Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2022-30121

CVE-2022-30121: Ivanti Endpoint Manager Privilege Escalation

CVE-2022-30121 is a privilege escalation vulnerability in Ivanti Endpoint Manager's LANDesk Management Agent that allows limited users to gain admin privileges. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2022-30121 Overview

CVE-2022-30121 is a local privilege escalation vulnerability in the Ivanti Endpoint Manager (formerly LANDesk) Management Agent service. The vulnerability exists because the LANDesk(R) Management Agent service exposes a socket that, once connected, allows the launching of commands for signed executables. This security flaw enables a limited user to escalate their privileges to administrator level on the affected system.

Critical Impact

Local attackers with low-level access can exploit this vulnerability to gain full administrative control over managed endpoints, potentially compromising the entire endpoint management infrastructure.

Affected Products

  • Ivanti Endpoint Manager (versions prior to patched releases)
  • Ivanti Endpoint Manager 2021.1.1
  • Ivanti Endpoint Manager 2021.1.1 SU1 and SU2

Discovery Timeline

  • 2022-09-23 - CVE-2022-30121 published to NVD
  • 2025-05-22 - Last updated in NVD database

Technical Details for CVE-2022-30121

Vulnerability Analysis

This vulnerability is classified under CWE-269 (Improper Privilege Management), indicating a fundamental flaw in how the LANDesk Management Agent handles privilege boundaries. The exposed socket interface accepts connections from local users and permits command execution through signed executables, but the privilege validation mechanism is insufficient to prevent abuse.

The attack requires local access to the target system. An attacker with standard user privileges can interact with the exposed socket to execute commands that should be restricted to administrative users. The vulnerability affects the confidentiality, integrity, and availability of the system, as successful exploitation grants the attacker full administrative control.

Root Cause

The root cause of CVE-2022-30121 lies in improper privilege management within the LANDesk Management Agent service. The service exposes a network socket that processes commands without adequately verifying whether the connecting user has the appropriate privileges to execute the requested operations. While the service implements signature verification for executables, it fails to properly validate the privilege level of the requesting user, allowing privilege escalation from limited user accounts to administrator.

Attack Vector

The attack vector for CVE-2022-30121 is local, meaning an attacker must already have access to the target system, even with limited user privileges. The exploitation process involves:

  1. A local user with limited privileges identifies the exposed LANDesk Management Agent socket
  2. The attacker connects to the socket interface
  3. Through the socket connection, the attacker sends commands that leverage the service's elevated privileges
  4. Since the service runs with high privileges and executes signed executables, the attacker can perform administrative actions
  5. The result is complete privilege escalation to administrator level on the affected endpoint

No verified proof-of-concept code is publicly available for this vulnerability. The exploitation mechanism relies on interacting with the LANDesk Management Agent's exposed socket interface to execute commands with elevated privileges. For detailed technical information, refer to the Ivanti Security Advisory.

Detection Methods for CVE-2022-30121

Indicators of Compromise

  • Unexpected socket connections to the LANDesk Management Agent service from non-administrative user accounts
  • Unusual command execution patterns originating from the Management Agent process
  • Privilege escalation events following interaction with the LDClient.exe or related LANDesk processes
  • New administrative accounts created without proper authorization workflows

Detection Strategies

  • Monitor process creation events where the parent process is the LANDesk Management Agent service
  • Implement endpoint detection rules for suspicious socket connections to local management agent services
  • Track user privilege changes that occur in proximity to LANDesk agent activity
  • Deploy behavioral analytics to identify anomalous command execution through endpoint management services

Monitoring Recommendations

  • Enable detailed logging for the LANDesk Management Agent service
  • Configure SIEM rules to correlate privilege escalation events with endpoint management agent activity
  • Implement file integrity monitoring on critical system files that could be modified post-exploitation
  • Monitor Windows Security Event logs for Event ID 4672 (Special privileges assigned to new logon) associated with LANDesk processes

How to Mitigate CVE-2022-30121

Immediate Actions Required

  • Apply the latest security patches from Ivanti for Endpoint Manager immediately
  • Audit all systems running Ivanti Endpoint Manager for signs of compromise
  • Restrict local access to systems where elevated privileges could be abused
  • Review user accounts on affected endpoints for unauthorized privilege escalations

Patch Information

Ivanti has released security updates to address CVE-2022-30121. Organizations should apply the patches as documented in the Ivanti Security Advisory for CVE-2022-30121. Ensure all Ivanti Endpoint Manager installations, including version 2021.1.1 and its service updates (SU1, SU2), are updated to the latest patched versions.

Workarounds

  • Implement strict access controls to limit which users can log into systems with the LANDesk Management Agent
  • Consider firewall rules to restrict access to the Management Agent socket where feasible
  • Deploy application whitelisting to monitor and control executables launched through the agent service
  • Implement network segmentation to limit lateral movement if an endpoint is compromised
bash
# Example: Verify Ivanti Endpoint Manager version (Windows)
# Check installed version via registry
reg query "HKLM\SOFTWARE\LANDesk\ManagementSuite\WinClient\Agent" /v "Version"

# Review Windows services related to LANDesk
sc query | findstr /i "landesk"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.