September 17, 2024

Exploit available for critical Ivanti EPM vulnerability, patch now

Proof-of-concept (PoC) exploit code for a critical vulnerability in Ivanti’s Endpoint Management (EPM) software has been released by the same cybersecurity researcher who discovered the flaw in May 2024. Along with the code, the researcher also released detailed instructions on how to exploit the flaw, claiming it only takes three seconds.

The flaw, designated CVE-2024-29847, is due to deserialization of untrusted data that, when exploited, could allow threat actors to execute code remotely on the core EPM server.

When Ivanti patched the flaw in September 2024, it indicated that it hadn’t observed any exploitation of CVE-2024-29847 in the wild, nor was it aware of a PoC exploit being publicly available. Regardless, Ivanti recommended that users upgrade affected EPM deployments to the latest version as soon as possible.

Source: Bleeping Computer

Analysis

The release of exploit code and technical details for CVE-2024-29847 will likely result in the compromise of some EPM instances that remain unpatched. However, we can't be quick to blame the researcher for any potential compromises, as the vulnerability was disclosed several months ago, yet the patch was only deployed recently. The researcher likely had the code and technical details finalized in May and therefore had already been waiting some time to publish his research.

Releasing PoC exploit code can have severe repercussions, especially when published before organizations have time to patch. For example, in April 2024, an overly eager cybersecurity company released PoC exploit code and technical details for CVE-2024-1708, an authentication bypass flaw, and CVE-2024-1709, a path traversal flaw, in ConnectWise’s ScreenConnect servers just one day after the vulnerabilities were announced. This code, combined with the ease of identifying vulnerable ScreenConnect instances via online web scanners, led to mass exploitation and the deployment of ransomware and other malware on unpatched servers.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like Ivanti EPM. Field Effect MDR users are automatically notified if a vulnerable version of EPM is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends users of affected EPM appliances update to the latest version as soon as possible, in accordance with the advisory.
