
Security researchers have discovered four critical vulnerabilities in Ivanti Endpoint Manager (EPM) that could allow unauthenticated attackers to compromise server systems through credential relay attacks. The vulnerabilities were patched in Ivanti's January 2025 security update.
The flaws, tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, were identified by the Horizon3.ai Attack Team during their investigation of Ivanti vulnerabilities in October 2024. All four vulnerabilities center around credential coercion issues in different file hash calculation functions within the EPM server's WSVulnerabilityCore component.
"The vulnerabilities discovered allow an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially allowing for server compromise," the researchers explained in their detailed technical analysis.
The affected functions include GetHashForFile, GetHashForSingleFile, GetHashForWildcard, and GetHashForWildcardRecursive, all of which reside in C:\Program Files\LANDesk\ManagementSuite\WSVulnerabilityCore.dll. The core issue stems from these unauthenticated endpoints failing to validate input properly, allowing attackers to manipulate file paths to point to remote UNC locations.
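The kind of check whose absence is described above, as an added illustration that is not Ivanti's code or its patch: a validator that refuses UNC and device-namespace paths before a file is opened for hashing. The allow-list root ALLOWED_ROOT, the function name verdict and the sample paths are assumptions constructed for this example.

```python
import ntpath

# Assumed allow-list root for this example; not a path taken from the product.
ALLOWED_ROOT = r"C:\ExampleData"


def verdict(raw: str) -> str:
    """Return "ok" for a local file under ALLOWED_ROOT, else the refusal reason."""
    if not raw or "\x00" in raw:
        return "empty or NUL in path"
    # Windows accepts "/" as a separator, so normalise before any prefix test.
    p = raw.strip().replace("/", "\\")
    # Two leading separators mean UNC (\\host\share) or a device namespace
    # (\\?\UNC\host\share, \\.\pipe\x). Opening a UNC path makes the service
    # authenticate to the named host with its machine account.
    if p.startswith("\\\\"):
        return "UNC or device path"
    drive, rest = ntpath.splitdrive(p)
    if len(drive) != 2 or not rest.startswith("\\"):
        return "not an absolute drive-letter path"
    # Collapse ".." before the containment check so traversal cannot escape.
    norm = ntpath.normcase(ntpath.normpath(p))
    root = ntpath.normcase(ALLOWED_ROOT)
    if norm != root and not norm.startswith(root + "\\"):
        return "outside allowed root"
    return "ok"


# Constructed sample inputs; 192.0.2.10 is a documentation-only address.
SAMPLES = [
    r"C:\ExampleData\pkg\agent.dll",
    r"\\192.0.2.10\share\file.bin",
    "//192.0.2.10/share/file.bin",
    r"\\?\UNC\192.0.2.10\share\file.bin",
    r"C:\ExampleData\..\Windows\win.ini",
    r"C:\ExampleDataOther\file.bin",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{verdict(s):35} {s}")
```

The check is lexical only: a mapped drive letter or a junction under the allowed root can still resolve to a network share, so it complements rather than replaces applying the patch.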
The research team demonstrated that successful exploitation could lead to serious security breaches, including creating unauthorized machine accounts and potentially compromising the entire EPM infrastructure. This is particularly concerning as compromising the EPM server could grant attackers access to all connected EPM clients.
Organizations using Ivanti Endpoint Manager are strongly advised to apply the January 2025 patch rollup to protect against these vulnerabilities. The researchers have also published the proof-of-concept exploit code for Ivanti EPM CVE-2024-13159 and others, which allows for unauthenticated coercion of the Ivanti EPM machine credential for use in relay attacks.
For technical teams interested in understanding the attack surface, the researchers provided detailed documentation of their findings, including code analysis and practical attack scenarios demonstrating various relay techniques that could be used to exploit these vulnerabilities in real-world environments.