PoC Released for Critical RCE Vulnerability in Ivanti Endpoint Manager
ConnectWise
A recently disclosed critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, tracked as CVE-2024-29847, has been actively exploited. The flaw allows attackers to execute arbitrary code on affected systems through insecure deserialization of untrusted data, and is rooted in the deprecated Microsoft .NET Remoting framework used by the Ivanti AgentPortal.exe service. It affects systems running Ivanti Endpoint Manager prior to the 2022 SU6 and 2024 versions, making patching essential to mitigate the threat.
The attack method involves injecting a maliciously crafted object into the .NET Remoting framework's communication process. Attackers exploit the deserialization process to gain control over file operations on the server, such as writing web shells or executing arbitrary commands. Security researcher Sina Kheirkhah, who identified the flaw, demonstrated that attackers can bypass the basic safeguards in place using advanced techniques, significantly increasing the risk of exploitation in unpatched environments.
Because the proof-of-concept (PoC) exploit is now publicly available, organizations using Ivanti Endpoint Manager are at heightened risk. With a detailed attack guide available, malicious actors are expected to leverage this flaw to target vulnerable systems, particularly in environments where patching may be delayed. Ivanti released security patches in September 2024 for both its 2022 and 2024 versions, and organizations are urged to apply these patches immediately, as no workarounds are available.
This vulnerability follows a trend of escalating attacks on Ivanti's products, with several high-severity vulnerabilities already exploited in the wild. Earlier in 2024, Ivanti's Endpoint Manager Mobile product faced active exploitation of a critical authentication bypass flaw (CVE-2024-8190). These incidents underscore the importance of proactive patch management, especially given the popularity of Ivanti's endpoint management solutions in enterprise environments.
Given the nature of the exploit, managed service providers (MSPs) and their clients should prioritize patching affected systems. Additionally, implementing network segmentation and limiting access to critical services could provide further protection against potential attacks exploiting this and similar vulnerabilities. The continued targeting of Ivanti's software highlights the growing sophistication of threat actors and the increasing need for vigilant, timely response strategies.