Multiple vulnerabilities in Ivanti Endpoint Manager
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 16 |
| CVE-ID | CVE-2024-13168 CVE-2024-13162 CVE-2024-13163 CVE-2024-13164 CVE-2024-13165 CVE-2024-13166 CVE-2024-13167 CVE-2024-13169 CVE-2024-10811 CVE-2024-13170 CVE-2024-13171 CVE-2024-13172 CVE-2024-13158 CVE-2024-13159 CVE-2024-13160 CVE-2024-13161 |
| CWE-ID | CWE-787 CWE-89 CWE-502 CWE-908 CWE-843 CWE-36 CWE-434 CWE-347 CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Endpoint Manager Server applications / IDS/IPS systems, Firewalls and proxy servers |
| Vendor | Ivanti |
Security Bulletin
This security bulletin contains information about 16 vulnerabilities.
1) Out-of-bounds write
EUVDB-ID: #VU102842
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13168
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing untrusted input within the AlertService. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-035/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) SQL injection
EUVDB-ID: #VU102849
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-13162
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data within the updateAssetInfo method. A remote privileged user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Note, the vulnerability exists due to incomplete fix for #VU97132 (CVE-2024-32848).
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-041/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Deserialization of Untrusted Data
EUVDB-ID: #VU102848
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13163
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the DecodeBase64Object method. A remote attacker can trick the victim into passing specially crafted data to the application and execute arbitrary code on the target system.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-040/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use of uninitialized resource
EUVDB-ID: #VU102847
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-13164
CWE-ID:
CWE-908 - Use of Uninitialized Resource
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to usage of uninitialized resources within the AlertService. A local user can disclose stored credentials and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-039/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds write
EUVDB-ID: #VU102845
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13165
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing untrusted input within the AlertService. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-038/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Out-of-bounds write
EUVDB-ID: #VU102844
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13166
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing untrusted input within the AlertService. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-037/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds write
EUVDB-ID: #VU102843
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13167
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing untrusted input within the AlertService. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-036/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Type Confusion
EUVDB-ID: #VU102846
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-13169
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a type confusion error within the AlertService. A local user can disclose stored credentials and execute arbitrary code with elevated privileges.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-034/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Absolute Path Traversal
EUVDB-ID: #VU102834
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-10811
CWE-ID:
CWE-36 - Absolute Path Traversal
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient input validation. A remote non-authenticated attacker can view contents of arbitrary files on the system and use the obtain information to execute arbitrary code.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds write
EUVDB-ID: #VU102841
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13170
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing untrusted input within the AlertService. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-033/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Arbitrary file upload
EUVDB-ID: #VU102840
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13171
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of filename during file upload. A remote attacker can trick the victim into uploading a specially crafted file and execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper verification of cryptographic signature
EUVDB-ID: #VU102839
Risk: Medium
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2024-13172
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to improper certificate validation within the HIIDriver class. A remote attacker can trick the victim into using a specially crafted file to execute arbitrary code on the system.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-032/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Path traversal
EUVDB-ID: #VU102838
Risk: Low
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2024-13158
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to input validation error when processing directory traversal sequences within the MyResolveEventHandler method. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
Successful exploitation of the vulnerability may lead to privilege escalation.
Install update from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linkshttp://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US
http://www.zerodayinitiative.com/advisories/ZDI-25-031/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Absolute Path Traversal
EUVDB-ID: #VU102837
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-13159
CWE-ID:
CWE-36 - Absolute Path Traversal
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient input validation. A remote non-authenticated attacker can view contents of arbitrary files on the system and use the obtain information to execute arbitrary code.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Absolute Path Traversal
EUVDB-ID: #VU102836
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-13160
CWE-ID:
CWE-36 - Absolute Path Traversal
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient input validation. A remote non-authenticated attacker can view contents of arbitrary files on the system and use the obtain information to execute arbitrary code.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Absolute Path Traversal
EUVDB-ID: #VU102835
Risk: High
CVSSv4.0: [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2024-13161
CWE-ID:
CWE-36 - Absolute Path Traversal
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient input validation. A remote non-authenticated attacker can view contents of arbitrary files on the system and use the obtain information to execute arbitrary code.
Install updates from vendor's website.
Vulnerable software versionsEndpoint Manager: before 2022 SU6 January-2025 Update
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
