ZDI Exposes 13 Ivanti Zero-Days Still Unpatched, Leaving Systems Open to Remote Code Execution

Published on Oct 13, 2025
Written by Mirren McDade

The Zero Day Initiative (ZDI) has now released advisories detailing 13 security flaws, currently unpatched, in Ivanti Endpoint Manager. These flaws comprise 12 remote code execution (RCE) vulnerabilities and one local privilege escalation bug that could allow someone already on the local system to escalate privileges to full administrative control.

This exposure highlights persistent security weaknesses in the enterprise management platform, which remains widely deployed across corporate, healthcare, and government networks and has become a recurring target for state-sponsored threat actors.

The flaws affect multiple components of Endpoint Manager, including Report_RunPatch, MP_QueryDetail, PatchHistory, and OnSaveToDB. They stem from insufficient input validation, unsafe SQL query construction, and insecure deserialization, leaving the system open to potential compromise. All 13 of the noted vulnerabilities were uncovered and reported to Ivanti privately between June and November of 2024.

Vulnerability Details

The most critical issue is a directory traversal RCE bug in the OnSaveToDB method, which could allow an attacker to get the system to run malicious code without logging in and with very little user interaction. The other RCE flaws generally require the attacker to be authenticated first, but, if exploited, they let the attacker run code with the same permissions as the Endpoint Manager service, giving broad access to whatever that service can do. Separately, a deserialization vulnerability in the AgentPortal service stems from unsafe handling of serialized data, which could allow a local attacker to escalate to SYSTEM (full administrative) privileges.

While no CVE identifiers have been issued, ZDI rates the vulnerabilities as high severity, with CVSS scores ranging from 7.2 to 8.8. The highest-rated flaw affects file operations, permitting code execution if attackers have admin credentials or can trick a user into interacting with a malicious file or page.

Exploitation Risks

Though many flaws require authentication, Ivanti’s history of credential theft and state-sponsored attacks raises concerns about real-world exploitability. Chinese-linked groups, including Silk Typhoon and Houken, have previously leveraged Ivanti zero-days for high-profile intrusions, targeting U.S. Treasury systems and French government networks.

Mitigation and Defensive Measures

No patches are currently available for the newly disclosed vulnerabilities. Until Ivanti has released official patches, organizations are advised to take immediate steps to limit exposure, including:

  • Restrict access to Endpoint Manager interfaces from the internet using VPNs or IP whitelisting
  • Use a Web Application Firewall (WAF) or reverse proxy to validate and filter incoming requests
  • Block unnecessary outbound connections from Ivanti servers to reduce the risk of command-and-control activity
  • Apply least-privilege access controls for all accounts that interact with Endpoint Manager

An Ivanti spokesperson spoke to SecurityWeek about the complexity of the vulnerabilities and the ongoing efforts to address them, stating, “We have communicated to ZDI that the issues reported to Ivanti are complicated to fix and require additional time to resolve. We are in the middle of this work now, and we are looking at ways to further increase resources from other initiatives to accelerate this work.”

The representative added that because the flaws are difficult to exploit, they do not pose a significant risk to customers, and emphasized the company’s commitment to delivering complete, robust fixes before public disclosure.

The Big Picture

The disclosure underscores the challenges of securing enterprise management platforms and the potential impact of unpatched vulnerabilities in widely used systems. Organizations relying on Ivanti Endpoint Manager should prioritize reducing attack surfaces, monitoring for unusual activity, and implementing defensive controls until patches are available.
