CVE-2024-10811 Overview
CVE-2024-10811 is an absolute path traversal vulnerability affecting Ivanti Endpoint Manager (EPM) that allows a remote unauthenticated attacker to leak sensitive information from vulnerable systems. This path traversal flaw enables attackers to access files outside the intended directory structure, potentially exposing configuration files, credentials, or other sensitive data stored on the EPM server.
Critical Impact
Remote unauthenticated attackers can exploit this path traversal vulnerability to access and exfiltrate sensitive information from Ivanti EPM servers without requiring any credentials or user interaction.
Affected Products
- Ivanti Endpoint Manager 2024 (versions prior to January-2025 Security Update)
- Ivanti Endpoint Manager 2022 (versions prior to SU6 January-2025 Security Update)
- Ivanti Endpoint Manager 2022 SU1 through SU5
Discovery Timeline
- 2025-01-14 - CVE-2024-10811 published to NVD
- 2025-06-17 - Last updated in NVD database
Technical Details for CVE-2024-10811
Vulnerability Analysis
This vulnerability is classified as an Absolute Path Traversal (CWE-36) and Path Traversal (CWE-22) issue. The flaw exists in Ivanti Endpoint Manager's handling of file path inputs, where the application fails to properly sanitize or validate user-supplied path components. This allows attackers to craft malicious requests containing path traversal sequences that bypass intended directory restrictions.
The vulnerability can be exploited remotely over the network without requiring any authentication or user interaction. Successful exploitation results in unauthorized disclosure of sensitive information, though the integrity and availability of the affected system remain unaffected according to the vulnerability assessment.
Root Cause
The root cause stems from improper input validation when processing file paths within Ivanti EPM. The application does not adequately sanitize absolute path references, allowing attackers to specify arbitrary file system paths rather than being constrained to the application's intended working directories. This is a classic path traversal vulnerability where user input directly influences file system operations without proper boundary enforcement.
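To make the absolute-path variant of this weakness (CWE-36) concrete, here is an added illustration that is not Ivanti's code: a file-serving routine that joins user input onto a base directory with Windows path semantics (ntpath, so it runs on any OS), beside a hardened version that rejects drive-qualified, UNC and rooted input and verifies that the normalised result stays inside the base directory. The base directory and file names are constructed for the example.

```python
import ntpath
from typing import Optional

# Constructed base directory for the illustration; not Ivanti EPM's real layout.
BASE_DIR = r"C:\ProgramData\ExampleApp\files"


def resolve_unsafe(user_path: str) -> str:
    """Vulnerable pattern (CWE-36): join user input straight onto the base directory.

    ntpath.join drops BASE_DIR entirely when user_path carries a drive letter
    or is rooted, so an absolute request resolves to itself, outside BASE_DIR.
    """
    return ntpath.normpath(ntpath.join(BASE_DIR, user_path))


def resolve_safe(user_path: str) -> Optional[str]:
    """Hardened version: return the resolved path, or None if it must be rejected."""
    drive, _ = ntpath.splitdrive(user_path)
    # Reject anything carrying a drive letter or UNC prefix, or rooted at a separator.
    if drive or ntpath.isabs(user_path) or user_path[:1] in ("\\", "/"):
        return None
    resolved = ntpath.normpath(ntpath.join(BASE_DIR, user_path))
    # normpath has collapsed any "..", so the boundary check is a plain prefix test.
    if ntpath.commonpath([BASE_DIR, resolved]) != ntpath.normpath(BASE_DIR):
        return None
    return resolved


if __name__ == "__main__":
    # Constructed inputs: a legitimate relative name, an absolute path, dot-dot traversal.
    for candidate in (r"reports\summary.txt", r"C:\Windows\example.ini", r"..\..\example.ini"):
        print(f"{candidate!r:28} unsafe -> {resolve_unsafe(candidate)}")
        print(f"{'':28} safe   -> {resolve_safe(candidate)}")
```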
Attack Vector
The attack vector is network-based, requiring no authentication or privileges. An attacker can remotely send specially crafted HTTP requests to the vulnerable Ivanti EPM server containing absolute path references. The server processes these malicious paths without proper validation, enabling access to files outside the intended directory scope.
The exploitation flow involves:
- Attacker identifies a vulnerable Ivanti EPM instance exposed to the network
- Attacker crafts HTTP requests with absolute path traversal payloads targeting sensitive files
- The EPM server processes the request without validating the file path boundaries
- Sensitive file contents are returned to the attacker, resulting in information disclosure
For detailed technical analysis of this vulnerability and related Ivanti EPM credential coercion issues, refer to Horizon3's attack research blog.
Detection Methods for CVE-2024-10811
Indicators of Compromise
- Unusual HTTP requests to Ivanti EPM endpoints containing path traversal sequences (e.g., absolute paths or ../ patterns)
- Web server logs showing access attempts to sensitive system files such as configuration files or credential stores
- Anomalous file access patterns from the EPM service process accessing files outside normal application directories
- Network traffic showing large or unexpected data transfers from the EPM server to external hosts
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in HTTP requests targeting Ivanti EPM
- Monitor Ivanti EPM web server access logs for suspicious path sequences and requests to sensitive file paths
- Implement network-based intrusion detection signatures for known path traversal attack patterns against EPM endpoints
- Utilize endpoint detection and response (EDR) solutions to monitor file access activities by the EPM service
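As an added example of the log monitoring recommended above (not part of the original page or any Ivanti tooling), this script decodes the path and query parameters of IIS-style access log lines, including double-encoded values, and flags parameters that carry an absolute Windows path or a ".." segment. The log lines, their field layout and the /epm/... endpoint names are constructed for the example; adjust the field order to the server's actual W3C logging configuration.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed, simplified IIS-style access log lines (field order assumed here):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2025-01-20 10:01:02 10.0.0.15 GET /epm/report name=weekly.pdf 200
2025-01-20 10:03:44 203.0.113.7 GET /epm/report name=C%3A%5Cconstructed%5Cexample.ini 200
2025-01-20 10:03:45 203.0.113.7 GET /epm/report name=..%2F..%2Fexample.ini 200
2025-01-20 10:03:46 203.0.113.7 GET /epm/report name=%252e%252e%2F%252e%252e%2Fexample.xml 200
2025-01-20 10:05:10 10.0.0.16 GET /epm/status - 200
"""
# Drive letter (C:), UNC prefix (\\), or a rooted separator at the start of a value.
ABS_PATH = re.compile(r"^(?:[A-Za-z]:|\\\\|[\\/])")
# A ".." segment delimited by separators or string boundaries.
DOT_DOT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(uri_stem: str, uri_query: str) -> list:
    """Return (location, decoded value, reason) for each field that looks like traversal."""
    hits = []
    stem = fully_decode(uri_stem)
    if DOT_DOT.search(stem):
        hits.append(("path", stem, "dot-dot traversal"))
    if uri_query != "-":
        for key, raw in parse_qsl(uri_query, keep_blank_values=True):
            val = fully_decode(raw)
            # Rooted values also match parameters that legitimately hold URL paths
            # (e.g. a redirect target), so treat hits as triage leads, not verdicts.
            if ABS_PATH.match(val):
                hits.append((f"query:{key}", val, "absolute path"))
            elif DOT_DOT.search(val):
                hits.append((f"query:{key}", val, "dot-dot traversal"))
    return hits


def scan_log(text: str) -> list:
    """Scan log text and return one finding dict per suspicious field."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or line.startswith("#"):
            continue  # skip W3C directive lines and truncated records
        date, clock, client, _method, stem, query, _status = fields[:7]
        for where, value, reason in suspicious_values(stem, query):
            findings.append({"time": f"{date} {clock}", "client": client, "where": where, "value": value, "reason": reason})
    return findings
```

Calling scan_log(SAMPLE_LOG) yields three findings, all from 203.0.113.7, which is the kind of clustering by client address that turns individual hits into an investigation lead.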
Monitoring Recommendations
- Enable verbose logging on Ivanti EPM servers and forward logs to a SIEM for centralized analysis
- Configure file integrity monitoring on critical system directories and configuration files accessible from the EPM server
- Establish baseline network traffic patterns and alert on deviations indicating potential data exfiltration
- Implement real-time alerting for failed access attempts and permission denied errors related to file operations
How to Mitigate CVE-2024-10811
Immediate Actions Required
- Apply the Ivanti EPM 2024 January-2025 Security Update immediately for EPM 2024 installations
- Apply the Ivanti EPM 2022 SU6 January-2025 Security Update for EPM 2022 installations
- Restrict network access to Ivanti EPM management interfaces to trusted administrative networks only
- Review access logs for any evidence of exploitation attempts prior to patching
Patch Information
Ivanti has released security updates addressing this vulnerability in the January 2025 security advisory. The patches are available for both EPM 2024 and EPM 2022 product lines:
- EPM 2024: January-2025 Security Update
- EPM 2022: SU6 January-2025 Security Update
Organizations should obtain and apply these patches from the official Ivanti Security Advisory for EPM January 2025.
Workarounds
- Implement network segmentation to limit exposure of Ivanti EPM servers to untrusted networks
- Deploy a reverse proxy or web application firewall in front of EPM servers configured to block path traversal patterns
- Restrict inbound network access to EPM servers using firewall rules, allowing only authorized administrator IP addresses
- Monitor and audit file system permissions on the EPM server to minimize the impact of potential information disclosure
# Example: Restrict access to the Ivanti EPM management port using Windows Firewall rules
# Windows Firewall evaluates explicit block rules before allow rules, so a "block any"
# rule on port 443 would also block the admin subnet. Set the default inbound action to
# block and add only an allow rule scoped to the trusted administrative subnet (here
# 10.0.0.0/24); remove or re-scope any existing rule that allows port 443 from anywhere.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Restrict Ivanti EPM Access" dir=in action=allow protocol=tcp localport=443 remoteip=10.0.0.0/24
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.