> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.
Ivanti Endpoint Manager (EPM) is a widely used enterprise device management solution that provides features like software distribution, patching, and remote configuration. But in September 2024, a critical unauthenticated Remote Code Execution (RCE) vulnerability was disclosed in EPM, tracked as CVE-2024-29847.
This post explains the root cause, exploit potential, and how to mitigate the risk. If you're running Ivanti EPM, patching this should be your top priority.
Vulnerability Overview
The vulnerability resides in the AgentPortal service of Ivanti EPM. Specifically:
- The service starts with a .NET Remoting `TcpChannel` bound to a random port.
- Security parameters are incorrectly configured:
  - Secure mode is disabled
  - `TypeFilterLevel` is set to Low
This setup opens the door to insecure deserialization attacks. An unauthenticated attacker on the network can send a crafted serialized payload to execute arbitrary code on the server, with no user interaction required.
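To make the three weak settings concrete, here is an added example (constructed for this post, not Ivanti's code) showing what an anonymous .NET Remoting `TcpChannel` registration looks like next to a reduced-exposure variant; the class, method names and parameters are hypothetical.

```csharp
using System.Collections;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Constructed illustration of the channel setup described in the post;
// not Ivanti's code. Method names and parameters are hypothetical.
public static class ChannelSetup
{
    // Weak pattern: anonymous, unencrypted TcpChannel on an OS-assigned port.
    // Anyone who can reach the port talks directly to the BinaryFormatter sink.
    public static TcpChannel RegisterWeakChannel()
    {
        var props = new Hashtable
        {
            ["port"] = 0,       // TcpChannel(0): the OS picks a free port; it changes on restart
            ["secure"] = false  // no authentication, no encryption
        };
        var sink = new BinaryServerFormatterSinkProvider
        {
            // "Low" limits which types are deserialized, but the sink still
            // feeds untrusted bytes to BinaryFormatter, which is the core risk.
            TypeFilterLevel = TypeFilterLevel.Low
        };
        var channel = new TcpChannel(props, null, sink);
        ChannelServices.RegisterChannel(channel, ensureSecurity: false);
        return channel;
    }

    // Reduced-exposure pattern: fixed port (so it can be firewalled),
    // Windows authentication with signed and encrypted traffic, and an
    // optional loopback bind for services that only serve local callers.
    public static TcpChannel RegisterHardenedChannel(int fixedPort, bool localOnly)
    {
        var props = new Hashtable
        {
            ["port"] = fixedPort,
            ["secure"] = true,                      // callers must authenticate
            ["protectionLevel"] = "EncryptAndSign"  // integrity and confidentiality
        };
        if (localOnly) props["bindTo"] = "127.0.0.1";
        var sink = new BinaryServerFormatterSinkProvider { TypeFilterLevel = TypeFilterLevel.Low };
        var channel = new TcpChannel(props, null, sink);
        // ensureSecurity: true makes registration fail if the channel is not secure.
        ChannelServices.RegisterChannel(channel, ensureSecurity: true);
        return channel;
    }
}
```

Even the hardened variant keeps BinaryFormatter in the request path, so it only narrows who can reach the sink; the vendor patch is the actual fix, and .NET Remoting itself is legacy technology that Microsoft no longer recommends for new code.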
Impact
If successfully exploited, an attacker can:
- Achieve remote code execution
- Gain full control of the target EPM server
- Exfiltrate sensitive data
- Deploy ransomware or malware across managed endpoints
Exploit maturity: Public POC available
Authentication required: None
Affected configuration: Default installs
User interaction required: None
Attack surface: Network-exposed AgentPortal service
Affected Versions
- Ivanti EPM 2022: Versions earlier than SU6
- Ivanti EPM 2024: Versions earlier than the September 2024 Update
Recommended Mitigation
1. Apply Security Patches
Ivanti has released updates for both 2022 and 2024 versions:
- For EPM 2022, upgrade to SU6 or newer
- For EPM 2024, upgrade to the September Update or later
Download the patch from Ivanti:
Ivanti Security Advisory
2. Restrict AgentPortal Access
As a temporary workaround, restrict network access to the AgentPortal service to trusted sources only.
Note: Since .NET Remoting binds to a randomly selected port via `TcpChannel(0)`, make sure your firewall or access control setup accounts for dynamic ports.
Detection and Support
- Yuntu: Supports fingerprinting of Ivanti EPM systems
- SafeLine: Does not apply (non-HTTP traffic)
- Quanxi: Detection rule package has been released to identify exploit behavior
Timeline
- Sep 10, 2024: Ivanti publishes advisory and patch
- Sep 15, 2024: Public proof-of-concept (POC) exploit released
- Sep 20, 2024: Chaitin Emergency Response Center issues vulnerability alert
References
- Ivanti Security Advisory
- Summoning Team Blog: Exploiting CVE-2024-29847
- CVE-2024-29847 Exploit Code on GitHub
If your Ivanti Endpoint Manager server is publicly accessible or exposed on internal networks, this is a high-priority RCE you can't afford to ignore. Patch now, and audit for unusual activity.