[TIMESTAMP: 2026-04-07 04:52 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2024-29847: Ivanti Endpoint Manager RCE Patch and Detection Guide

CRITICAL | Vulnerabilities | #CVE-2024-29847 #Ivanti #EndpointManager
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Unauthenticated attackers can achieve full remote code execution with system-level privileges on Ivanti EPM core servers.
  • [02] Ivanti Endpoint Manager versions prior to the September 2024 security updates are vulnerable to multiple critical flaws.
  • [03] Administrators must immediately apply the latest Ivanti EPM 2022 or 2024 hotfixes to prevent exploitation.

Ivanti has issued a critical security advisory covering multiple vulnerabilities in its Endpoint Manager (EPM) product, the most severe of which is tracked as CVE-2024-29847. As summarised by SANS ISC, the flaw is a deserialization of untrusted data in the EPM agent portal: a remote, unauthenticated attacker who can reach that service can execute arbitrary code with SYSTEM privileges on the core server. With a reported CVSS score of 9.8, it represents a significant risk to any enterprise whose agent portal is reachable beyond a tightly controlled management network.

The core of the issue is how the agent portal processes serialized objects. An attacker sends a specially crafted serialized payload to the EPM core server without any valid credentials; the server reconstructs the objects named in that payload, and the reconstruction itself executes attacker-chosen code, giving immediate RCE. Because EPM exists to manage large fleets of devices, the central management server is a high-value target for Lateral Movement: once it is compromised, the attacker can push arbitrary software, including Ransomware, to every connected endpoint through the same trusted deployment channel, effectively turning the management tool into a Supply Chain Attack platform aimed at the organisation itself.
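To make the mechanism concrete, here is an added illustration (not Ivanti EPM code, which is a .NET product) of the vulnerable pattern beside a hardened one. Python's pickle stands in for the serialized-object format: the loader rebuilds whatever objects the bytes name, and rebuilding an object can run code. The message class, the field names and the "agent check-in" shape are assumptions made for the example.

```python
"""Untrusted deserialization: vulnerable loader next to a hardened loader.

Added illustration, not Ivanti EPM code. pickle plays the role of the
serialized-object format; the class names and message shape are made up.
"""
import io
import json
import os
import pickle


class AgentCheckIn:
    """The benign message type the server expects from a managed endpoint (assumed)."""

    def __init__(self, hostname: str, agent_version: str) -> None:
        self.hostname = hostname
        self.agent_version = agent_version


class MaliciousPayload:
    """Attacker-controlled object. __reduce__ tells the loader to call eval()
    while 'reconstructing' it, so merely loading the bytes runs the expression.
    The expression here is harmless (it returns the server's PID); a real
    payload would spawn a shell."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def build_malicious_payload() -> bytes:
    """Constructed sample of what the attacker transmits; no credentials needed."""
    return pickle.dumps(MaliciousPayload())


def build_benign_payload() -> bytes:
    """Constructed sample of a legitimate check-in message."""
    return pickle.dumps(AgentCheckIn("ws-01", "2024.1"))


def unsafe_load(data: bytes):
    """Vulnerable pattern: deserialize whatever arrives on the listener."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only an explicit allowlist of classes may be
    reconstructed; eval, os.system, subprocess.* and friends are refused."""

    ALLOWED = {(AgentCheckIn.__module__, "AgentCheckIn")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_load_rejects(data: bytes) -> bool:
    """True if the hardened loader refuses the bytes."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def parse_check_in_json(data: bytes) -> AgentCheckIn:
    """Preferred design: a data-only wire format plus explicit field validation.
    JSON carries no class names, so there is no object graph for a gadget to abuse."""
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"hostname", "agent_version"}:
        raise ValueError("unexpected message shape")
    for key in ("hostname", "agent_version"):
        if not isinstance(obj[key], str) or not 0 < len(obj[key]) <= 255:
            raise ValueError(f"bad field: {key}")
    return AgentCheckIn(obj["hostname"], obj["agent_version"])


if __name__ == "__main__":
    evil = build_malicious_payload()
    print("unsafe_load ran attacker code; returned", unsafe_load(evil), "== own PID", os.getpid())
    print("safe_load rejects it:", safe_load_rejects(evil))
    print("safe_load accepts a benign message from:", safe_load(build_benign_payload()).hostname)
    print("JSON parser accepts:", parse_check_in_json(b'{"hostname": "ws-01", "agent_version": "2024.1"}').hostname)
```

The allowlist unpickler is the minimum fix for a format that must stay binary-object based; replacing the format with validated JSON (or another data-only encoding) removes the class of bug rather than one instance of it, which is why the last function is the preferred shape.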

In addition to the deserialization flaw, Ivanti disclosed several SQL injection vulnerabilities, such as CVE-2024-32840. These require an authenticated user with administrative privileges in the product, but they still allow code execution on the core server (in effect, Privilege Escalation from an application admin to SYSTEM), further broadening the TTPs available to an insider or to an external attacker who has already obtained a foothold via Phishing.

Impact on Enterprise Security Operations

For a SOC, vulnerabilities in an endpoint management solution are particularly concerning. These tools are routinely exempted from application control, EDR blocking and similar restrictions so that they can deploy software and perform maintenance. An APT group that controls the EPM server inherits those exemptions and can use the legitimate deployment channel to stage a C2 framework across the entire organization, undermining the assumptions a Zero Trust architecture makes about which systems are trusted to change others.

Security teams should assume that capable actors will weaponize these flaws quickly. Now that the vulnerability is public rather than a Zero-Day, proof-of-concept code is likely to circulate, lowering the barrier to entry for less skilled attackers. Monitoring for IoC evidence such as unexpected child processes of the Ivanti EPM service (e.g., cmd.exe or powershell.exe) should be treated as a priority.

How to Detect CVE-2024-29847 Exploit Attempts

To detect attempts to exploit CVE-2024-29847, defenders should examine SIEM logs for unusual inbound traffic to the EPM agent portal: connections from sources that are neither managed endpoints nor administrator hosts, and unusually large or binary-heavy payloads sent to the portal's listener. EDR telemetry on the EPM core server should also be reviewed for unexpected database queries and for writes to the web root directory, which may indicate a successful exploit followed by web shell deployment. The initial access maps to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). None of these signals is conclusive on its own; a shell spawned directly by an EPM service process is the highest-fidelity indicator and should page an analyst.
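The following is an added detection sketch covering the two host-side indicators discussed in this section and the previous one (an EPM process spawning a shell, and a server-side script written into the web root). It is not Ivanti's or any vendor's detection content. It runs over constructed Sysmon-style events (EventId 1 = process create, EventId 11 = file create) serialised as JSON lines; the process names in the sample are invented. Two paths are assumptions to verify on your own server: that EPM is installed under C:\Program Files\LANDesk\ManagementSuite (the product's former name, still used on disk), and that its web content lives under the IIS default C:\inetpub\wwwroot.

```python
"""Host-side detection for EPM exploitation follow-on activity.

Added example, not vendor detection content. Paths below are assumptions;
the sample events are constructed and the EPM process names are made up.
"""
import json
from dataclasses import dataclass
from typing import Optional

# --- assumptions to verify per deployment -----------------------------------
EPM_INSTALL_PREFIX = "c:\\program files\\landesk\\managementsuite\\"  # assumed
WEB_ROOT_PREFIX = "c:\\inetpub\\wwwroot\\"                             # assumed
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "certutil.exe"}
WEB_SHELL_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp")


@dataclass
class Alert:
    rule: str
    technique: str   # MITRE ATT&CK technique ID
    record_id: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev: dict) -> Optional[Alert]:
    """EPM service binaries have no business launching an interactive shell or
    script host; a direct child like that is the page's primary IoC."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    if parent.startswith(EPM_INSTALL_PREFIX) and _basename(image) in SHELLS:
        detail = f"{_basename(parent)} -> {_basename(image)} {ev.get('CommandLine', '')}".strip()
        return Alert("epm_process_spawned_shell", "T1190", ev["RecordId"], detail)
    return None


def check_file_create(ev: dict) -> Optional[Alert]:
    """A server-side script written under the web root after exploitation is
    the classic web-shell drop (ATT&CK T1505.003, Server Software Component: Web Shell)."""
    target = ev.get("TargetFilename", "").lower()
    if target.startswith(WEB_ROOT_PREFIX) and target.endswith(WEB_SHELL_EXTENSIONS):
        detail = f"{_basename(ev.get('Image', ''))} wrote {target}"
        return Alert("webroot_script_written", "T1505.003", ev["RecordId"], detail)
    return None


CHECKS = {1: check_process_create, 11: check_file_create}


def run_detection(jsonl: str) -> list:
    """Evaluate each JSON-lines event against the check for its EventId."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        check = CHECKS.get(ev.get("EventId"))
        alert = check(ev) if check else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (raw string so the JSON keeps its backslashes).
SAMPLE_EVENTS = r"""
{"RecordId": 1, "EventId": 1, "ParentImage": "C:\\Windows\\System32\\services.exe", "Image": "C:\\Program Files\\LANDesk\\ManagementSuite\\AgentPortalService.exe", "CommandLine": "AgentPortalService.exe"}
{"RecordId": 2, "EventId": 1, "ParentImage": "C:\\Program Files\\LANDesk\\ManagementSuite\\AgentPortalService.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}
{"RecordId": 3, "EventId": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe"}
{"RecordId": 4, "EventId": 11, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "TargetFilename": "C:\\inetpub\\wwwroot\\remote\\cmd.aspx"}
{"RecordId": 5, "EventId": 11, "Image": "C:\\Program Files\\LANDesk\\ManagementSuite\\SchedulerService.exe", "TargetFilename": "C:\\Program Files\\LANDesk\\ManagementSuite\\log\\scheduler.log"}
"""

if __name__ == "__main__":
    for a in run_detection(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule} record={a.record_id}: {a.detail}")
```

Record 3 (an administrator opening PowerShell from Explorer) is deliberately left unflagged: the rule keys on the parent being an EPM binary, not on the shell alone, which keeps the noise down on a server where admins do legitimately open consoles.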

Ivanti Endpoint Manager 2024 Patch Guidance and Remediation

The most effective mitigation for the Ivanti EPM remote code execution flaw is to apply the vendor's security updates. Follow Ivanti's official patch guidance and upgrade to the September 2024 hotfix releases for EPM 2022 or EPM 2024, then confirm the installed version on the core server itself rather than trusting the deployment job's reported status.

If immediate patching is not possible, use network-level micro-segmentation to restrict access to the EPM core server: only known administrator hosts and managed endpoints should be able to reach the management portal. This shrinks the attack surface and keeps arbitrary unauthenticated hosts away from the vulnerable deserialization endpoint. It is a stopgap, not a fix: the agent portal must by design accept traffic from every managed endpoint, so a single compromised endpoint can still reach it, and the patch remains the only complete remediation.
