Proof-of-Concept Exploit Released for Four Ivanti Vulnerabilities

Researchers from Horizon3.ai have published technical details and a proof-of-concept (PoC) exploit for four critical vulnerabilities in Ivanti Endpoint Manager. Initially disclosed and patched by Ivanti last month, these flaws could allow unauthenticated attackers to manipulate machine account credentials and launch relay attacks that may lead to server compromise.

The technical write-up, released on Wednesday, outlines how the vulnerabilities—identified as CVE-2024-10811, CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161—can be exploited to coerce credential data from various functions within Ivanti’s software. All four vulnerabilities have been assigned a high CVSS score of 9.8 due to their potential impact on system security.

According to Zach Hanley, chief attack engineer at Horizon3.ai, attackers could use these flaws to add machine accounts or relay delegated administrator access, which in turn would compromise all Endpoint Manager clients across an organization. Hanley noted that while the relay techniques employed are not new, demonstrating their applicability to Ivanti’s platform highlights the severity of the risk. He added that the complexity of the code base required significant effort to map the unauthenticated attack surface.

The vulnerabilities were first reported to Ivanti on October 15, and the vendor acknowledged the issues the following day. Ivanti responded swiftly, disclosing and releasing fixes for these as well as several other vulnerabilities on January 14. Horizon3.ai delayed the public release of the PoC for an additional 30 days post-patch release to allow customers ample time to update their systems.

Although there is no evidence that these vulnerabilities have been exploited in the wild, the availability of a PoC raises concerns. Ivanti products have increasingly become attractive targets for cybercriminals, with threat actors exploiting both zero-day and known vulnerabilities to gain access to networks and critical systems.

In response to the recent PoC release, an Ivanti spokesperson urged customers to apply the available patches immediately. “Ivanti disclosed and released fixes on January 14, which addresses these vulnerabilities, and there has been no evidence of exploitation to date. As new information in the public domain increases the risk of potential exploitation, we encourage any EPM customers that have not already patched according to Ivanti’s previously released instructions to do so immediately,” the spokesperson said.

As cyberattacks continue to evolve and target widely used enterprise tools, experts warn that organizations must remain vigilant by promptly applying security patches and closely monitoring their systems for any unusual activity.
