Critical Vulnerability in Ivanti EPM: PoC for CVE-2024-13159 Released

February 25, 2025

Security expert Zach Hanley, associated with Horizon3.ai, has published the technical details and a proof-of-concept (PoC) for a high-severity vulnerability in Ivanti Endpoint Manager (EPM), tracked as CVE-2024-13159. The flaw has been assigned a CVSS score of 9.8, which reflects its critical nature and the need for an immediate response.

Ivanti EPM, a .NET application, provides endpoint security and software management solutions for businesses. The vulnerability is located in the WSVulnerabilityCore.dll file, specifically in the VulCore class within the LANDesk.ManagementSuite.WSVulnerabilityCore namespace. The problem lies in the GetHashForWildcardRecursive method, which is intended to calculate hashes for files in a specified directory.

According to the Horizon3.ai report, Hanley states: “The GetHashForWildcardRecursive() method defined in this class expects a string argument called wildcard and is passed to HashCalculator.GetHashForWildcardRecursive().” The key issue is how the method handles user-controlled input. The user-provided value is passed to Path.GetDirectoryName() without sufficient validation, and the result is then merged using Path.Combine() to create a rootPath. Because this rootPath can be a remote UNC path, attackers can manipulate the Ivanti EPM server into revealing confidential data.
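The path handling described above can be modelled with Python's `ntpath` module, which applies Windows path rules on any OS. This is an added example, not Ivanti's code or its patch: the base directory, the function names and the sample inputs are constructed, and the check shown is one possible validation, not the vendor's fix.

```python
import ntpath  # Windows path rules, usable on any OS

# Placeholder base directory; the page does not name the real one.
BASE = r"C:\ExampleRoot\files"

def resolve_root(base: str, wildcard: str) -> str:
    """Model the step described above: take the directory part of the
    caller-supplied wildcard and combine it with a base path. Like .NET's
    Path.Combine, ntpath.join drops the base when the second part is a
    UNC or drive-absolute path, so a UNC wildcard yields a UNC root."""
    return ntpath.normpath(ntpath.join(base, ntpath.dirname(wildcard)))

def is_remote_or_device(path: str) -> bool:
    r"""True for \\server\share, \\?\ and \\.\ forms (either slash style)."""
    return path.replace("/", "\\").startswith("\\\\")

def safe_root(base: str, wildcard: str):
    """Return the resolved root only if it stays under base, else None."""
    if is_remote_or_device(wildcard):
        return None
    root = resolve_root(base, wildcard)
    base_n = ntpath.normcase(ntpath.normpath(base))
    root_n = ntpath.normcase(root)
    # Reject anything that resolved to another drive or escaped via "..".
    if root_n != base_n and not root_n.startswith(base_n + "\\"):
        return None
    return root

# Constructed inputs (198.51.100.0/24 is a documentation address range).
SAMPLES = [
    r"sub\*.dll",
    r"*.dll",
    r"\\198.51.100.7\share\*.dll",
    "//198.51.100.7/share/*.dll",
    r"..\..\Windows\*.dll",
    r"D:\other\*.dll",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:36} unchecked={resolve_root(BASE, s)!r:32} "
              f"checked={safe_root(BASE, s)!r}")
```

The `unchecked` column shows the UNC input surviving the combine step intact, while `safe_root` rejects it along with the traversal and cross-drive cases.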

A remote attacker, without requiring authentication, can exploit CVE-2024-13159 by sending a specially crafted request to a vulnerable Ivanti EPM server. As Hanley demonstrated, the vulnerability allows attackers to control the wildcard parameter and redirect hashing operations to an attacker-controlled UNC path. By exploiting this flaw, adversaries can deceive the EPM server into trying to authenticate with a malicious SMB server, which can then capture NTLM hashes from the targeted system. These hashes can subsequently be used for pass-the-hash attacks, enabling lateral movement within the network and potential privilege escalation.

Horizon3.ai has released a PoC exploit showing how CVE-2024-13159 can be exploited by attackers. Ivanti released a security update in January 2025 that addresses the issue for all affected versions of EPM. Organizations using Ivanti EPM are advised to promptly update to the latest patched versions to mitigate this critical risk.
