A recent investigation into Ivanti Endpoint Manager (EPM) has uncovered four critical vulnerabilities that could allow unauthenticated attackers to coerce the EPM server into authenticating with its machine account credentials, enabling relay attacks and potentially leading to full server and domain compromise.
These vulnerabilities, identified in C:\Program Files\LANDesk\ManagementSuite\WSVulnerabilityCore.dll, were patched in January 2025 following their discovery in October 2024.
The vulnerabilities are categorized as follows:
- CVE-2024-10811: Credential Coercion Vulnerability in GetHashForFile
- CVE-2024-13161: Credential Coercion Vulnerability in GetHashForSingleFile
- CVE-2024-13160: Credential Coercion Vulnerability in GetHashForWildcard
- CVE-2024-13159: Credential Coercion Vulnerability in GetHashForWildcardRecursive
The vulnerabilities stem from improper validation of user input in several methods of the VulCore class in the WSVulnerabilityCore namespace.
For example, the GetHashForWildcardRecursive() method allows an attacker to control the wildcard parameter, which can be used to construct a remote UNC path.
Because the server tries to enumerate and read files at that path, an attacker can coerce it into connecting to an arbitrary (attacker-controlled) directory, at which point the server authenticates with its machine account credentials, exposing them to capture and enabling further attacks.
Similarly, the GetHashForWildcard() and GetHashForSingleFile() methods exhibit comparable flaws.
The former allows unauthenticated users to construct paths that reach remote UNC locations, while the latter accepts UNC paths as input without any authentication checks.
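The following is an added example and is not Ivanti's code, nor is it taken from the Horizon3.ai PoC: a minimal C# model of the coercion pattern described for GetHashForWildcardRecursive(), alongside a hardened version. The base directory, method bodies, hashing format and the 10.0.0.5 hostname are assumptions; what it shows is how Path.Combine passes a rooted wildcard straight through to the file system (where a UNC path triggers SMB authentication with the service's machine account) and how restricting the parameter to a bare file-name pattern closes that route.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added illustration, not Ivanti's code: a minimal model of the coercion bug
// and one way to close it. The real EPM method signatures, base directory
// and hashing logic are not on the page and are assumed here.
public static class HashServiceExample
{
    // Hypothetical directory the service is meant to hash files from.
    private const string BaseDir = @"C:\ProgramData\LANDesk\ScanFiles";

    // VULNERABLE pattern. Path.Combine returns its second argument unchanged
    // when that argument is rooted, so a wildcard such as \\10.0.0.5\share\*
    // (attacker-chosen host) makes the server enumerate an attacker-controlled
    // SMB share. When the service runs as SYSTEM or NETWORK SERVICE, that
    // connection authenticates with the EPM host's machine account, which is
    // exactly what the relay chain captures.
    public static string GetHashForWildcardRecursiveVulnerable(string wildcard)
    {
        string pattern = Path.Combine(BaseDir, wildcard);
        string dir = Path.GetDirectoryName(pattern) ?? BaseDir;
        string mask = Path.GetFileName(pattern);
        var sb = new StringBuilder();
        foreach (string file in Directory.EnumerateFiles(dir, mask, SearchOption.AllDirectories))
            sb.AppendLine(HashFile(file));
        return sb.ToString();
    }

    // HARDENED version. The wildcard is accepted only as a bare file-name
    // pattern: no separators, no drive letter, no UNC prefix, no "..". The
    // directory is therefore fixed by the server, never by the caller.
    // Input validation is defence in depth; the endpoint must additionally
    // require authentication, which the affected methods did not.
    public static string GetHashForWildcardRecursiveHardened(string wildcard)
    {
        if (!IsSafeWildcard(wildcard))
            throw new ArgumentException("wildcard must be a bare file-name pattern", nameof(wildcard));
        var sb = new StringBuilder();
        foreach (string file in Directory.EnumerateFiles(BaseDir, wildcard, SearchOption.AllDirectories))
            sb.AppendLine(HashFile(file));
        return sb.ToString();
    }

    public static bool IsSafeWildcard(string wildcard)
    {
        if (string.IsNullOrWhiteSpace(wildcard) || wildcard.Length > 255)
            return false;
        if (wildcard.IndexOfAny(new[] { '\\', '/', ':' }) >= 0)
            return false;           // rejects C:\..., \\host\share and /unix/style paths
        if (wildcard.Contains(".."))
            return false;           // rejects traversal out of BaseDir
        return true;
    }

    private static string HashFile(string path)
    {
        using (var sha = SHA256.Create())
        using (var fs = File.OpenRead(path))
            return Path.GetFileName(path) + " " + BitConverter.ToString(sha.ComputeHash(fs)).Replace("-", "");
    }

    // Usage: shows the validator accepting ordinary patterns and rejecting the
    // UNC, traversal and absolute-path inputs. Hosts and paths are made up.
    public static void Main()
    {
        string[] inputs =
        {
            "*.exe",                       // legitimate
            "report-??.log",               // legitimate
            @"\\10.0.0.5\share\*",         // UNC coercion: SMB auth to attacker host
            @"..\..\Windows\System32\*",   // traversal out of BaseDir
            @"C:\Users\*",                 // absolute local path
        };
        foreach (string input in inputs)
            Console.WriteLine($"{input,-32} safe={IsSafeWildcard(input)}");
    }
}
```

The validator deliberately does not use Path.GetFullPath on the wildcard, since on .NET Framework that call throws on wildcard characters; rejecting separators, colons and ".." up front makes canonicalisation unnecessary because the pattern can then only ever select files beneath the fixed base directory.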
Exploit Chain Enables Domain Takeover
The proof-of-concept (PoC) exploit demonstrates how attackers can chain these vulnerabilities with several well-known techniques to achieve full domain compromise:
- Credential Harvesting: Attackers force the Ivanti EPM server to authenticate to a malicious SMB share by exploiting the vulnerable API endpoints. During this process, the server sends an NTLMv2 authentication for its machine account, which is captured using tools such as responder or impacket-ntlmrelayx. Machine account passwords are long and random, so the captured NTLMv2 response is not practically crackable; the value lies in relaying it live.
- LDAP Relay Attacks: The captured machine account authentication is relayed to a domain controller via LDAP. This allows attackers to create unauthorized machine accounts and to grant delegation rights, and it succeeds only when the domain controller does not enforce LDAP signing and channel binding.
- Privilege Escalation: Using tools like getST.py, attackers abuse the delegation rights they configured to obtain Kerberos service tickets that impersonate a domain administrator. This grants access to critical services, such as CIFS on the EPM server, enabling further exploitation and lateral movement across the network.
In practical demonstrations, researchers were able to compromise an entire domain within minutes of initial access. This exploit chain highlights the severity of these vulnerabilities, as compromising a single EPM server could lead to control over all managed endpoints in the environment.
The lack of authentication on the affected endpoints poses significant risk, as attackers can use them to reach critical functionality within the EPM server without any credentials of their own.
In response to these vulnerabilities, Horizon3.ai has released a proof-of-concept (PoC) exploit demonstrating how these issues can be exploited in practical scenarios.
The PoC highlights several attack vectors, including relay techniques that could allow attackers to create machine accounts or obtain delegated admin access through NTLM relay attacks.
Using tools such as ntlmrelayx, attackers can relay the coerced authentication to LDAP on a domain controller and add machine accounts with elevated privileges.
The disclosure timeline began on October 15, 2024, when the vulnerabilities were reported to Ivanti.
The company acknowledged receipt of the report the following day and validated the vulnerabilities shortly thereafter.
A patch was released on January 13, 2025, but public awareness of these critical issues only emerged with a blog post from Horizon3.ai on February 19, 2025.
Organizations using Ivanti EPM are strongly advised to apply the latest patches and review their security configurations to mitigate potential exploitation. As defence in depth against the relay step, enforce LDAP signing and LDAP channel binding on domain controllers, require SMB signing, restrict outbound SMB (TCP 445) from the EPM server to untrusted networks, and alert on unexpected machine account creation or changes to delegation attributes.
The release of this PoC exploit serves as a stark reminder of the importance of robust input validation and authentication on every exposed endpoint in safeguarding against unauthorized access and data breaches.
As cybersecurity threats continue to evolve, proactive measures remain essential for maintaining secure environments.