CVE-2024-29847: Critical RCE in Ivanti EPM via Insecure .NET Remoting

> About Author
Hi, I'm Sharon, a product manager at Chaitin Tech. We build SafeLine, an open-source Web Application Firewall built for real-world threats. While SafeLine focuses on HTTP-layer protection, our emergency response center monitors and responds to RCE and authentication vulnerabilities across the stack to help developers stay safe.

Ivanti Endpoint Manager (EPM) is a widely used enterprise device management solution that provides features like software distribution, patching, and remote configuration. But in September 2024, a critical unauthenticated Remote Code Execution (RCE) vulnerability was disclosed in EPM — tracked as CVE-2024-29847.

This post explains the root cause, exploit potential, and how to mitigate the risk. If you're running Ivanti EPM, patching this should be your top priority.

---

Vulnerability Overview

The vulnerability resides in the AgentPortal service of Ivanti EPM. Specifically:

• The service starts with a .NET Remoting TcpChannel bound to a random port.
• Security parameters are incorrectly configured:
  • Secure mode is disabled
  • TypeFilterLevel is set to Low

This setup opens the door to insecure deserialization attacks. An unauthenticated attacker on the network can send a crafted serialized payload to execute arbitrary code on the server — with no user interaction required.

---

Impact

If successfully exploited, an attacker can:

• Achieve remote code execution
• Gain full control of the target EPM server
• Exfiltrate sensitive data
• Deploy ransomware or malware across managed endpoints

Exploit maturity: Public POC available

Authentication required: None

Affected configuration: Default installs

User interaction required: None

Attack surface: Network-exposed AgentPortal service

---

Affected Versions

• Ivanti EPM 2022: Versions earlier than SU6
• Ivanti EPM 2024: Versions earlier than the September 2024 Update

---

Recommended Mitigation

1. Apply Security Patches

Ivanti has released updates for both 2022 and 2024 versions:

• For EPM 2022, upgrade to SU6 or newer
• For EPM 2024, upgrade to the September Update or later

Download the patch from Ivanti:

Ivanti Security Advisory

2. Restrict AgentPortal Access

As a temporary workaround, restrict network access to the AgentPortal service to trusted sources only.

Note: Since .NET Remoting binds to a randomly selected port via TcpChannel(0), make sure your firewall or access control setup accounts for dynamic ports.

---

Detection and Support

• Yuntu: Supports fingerprinting of Ivanti EPM systems
• SafeLine: Does not apply (non-HTTP traffic)
• Quanxi: Detection rule package has been released to identify exploit behavior

---

Timeline

• Sep 10, 2024 – Ivanti publishes advisory and patch
• Sep 15, 2024 – Public proof-of-concept (POC) exploit released
• Sep 20, 2024 – Chaitin Emergency Response Center issues vulnerability alert

---

References

• Ivanti Security Advisory
• Summoning Team Blog: Exploiting CVE-2024-29847
• CVE-2024-29847 Exploit Code on GitHub

---

If your Ivanti Endpoint Manager server is publicly accessible or exposed on internal networks, this is a high-priority RCE you can't afford to ignore. Patch now, and audit for unusual activity.

• GitHub Repository
• Official Docs
• Discord Community