CVE-2024-29847: 
Ivanti Endpoint Manager vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-29847) was discovered in Ivanti Endpoint Manager (EPM), affecting versions before 2022 SU6 and the 2024 version prior to the September update. The vulnerability involves deserialization of untrusted data in the agent portal, which allows remote unauthenticated attackers to achieve remote code execution. The vulnerability was assigned a CVSS v3.1 score of 9.8 (Critical) by NIST and 10.0 by HackerOne (NVD, ZDI).

The vulnerability exists within the AgentPortal service of Ivanti EPM. The specific flaw stems from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. The vulnerability has been classified as CWE-502 (Deserialization of Untrusted Data). The issue allows attackers to execute code in the context of SYSTEM privileges (ZDI).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager with SYSTEM level privileges. The attack does not require authentication, making it particularly dangerous for exposed systems (ZDI).

Ivanti has released security updates to address this vulnerability. Organizations running EPM 2024 should apply both July and September security patches, with a 2024 SU1 update to be released. For EPM 2022 users, upgrading to version 2022 SU6 is recommended (Arctic Wolf).