[TIMESTAMP: 2026-03-10 12:18 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: CRITICAL]

CVE-2024-29847: Ivanti EPM RCE Under Active Exploitation - Patch Now

CRITICAL Vulnerabilities #Ivanti #CVE-2024-29847 #RCE
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Unauthenticated attackers are exploiting a critical vulnerability in Ivanti Endpoint Manager to gain full control of affected servers.
  • [02] This vulnerability affects Ivanti EPM 2022 SU6 and all previous versions, specifically targeting the agent portal.
  • [03] Organizations should prioritize applying the security hotfix for EPM 2022 SU6 provided by Ivanti to eliminate the attack vector.

The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Ivanti Endpoint Manager (EPM) to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2024-29847, the flaw poses a significant threat to enterprise environments because it allows unauthenticated remote code execution (RCE) on vulnerable management servers. According to BleepingComputer, federal agencies have been ordered to remediate their systems by October 23, 2024, which underlines the urgency for private sector organizations to follow suit.

Technical Analysis of CVE-2024-29847

The vulnerability is rooted in the deserialization of untrusted data within the Ivanti EPM agent portal. With a CVSS score of 9.8, the flaw is categorized as critical because it does not require user interaction or elevated privileges to exploit. An attacker can send a specially crafted request to the agent portal, which, when processed, leads to the execution of arbitrary code with the same privileges as the EPM service.

Ivanti EPM is used by organizations to manage and secure a vast array of devices across their network. Because these servers often have broad visibility and control over internal assets, a compromise can serve as a beachhead for lateral movement or the deployment of ransomware. The ability to execute code remotely without authentication bypasses traditional perimeter defenses, making EPM servers a highly attractive target for a range of threat actors.

While attribution to a known APT group has not yet been confirmed publicly, the flaw's inclusion in the CISA KEV catalog confirms that active exploitation is occurring. Security teams should prioritize detecting CVE-2024-29847 exploit attempts by auditing web server logs for unusual activity involving the agent portal. Indicators of compromise may include unexpected child processes spawned by the EPM web service or connections to unknown C2 infrastructure.

Defense-in-depth strategies, including the use of EDR and SIEM platforms, are essential for identifying post-exploitation behavior. SOC analysts should monitor for unauthorized privilege escalation attempts following any suspicious interaction with the Ivanti management console.

Ivanti EPM 2022 SU6 RCE Mitigation and Patching

The primary remediation is to apply the official security update. Ivanti addressed this flaw in the EPM 2022 SU6 Hotfix, and organizations running version 2022 SU6 or earlier must apply it immediately. For those who cannot patch right away, Ivanti's interim guidance includes restricting access to the agent portal.

Administrators should limit access to the EPM management interface to trusted internal IP addresses and implement Zero Trust principles to ensure that only authorized administrators can reach the management server. Furthermore, checking for any unauthorized local accounts or modifications to system configurations can help identify if a server was compromised prior to patching. Given the history of targeted attacks against Ivanti products over the past year, a proactive and thorough response is necessary to maintain organizational security.
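The two defensive steps above, auditing web server logs for unusual agent portal activity and limiting portal access to trusted internal addresses, can be combined into a single log review. The following is an added example written for this article, not code from Ivanti or the original post: it parses IIS W3C-style log lines (constructed sample data), and reports any client outside the assumed trusted networks that reached the assumed agent portal path prefix, along with how many POSTs and server errors that client generated.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumptions (placeholders, not taken from Ivanti documentation): the agent
# portal is served under this path prefix, and agent/management traffic is
# only expected from these internal ranges. Adjust both to your environment.
AGENT_PORTAL_PREFIX = "/agentportal/"
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.0.0/16")]

# Constructed IIS W3C log sample (not real traffic); columns follow the #Fields header.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-10-01 08:00:01 10.0.0.5 GET /agentportal/ - 443 - 10.20.3.7 Mozilla/5.0 200
2024-10-01 08:00:03 10.0.0.5 POST /agentportal/ - 443 - 203.0.113.44 python-requests/2.31 200
2024-10-01 08:00:04 10.0.0.5 POST /agentportal/ - 443 - 203.0.113.44 python-requests/2.31 500
2024-10-01 08:00:09 10.0.0.5 GET /remote/ - 443 - 198.51.100.9 Mozilla/5.0 200
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than misalign columns
        yield dict(zip(fields, values))

def is_trusted(ip):
    """True if the client address falls inside one of the trusted internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def audit_agent_portal(text):
    """Return {client_ip: {"requests", "posts", "errors"}} for untrusted clients
    that reached the agent portal path; an empty dict means nothing to review."""
    findings = defaultdict(Counter)
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(AGENT_PORTAL_PREFIX):
            continue
        if is_trusted(rec["c-ip"]):
            continue
        stats = findings[rec["c-ip"]]
        stats["requests"] += 1
        if rec["cs-method"] == "POST":
            stats["posts"] += 1
        if rec["sc-status"].startswith("5"):
            stats["errors"] += 1
    return {ip: dict(stats) for ip, stats in findings.items()}
```

Run `audit_agent_portal(open(path).read())` against a real IIS log after the path prefix and trusted ranges have been set for your deployment; any client it returns is a candidate for the log and process review described above.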
