A recent investigation into Ivanti Endpoint Manager (EPM) has uncovered four critical vulnerabilities that could allow unauthenticated attackers to exploit machine account credentials for relay attacks, potentially leading to server compromise.

These vulnerabilities, identified in the C:\Program Files\LANDesk\ManagementSuite\WSVulnerabilityCore.dll, were patched in January 2025 following their discovery in October 2024.

The vulnerabilities are categorized as follows:

  1. CVE-2024-10811: Credential Coercion Vulnerability in GetHashForFile
  2. CVE-2024-13161: Credential Coercion Vulnerability in GetHashForSingleFile
  3. CVE-2024-13160: Credential Coercion Vulnerability in GetHashForWildcard
  4. CVE-2024-13159: Credential Coercion Vulnerability in GetHashForWildcardRecursive

The vulnerabilities stem from the improper validation of user input in several methods within the VulCore class of the WSVulnerabilityCore namespace.

For instance, the GetHashForWildcardRecursive() method allows an attacker to manipulate the wildcard parameter, which can lead to the construction of a remote UNC path.

This exploitation enables attackers to coerce the EPM server into reading files from an arbitrary directory, thereby exposing sensitive data or facilitating further attacks.

Similarly, the GetHashForWildcard() and GetHashForSingleFile() methods exhibit comparable flaws.

The former permits unauthenticated users to construct paths that reach remote UNC locations, while the latter appears to accept UNC paths as input without any authentication checks.
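As an added defensive illustration (not Ivanti's code and not its actual patch), the check below shows the kind of input validation the article describes as missing: a file or wildcard parameter is accepted only if it stays under a fixed local directory, and every UNC form is rejected before any file system call could trigger outbound SMB authentication. The root directory, exception type and function names are assumptions made for this example.

```python
import ntpath  # Windows path semantics, available on every platform

# Hypothetical directory the service is allowed to read from (assumption).
ALLOWED_ROOT = r"C:\ProgramData\Scans"


class PathRejected(ValueError):
    """Raised when a caller-supplied path fails validation."""


def is_unc_path(raw: str) -> bool:
    """True for \\\\server\\share, //server/share and \\\\?\\UNC\\... forms."""
    p = raw.replace("/", "\\")
    if p.startswith("\\\\"):
        return True
    drive, _ = ntpath.splitdrive(p)
    return drive.startswith("\\\\")


def resolve_under_root(raw: str, root: str = ALLOWED_ROOT) -> str:
    """Return the normalized local path if it stays under root, else raise."""
    if not raw or "\x00" in raw:
        raise PathRejected("empty or NUL-containing path")
    if is_unc_path(raw):
        raise PathRejected("UNC paths are not allowed")
    p = raw.replace("/", "\\")
    # Reject drive-qualified (C:\...) and rooted (\Windows\...) input outright;
    # only paths relative to the confinement root are acceptable.
    if ntpath.splitdrive(p)[0] or p.startswith("\\"):
        raise PathRejected("absolute or drive-qualified path not allowed")
    root_n = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_n, p))  # collapses ..\ segments
    # Case-insensitive containment check on a separator boundary, so that
    # C:\ProgramData\Scans-old is not mistaken for a child of the root.
    if full.lower() != root_n.lower() and not full.lower().startswith(root_n.lower() + "\\"):
        raise PathRejected("path escapes the allowed root")
    return full


def validate_wildcard(directory: str, pattern: str, root: str = ALLOWED_ROOT) -> str:
    """Validate a directory/pattern pair such as ("reports", "*.log").

    The directory is confined like any other path; the pattern must be a
    single file-name component so it cannot smuggle in a separator or UNC prefix.
    """
    base = resolve_under_root(directory, root)
    if not pattern or any(c in pattern for c in "\\/:") or pattern in (".", ".."):
        raise PathRejected("wildcard pattern must be a single file-name component")
    return ntpath.join(base, pattern)
```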

Exploit Chain Enables Domain Takeover

The proof-of-concept (PoC) exploit demonstrates how attackers can leverage these vulnerabilities to achieve full domain compromise by chaining several well-known techniques:

  1. Credential Harvesting: Attackers force the Ivanti EPM server to authenticate to a malicious SMB share by exploiting the vulnerable API endpoints. During this process, the server transmits its NTLMv2 credentials, which are captured using tools such as responder or impacket-ntlmrelayx.
  2. LDAP Relay Attacks: The captured machine account credentials are then relayed to a domain controller via LDAP. This allows attackers to create unauthorized machine accounts with elevated privileges, including delegation rights.
  3. Privilege Escalation: Using tools like getST.py, attackers forge Kerberos tickets to impersonate domain administrators. This grants access to critical services, such as CIFS, enabling further exploitation and lateral movement within the network.

In practical demonstrations, researchers were able to compromise an entire domain within minutes of initial access. This exploit chain highlights the severity of these vulnerabilities, as compromising a single EPM server could lead to control over all managed endpoints in the environment.

The absence of authentication on these endpoints poses significant risks, as attackers can use them to reach critical functions within the EPM server without credentials.

In response to these vulnerabilities, Horizon3.ai has released a proof-of-concept (PoC) exploit demonstrating how these issues can be exploited in practical scenarios.

The PoC highlights various attack vectors, including relaying techniques that could allow attackers to create machine accounts or gain delegated admin access through NTLM relay attacks.

By using tools such as ntlmrelayx, attackers can relay requests to LDAP servers and add machine accounts with elevated privileges.

The timeline for this disclosure began on October 15, 2024, when the vulnerabilities were reported to Ivanti.

The company acknowledged receipt of the report the following day and validated the vulnerabilities shortly thereafter.

A patch was released on January 13, 2025, but public awareness of these critical issues only emerged with a blog post from Horizon3.ai on February 19, 2025.

Organizations utilizing Ivanti EPM are strongly advised to apply the latest patches and review their security configurations to mitigate potential exploitation risks.

The release of this PoC exploit serves as a stark reminder of the importance of robust input validation and authentication mechanisms in safeguarding against unauthorized access and data breaches.

As cybersecurity threats continue to evolve, proactive measures remain essential for maintaining secure environments.