CVE-2024-13168 Overview
CVE-2024-13168 is an out-of-bounds write vulnerability [CWE-787] in Ivanti Endpoint Manager (EPM). The flaw allows a remote unauthenticated attacker to trigger a denial-of-service condition over the network. Ivanti disclosed the issue in the January 2025 security advisory covering EPM 2024 and EPM 2022 SU6. The vulnerability affects EPM 2024 prior to the January-2025 Security Update and EPM 2022 SU6 prior to the January-2025 Security Update. No authentication or user interaction is required to exploit the flaw, lowering the barrier for opportunistic attacks against exposed management infrastructure.
Critical Impact
A remote, unauthenticated attacker can crash the Ivanti EPM service across the network, disrupting endpoint management operations enterprise-wide.
Affected Products
- Ivanti Endpoint Manager 2024 (prior to January-2025 Security Update)
- Ivanti Endpoint Manager 2022 SU1 through SU5
- Ivanti Endpoint Manager 2022 SU6 (prior to January-2025 Security Update)
Discovery Timeline
- 2025-01-14 - CVE-2024-13168 published to NVD
- 2025-01-14 - Ivanti releases January 2025 Security Advisory for EPM 2024 and EPM 2022 SU6
- 2025-07-11 - Last updated in NVD database
Technical Details for CVE-2024-13168
Vulnerability Analysis
The vulnerability is an out-of-bounds write [CWE-787] in Ivanti Endpoint Manager. Out-of-bounds writes occur when a program writes data past the end, or before the beginning, of an allocated buffer. In this case, the condition is reachable across the network without authentication. Successful exploitation corrupts adjacent memory and causes the targeted EPM service process to terminate.
The CVSS vector reports no impact to confidentiality or integrity. The availability impact is high, indicating the practical outcome is a service crash rather than code execution or data exposure. EPM is a centralized platform for software distribution, patching, and inventory, so loss of availability disrupts endpoint management workflows across the enterprise.
The EPSS score of 1.532% places this CVE in the 81st percentile for likelihood of observed exploitation. Ivanti products have repeatedly drawn attacker attention, and management servers exposed to broader networks remain attractive targets for disruption campaigns.
Root Cause
The root cause is improper validation of input length or bounds before writing into a fixed-size buffer within an EPM network-facing component. When attacker-controlled data exceeds the expected size, the write extends beyond the buffer boundary and corrupts memory the process depends on.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker with network reachability to the Ivanti EPM server sends a crafted request to the vulnerable service. Processing the request triggers the out-of-bounds write and crashes the service, producing a denial of service. No public proof-of-concept exploit is referenced in the available advisory data.
For technical specifics, see the Ivanti Security Advisory January 2025.
Detection Methods for CVE-2024-13168
Indicators of Compromise
- Unexpected termination or repeated restarts of Ivanti EPM service processes on the management server.
- Windows Application or System event log entries showing crash dumps for EPM binaries.
- Spikes in inbound traffic to EPM listening ports from unexpected external or internal sources.
- Loss of agent check-ins from managed endpoints coinciding with server-side service failures.
Detection Strategies
- Monitor EPM server processes for abnormal exits, access violations, and watchdog-triggered restarts.
- Inspect network telemetry for malformed or oversized requests targeting EPM management ports.
- Correlate EPM service crash events with concurrent inbound network sessions to identify probable trigger sources.
Monitoring Recommendations
- Forward EPM server Windows event logs and crash dumps to a centralized SIEM for retention and correlation.
- Alert on consecutive service restarts of EPM components within short time windows.
- Track agent connectivity metrics and trigger investigation when large groups of endpoints simultaneously stop reporting.
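The restart-burst alert and the crash-to-session correlation described in the detection and monitoring lists above, as an added example that is not part of the original page or of Ivanti's tooling. The event tuples, service names, addresses, the 5-minute window and the 10-second lookback are constructed assumptions; substitute crash events and inbound session records exported from your own SIEM.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data: service names and addresses are placeholders,
# not values taken from the Ivanti advisory.
CRASHES = [  # (timestamp, service) from service-crash events on the EPM server
    ("2025-01-20T10:00:05", "epm-svc-a"),
    ("2025-01-20T10:02:11", "epm-svc-a"),
    ("2025-01-20T10:03:40", "epm-svc-a"),
    ("2025-01-20T14:30:00", "epm-svc-b"),
]
SESSIONS = [  # (timestamp, source IP) of inbound sessions to EPM ports
    ("2025-01-20T10:00:03", "203.0.113.7"),
    ("2025-01-20T10:00:04", "10.0.5.20"),
    ("2025-01-20T10:02:09", "203.0.113.7"),
    ("2025-01-20T10:03:38", "203.0.113.7"),
    ("2025-01-20T14:29:55", "10.0.5.21"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def restart_bursts(crashes, threshold=3, window=timedelta(minutes=5)):
    """Return services that crashed `threshold` or more times inside `window`."""
    by_service = defaultdict(list)
    for ts, svc in crashes:
        by_service[svc].append(_ts(ts))
    alerts = []
    for svc, times in by_service.items():
        times.sort()
        # Slide over each run of `threshold` consecutive crashes.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append(svc)
                break
    return sorted(alerts)

def probable_sources(crashes, sessions, lookback=timedelta(seconds=10)):
    """Count, per source IP, how many crashes it had a session shortly before."""
    hits = Counter()
    for crash_ts, _svc in crashes:
        t = _ts(crash_ts)
        seen = {ip for ts, ip in sessions if timedelta(0) <= t - _ts(ts) <= lookback}
        hits.update(seen)  # one hit per crash per source
    return hits.most_common()

if __name__ == "__main__":
    print("burst alerts:", restart_bursts(CRASHES))
    print("sources by preceding crashes:", probable_sources(CRASHES, SESSIONS))
```

A source that precedes several distinct crashes is a lead for investigation, not proof of cause; legitimate agents that reconnect after each restart can also rank highly.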
How to Mitigate CVE-2024-13168
Immediate Actions Required
- Apply the Ivanti EPM January-2025 Security Update for EPM 2024 or the January-2025 Security Update for EPM 2022 SU6.
- Restrict network access to Ivanti EPM management interfaces to administrative subnets only.
- Inventory all EPM servers and confirm patch level against the January 2025 advisory.
- Verify agent connectivity after patching to ensure no regression in endpoint check-ins.
Patch Information
Ivanti released fixes for this vulnerability in the January 2025 security update cycle. Customers on EPM 2024 must install the 2024 January-2025 Security Update. Customers on EPM 2022 must move to SU6 and apply the 2022 SU6 January-2025 Security Update. Refer to the Ivanti Security Advisory January 2025 for download links and prerequisite guidance.
Workarounds
- Place EPM servers behind network access controls that limit reachability to known administrative hosts.
- Use host-based firewalls on EPM servers to filter unsolicited traffic to management service ports.
- Implement rate limiting and connection thresholds on perimeter devices fronting EPM infrastructure.
- Monitor for service crashes and configure automatic restart with alerting until the patch is applied.


