CVE-2024-13165 Overview
CVE-2024-13165 is an out-of-bounds write vulnerability [CWE-787] affecting Ivanti Endpoint Manager (EPM). The flaw allows a remote, unauthenticated attacker to trigger a denial-of-service condition over the network. Ivanti disclosed the issue in its January 2025 security advisory covering EPM 2024 and EPM 2022 SU6.
The vulnerability requires no authentication and no user interaction. Exploitation impacts availability only, with no direct confidentiality or integrity consequences according to the published CVSS vector. Administrators managing endpoints through Ivanti EPM should treat this as a priority patch given the unauthenticated network attack surface.
Critical Impact
A remote unauthenticated attacker can cause a denial of service against Ivanti EPM servers, disrupting endpoint management operations across the enterprise.
Affected Products
- Ivanti Endpoint Manager 2024 prior to the January-2025 Security Update
- Ivanti Endpoint Manager 2022 SU6 prior to the January-2025 Security Update
- Ivanti Endpoint Manager 2022 releases SU1 through SU5
Discovery Timeline
- 2025-01-14 - CVE-2024-13165 published to NVD alongside the Ivanti EPM January 2025 Security Advisory
- 2025-07-11 - Last updated in the NVD database
Technical Details for CVE-2024-13165
Vulnerability Analysis
The vulnerability is an out-of-bounds write in Ivanti Endpoint Manager. The product writes data past the end of an allocated buffer when processing attacker-controlled input received over the network. The write corrupts adjacent memory, leading to a process crash and loss of endpoint management availability.
The CVSS vector indicates the attack is network-reachable, requires no privileges, and needs no user interaction. The impact is limited to availability, which is consistent with a memory corruption primitive that crashes the service rather than yielding code execution. The EPSS score of 1.532% places this vulnerability in the 81st percentile for likelihood of exploitation activity.
Root Cause
The root cause is improper validation of input size or boundary conditions before a memory write operation in an Ivanti EPM service component. Ivanti has not released technical specifics on the affected function. The CWE-787 classification confirms the underlying weakness is an out-of-bounds write rather than a read or use-after-free condition.
Attack Vector
An attacker sends a crafted network request to an exposed Ivanti EPM service endpoint. Because authentication is not required, any host able to reach the EPM management interface can attempt exploitation. Successful exploitation crashes the targeted service and disrupts endpoint management, software distribution, and patching workflows that depend on EPM availability.
No public proof-of-concept exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Ivanti Security Advisory January 2025 for vendor-provided technical context.
Detection Methods for CVE-2024-13165
Indicators of Compromise
- Unexpected crashes or service restarts of Ivanti EPM core services on the management server
- Windows Application or System event log entries referencing faulting modules within the EPM installation directory
- Sudden loss of agent check-ins from managed endpoints coinciding with EPM service termination
Detection Strategies
- Monitor process termination and restart events for Ivanti EPM service binaries on management servers
- Inspect network traffic to EPM listening ports for malformed or oversized request payloads from untrusted sources
- Correlate EPM service crashes with inbound connections from addresses outside the expected administrative subnet
Monitoring Recommendations
- Forward Windows event logs and Ivanti EPM application logs to a centralized SIEM for crash and exception analysis
- Enable alerting on repeated faults in EPM service processes within a short time window
- Track baseline agent connectivity counts and alert on abrupt drops that may indicate a server-side denial of service
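The repeated-fault alert and the crash-to-connection correlation described in the two lists above can be prototyped as follows. This is an added example, not Ivanti or vendor code. The service name, thresholds, time windows, and all sample records are constructed assumptions; only the 10.10.20.0/24 subnet is taken from this page's firewall example.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# All values below are assumptions for illustration; tune them to your environment.
ADMIN_NET = ip_network("10.10.20.0/24")  # trusted subnet from the page's firewall example
WINDOW = timedelta(minutes=10)           # "short time window" for repeated faults
THRESHOLD = 3                            # faults within WINDOW that raise an alert
LOOKBACK = timedelta(seconds=30)         # how far before a crash to look for connections
SVC = "EPM-SERVICE-PLACEHOLDER"          # placeholder, not a real Ivanti service name

# Constructed sample records (not real telemetry): normalized crash events and
# inbound connections to the EPM listener, as a SIEM might store them.
CRASHES = [("2025-01-20T09:00:05", SVC), ("2025-01-20T09:03:10", SVC),
           ("2025-01-20T09:07:45", SVC), ("2025-01-20T11:30:00", SVC)]
CONNS = [("2025-01-20T09:00:03", "10.10.20.15"), ("2025-01-20T09:00:04", "203.0.113.50"),
         ("2025-01-20T09:03:08", "203.0.113.50"), ("2025-01-20T09:07:40", "203.0.113.50"),
         ("2025-01-20T10:15:00", "198.51.100.7"), ("2025-01-20T11:29:50", "10.10.20.15")]

def ts(value):
    return datetime.fromisoformat(value)

def repeated_faults(crashes, window=WINDOW, threshold=THRESHOLD):
    """Return (service, time) for every crash that is at least the Nth within the window."""
    alerts, recent = [], {}
    for when, svc in sorted((ts(t), s) for t, s in crashes):
        # Keep only this service's earlier crashes that still fall inside the window.
        hits = [t for t in recent.get(svc, []) if when - t <= window] + [when]
        recent[svc] = hits
        if len(hits) >= threshold:
            alerts.append((svc, when.isoformat()))
    return alerts

def untrusted_sources_before(crashes, conns, lookback=LOOKBACK, trusted=ADMIN_NET):
    """Map each crash time to source IPs outside the trusted subnet seen just before it."""
    result = {}
    for crash_time, _svc in crashes:
        crash = ts(crash_time)
        sources = sorted({ip for seen, ip in conns
                          if timedelta(0) <= crash - ts(seen) <= lookback
                          and ip_address(ip) not in trusted})
        if sources:
            result[crash_time] = sources
    return result

if __name__ == "__main__":
    print(repeated_faults(CRASHES))
    print(untrusted_sources_before(CRASHES, CONNS))
```

The isolated 11:30 crash raises no alert and has only a trusted-subnet connection before it, which is the baseline a single unrelated fault should produce.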
How to Mitigate CVE-2024-13165
Immediate Actions Required
- Apply the Ivanti EPM 2024 January-2025 Security Update or the EPM 2022 SU6 January-2025 Security Update without delay
- Restrict network access to the Ivanti EPM management interface to trusted administrative networks using firewall rules
- Inventory all EPM instances, including non-production and disaster recovery deployments, to ensure complete patch coverage
Patch Information
Ivanti released fixes in the January 2025 security update cycle. Customers running EPM 2024 must install the 2024 January-2025 Security Update, and customers on the 2022 branch must install 2022 SU6 with the January-2025 Security Update. Earlier 2022 service updates (SU1 through SU5) are not patched and should be upgraded to SU6 before applying the security update. Full details are available in the Ivanti Security Advisory January 2025.
Workarounds
- Place the EPM management server behind a VPN or restricted management VLAN to remove direct internet exposure
- Apply host-based firewall rules limiting inbound connections to known administrative source addresses
- Configure service recovery settings so that EPM services restart automatically after a crash, reducing operational impact while patching is scheduled
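```powershell
# Example Windows firewall rule restricting EPM management port access to a trusted subnet.
# An Allow rule only narrows access when no broader inbound Allow rule already covers
# this port; review and disable any such rule first.
# Adjust -LocalPort and -RemoteAddress to match your EPM listener and administrative subnet.
New-NetFirewallRule -DisplayName "Restrict Ivanti EPM Management" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -RemoteAddress 10.10.20.0/24 `
    -Action Allow
```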


