CVE Vulnerability Database

CVE-2024-50329: Ivanti Endpoint Manager RCE Vulnerability

CVE-2024-50329 is a path traversal vulnerability in Ivanti Endpoint Manager that enables remote code execution by unauthenticated attackers. This article covers technical details, affected versions, impact, and mitigation.


CVE-2024-50329 Overview

CVE-2024-50329 is a path traversal vulnerability [CWE-22] in Ivanti Endpoint Manager (EPM). The flaw affects EPM 2024 prior to the November 2024 Security Update and EPM 2022 prior to the SU6 November Security Update. A remote unauthenticated attacker can exploit the issue to achieve remote code execution on the affected server. Exploitation requires user interaction, so it cannot be fired blindly at an exposed console; it remains reachable through social engineering, for example an administrator opening a crafted link. Ivanti disclosed the issue in its November 2024 security advisory and shipped patched builds for both supported branches.

Critical Impact

An unauthenticated remote attacker can traverse outside the intended directory structure and execute arbitrary code on the Ivanti Endpoint Manager server, compromising the confidentiality, integrity, and availability of the server and, through it, of the endpoints it manages.

Affected Products

  • Ivanti Endpoint Manager 2024 (prior to November 2024 Security Update)
  • Ivanti Endpoint Manager 2022 SU1 through SU5
  • Ivanti Endpoint Manager 2022 base release

Discovery Timeline

  • 2024-11-12 - CVE-2024-50329 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-50329

Vulnerability Analysis

The vulnerability resides in request handling logic within Ivanti Endpoint Manager, where user-supplied path components are not properly sanitized before being concatenated with server-side file operations. An attacker who crafts a request containing directory traversal sequences such as ../ can reach file system locations outside the intended scope. When combined with write or execution primitives in the targeted EPM component, the traversal escalates into remote code execution under the privileges of the EPM service account.

EPM typically runs with elevated privileges to manage agents across the enterprise. Successful exploitation therefore lets the attacker drop payloads, modify management policies, or pivot to the agents enrolled in the EPM environment. Management-plane servers of this kind are attractive to ransomware and access-broker operators because a single foothold reaches every enrolled endpoint; consult the current EPSS score and CISA KEV status for this CVE when prioritizing rather than relying on a static rating.

Root Cause

The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. Input received over the network is incorporated into file path operations without canonicalization or normalization. Sequences that reference parent directories are not stripped, and there is no allow-list validation against an intended base directory before file I/O occurs.
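To make the root cause concrete, here is an added example (written for this page, not Ivanti's code) of a generic vulnerable path resolver beside a hardened one that decodes, canonicalizes and allow-lists the result against a base directory. The base directory /opt/epm/share and the sample request paths are constructed, and the resolver illustrates CWE-22 handling in general rather than the actual EPM code path.

```python
# Added example (not Ivanti's code): the CWE-22 pattern behind CVE-2024-50329,
# shown as a generic vulnerable path resolver beside a hardened one.
# The base directory and request paths are constructed for illustration.
import os
import urllib.parse

BASE_DIR = "/opt/epm/share"  # hypothetical base directory, not an EPM path


def resolve_vulnerable(base: str, user_path: str) -> str:
    """Concatenate the request path onto the base with no canonicalization.
    Parent-directory steps survive, and an absolute user_path replaces base."""
    return os.path.join(base, user_path)


def resolve_hardened(base: str, user_path: str) -> str:
    """Decode, normalize, canonicalize, then allow-list against the base."""
    # Decode percent-encoding twice so %252e%252e (double encoding) is not missed.
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))
    # Fold backslashes to slashes; Windows-hosted services accept both separators.
    decoded = decoded.replace("\\", "/")
    # Reject absolute paths, NUL bytes and empty names before touching the file system.
    if decoded.startswith("/") or "\x00" in decoded or not decoded:
        raise ValueError(f"rejected request path: {user_path!r}")
    # realpath collapses '.', '..' and symlinks, giving the real target location.
    canonical_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(canonical_base, decoded))
    # Allow-list check: the candidate must lie at or below the canonical base.
    if os.path.commonpath([canonical_base, candidate]) != canonical_base:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def check_inputs(base: str, paths: list[str]) -> dict[str, bool]:
    """Map each request path to whether the hardened resolver accepts it."""
    verdicts = {}
    for p in paths:
        try:
            resolve_hardened(base, p)
            verdicts[p] = True
        except ValueError:
            verdicts[p] = False
    return verdicts


# Constructed request paths: benign, benign-with-dotdot, raw traversal,
# percent-encoded, double-encoded, backslash variant, and an absolute path.
SAMPLE_PATHS = [
    "reports/2024.csv",
    "reports/../reports/2024.csv",
    "../../etc/passwd",
    "..%2f..%2fetc%2fpasswd",
    "%252e%252e/%252e%252e/etc/passwd",
    "..\\..\\windows\\win.ini",
    "/etc/passwd",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:45} vulnerable -> {resolve_vulnerable(BASE_DIR, p)}")
    for p, ok in check_inputs(BASE_DIR, SAMPLE_PATHS).items():
        print(f"{p!r:45} hardened   -> {'accept' if ok else 'reject'}")
```

The point of the hardened version is the order of operations: decode and normalize first, canonicalize second, and only then compare against the canonical base. Stripping "../" substrings without canonicalizing is the classic incomplete fix, because encoded and backslash variants slip past the filter and are resolved later by the file API.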

Attack Vector

The vulnerability is reachable over the network and requires no prior authentication. The attacker must induce user interaction to complete exploitation, for example by convincing an administrator to open a crafted link or visit an attacker-controlled resource that triggers the malicious request flow against the EPM server. Once triggered, the attacker writes or executes content at an attacker-chosen file system location, leading to code execution on the management server.

No verified public proof-of-concept code is currently associated with this CVE. Defenders should refer to the Ivanti Security Advisory November 2024 for component-level technical details.

Detection Methods for CVE-2024-50329

Indicators of Compromise

  • HTTP requests to EPM endpoints containing encoded or raw traversal sequences such as ..%2f, ..\, or ../.
  • Unexpected files written outside standard EPM working directories, particularly in web-accessible paths or service binaries.
  • New or modified executables, scripts, or DLLs in EPM installation directories without an associated change ticket.
  • Outbound connections from the EPM server to unfamiliar hosts following inbound web traffic anomalies.

Detection Strategies

  • Inspect IIS and EPM application logs for URI patterns containing traversal characters or unusual filename extensions in request paths.
  • Hunt for child processes spawned by EPM service accounts that match command shells, scripting hosts, or LOLBins.
  • Correlate file creation events under the EPM installation directory with the originating process and parent network session.
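As an added example (not from the page or from Ivanti), the following script parses IIS W3C log lines and flags the raw, backslash, percent-encoded and double-encoded traversal variants from the indicator list above. The log lines, client addresses and URI paths are constructed samples; the routes in them are placeholders, not real EPM endpoints.

```python
# Added example, not from the page: a hunt over IIS W3C log lines for the
# traversal indicators listed above. The log lines are constructed samples and
# the URI paths in them are placeholders, not real EPM routes.
import re
import urllib.parse
from collections import Counter

# After normalization every variant (../, ..\, ..%2f, ..%5c, %252e%252e/) reads "../".
TRAVERSAL_RE = re.compile(r"\.\.(?:/|$)")

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-11-13 08:01:12 10.0.0.5 GET /console/index.html - 443 - 10.0.0.20 Mozilla/5.0 200
2024-11-13 08:01:40 10.0.0.5 GET /files/..%2f..%2fwindows%2fwin.ini - 443 - 203.0.113.9 curl/8.4 200
2024-11-13 08:02:03 10.0.0.5 POST /upload/handler name=..%5c..%5cinetpub%5cwwwroot%5cshell.aspx 443 - 203.0.113.9 python-requests/2.31 200
2024-11-13 08:02:30 10.0.0.5 GET /console/report.csv id=42 443 - 10.0.0.20 Mozilla/5.0 200
2024-11-13 08:03:15 10.0.0.5 GET /files/%252e%252e/%252e%252e/boot.ini - 443 - 203.0.113.9 curl/8.4 404
"""


def normalize(value: str) -> str:
    """Percent-decode twice (catches %252e double encoding) and fold backslashes
    to slashes, whether or not the server already logged a decoded form."""
    for _ in range(2):
        value = urllib.parse.unquote(value)
    return value.replace("\\", "/")


def parse_iis_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def find_traversal(text: str) -> list[dict]:
    """Flag requests whose URI stem or query carries a parent-directory step."""
    hits = []
    for rec in parse_iis_w3c(text):
        for field in ("cs-uri-stem", "cs-uri-query"):
            raw = rec.get(field, "-")
            if raw != "-" and TRAVERSAL_RE.search(normalize(raw)):
                hits.append({
                    "time": f"{rec['date']} {rec['time']}",
                    "client": rec.get("c-ip"),
                    "field": field,
                    "raw": raw,
                    "decoded": normalize(raw),
                    "status": rec.get("sc-status"),
                })
                break  # one hit per request is enough
    return hits


def hits_by_client(hits: list[dict]) -> Counter:
    """Count flagged requests per source address to surface the noisiest client."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_traversal(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']:<14} {h['field']:<13} {h['status']} {h['decoded']}")
    print(dict(hits_by_client(found)))
```

Pair the flagged requests with their sc-status: a 200 on a traversal request to a write or upload handler is far more interesting than a 404, and the follow-on file-creation events under the EPM install directory from the third strategy above are what confirm it.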

Monitoring Recommendations

  • Enable verbose web server logging on the EPM management console and forward logs to a centralized analytics platform for path traversal pattern matching.
  • Baseline normal process trees for LANDesk and EPM service binaries, then alert on deviations such as cmd.exe, powershell.exe, or rundll32.exe descendants.
  • Monitor integrity of EPM binaries and configuration files with file integrity monitoring and alert on changes outside maintenance windows.
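The process-tree baseline described above, as an added example that is not part of the original page: it walks constructed Sysmon-style process-creation records upward and alerts when a shell, scripting host or LOLBin has an EPM service image among its ancestors. The PIDs, users and image paths are invented, and the EPM service image set is a placeholder that you would replace with your own baseline.

```python
# Added example (not from the page): a process-tree check of the kind the
# monitoring recommendation describes, run over constructed Sysmon-style
# process-creation records. PIDs and image paths are invented, and the EPM
# service image list is a placeholder to replace with your own baseline.
from typing import NamedTuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str  # full image path, as Sysmon Event ID 1 records it
    user: str


# Placeholder baseline of EPM / LANDesk service images (an assumption, not Ivanti's list).
EPM_SERVICE_IMAGES = {
    r"c:\windows\system32\inetsrv\w3wp.exe",
    r"c:\program files\landesk\managementsuite\corews.exe",
}

# Shells, scripting hosts and LOLBins that an EPM service process should never spawn.
SUSPICIOUS_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
    "certutil.exe", "wscript.exe", "cscript.exe", "regsvr32.exe", "bitsadmin.exe",
}

# Constructed events: one legitimate EPM child, one admin shell, and one
# cmd.exe -> powershell.exe chain hanging off the EPM web worker.
SAMPLE_EVENTS = [
    Proc(4, 0, r"c:\windows\system32\services.exe", r"NT AUTHORITY\SYSTEM"),
    Proc(812, 4, r"c:\windows\system32\inetsrv\w3wp.exe", r"IIS APPPOOL\EPM"),
    Proc(900, 4, r"c:\program files\landesk\managementsuite\corews.exe", r"CORP\svc_epm"),
    Proc(1201, 812, r"c:\windows\system32\cmd.exe", r"IIS APPPOOL\EPM"),
    Proc(1202, 1201, r"c:\windows\system32\windowspowershell\v1.0\powershell.exe", r"IIS APPPOOL\EPM"),
    Proc(1300, 900, r"c:\program files\landesk\managementsuite\ldinv32.exe", r"CORP\svc_epm"),
    Proc(1400, 4, r"c:\windows\explorer.exe", r"CORP\admin"),
    Proc(1401, 1400, r"c:\windows\system32\cmd.exe", r"CORP\admin"),
]


def image_name(image: str) -> str:
    """Lower-cased file name of an image path."""
    return image.lower().rsplit("\\", 1)[-1]


def epm_ancestor(proc: Proc, by_pid: dict) -> tuple:
    """Walk parent links upward; return (ancestor, depth) for the nearest EPM
    service image, or (None, 0). The visited set guards against PID-reuse loops."""
    seen, depth, cur = set(), 0, proc
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur, depth = by_pid[cur.ppid], depth + 1
        if cur.image.lower() in EPM_SERVICE_IMAGES:
            return cur, depth
    return None, 0


def detect_lolbin_descendants(events: list) -> list:
    """Return an alert for every suspicious image that descends from an EPM service."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if image_name(e.image) not in SUSPICIOUS_IMAGES:
            continue
        ancestor, depth = epm_ancestor(e, by_pid)
        if ancestor is not None:
            alerts.append({"pid": e.pid, "image": image_name(e.image), "user": e.user,
                           "ancestor": ancestor.image, "depth": depth})
    return alerts


if __name__ == "__main__":
    for a in detect_lolbin_descendants(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} (as {a['user']}) "
              f"is {a['depth']} hop(s) below {a['ancestor']}")
```

Walking the whole ancestry rather than checking only the direct parent is what catches the second alert here: powershell.exe is launched by cmd.exe, not by the web worker, and a parent-only rule would miss it. The admin's cmd.exe under explorer.exe produces no alert because no EPM service image sits above it.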

How to Mitigate CVE-2024-50329

Immediate Actions Required

  • Apply the November 2024 Security Update for EPM 2024 or the EPM 2022 SU6 November Security Update as documented by Ivanti.
  • Restrict network exposure of the EPM management console to trusted administrative networks and VPN segments.
  • Audit EPM servers for evidence of prior exploitation, including unexpected files in web-accessible directories and unusual service account activity.
  • Rotate credentials and API keys used by EPM if compromise is suspected.

Patch Information

Ivanti has released fixed builds for both supported branches. Refer to the Ivanti Security Advisory November 2024 for the specific version numbers, download locations, and upgrade prerequisites. Patching is the only complete remediation for this vulnerability.

Workarounds

  • No vendor-supplied workaround replaces the patch; prioritize upgrading affected EPM servers.
  • Place the EPM console behind a web application firewall configured to block requests containing path traversal sequences.
  • Limit administrator browsing on the EPM server itself to reduce the user-interaction exploitation surface.
  • Apply network segmentation so that the EPM server cannot initiate arbitrary outbound connections beyond required update and telemetry endpoints.
```apache
# Example WAF rule concept to block traversal attempts against EPM endpoints.
# ModSecurity syntax shown; adapt to Azure WAF, AWS WAF, etc.
# t:urlDecodeUni runs twice so double-encoded forms (%252e%252e) are decoded
# before the regex, which then only needs the raw ../ and ..\ shapes.
SecRule REQUEST_URI "@rx (\.\./|\.\.\\|\.\.$)" \
    "id:1005029,phase:1,deny,status:403,log,\
     t:none,t:urlDecodeUni,t:urlDecodeUni,t:lowercase,\
     msg:'Path traversal attempt against Ivanti EPM (CVE-2024-50329)'"
```

Treat the rule as a stopgap only: it sees just the traffic that passes through the WAF, can be bypassed by encodings it does not normalize, and may block legitimate requests that carry ".." in a parameter, so run it in a log-only mode first and keep the patch as the actual fix.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
