CVE-2024-29847

Description: Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.


CVE-2024-29847 is an unauthenticated deserialization of untrusted data remote code execution vulnerability in Ivanti Endpoint Manager (“EPM”). Ivanti EPM is used to manage computer endpoints across an organization, so it makes for an attractive and high-value target. Exploitation of CVE-2024-29847 involves interacting with a .NET remoting service, which dynamically selects a TCP port to listen on, in order to deserialize malicious data and establish a write-what-where exploit primitive on disk. The vulnerability has a public PoC available, and it’s straightforward to exploit for remote code execution.

Ivanti EPM is often targeted by attackers and affords a lot of sensitive access to endpoints if compromised. I’ve rated ‘Attacker Value’ as ‘High’ to reflect this, and also to reflect the fact that the TCP remoting service port is dynamically selected and unlikely to commonly be exposed to the public internet. I’ve rated ‘Exploitability’ as ‘High’ as well, since CVE-2024-29847 is most likely to be exploitable in an adjacent network position context, but is very straightforward to exploit if the vulnerable service is reachable.


http://example.com/2025/07/23/other_4162074658/
Author
lianccc
Published
July 23, 2025