Ivanti Endpoint Manager (EPM) is a widely used enterprise solution for endpoint security and software management. In February 2025, security researcher Zach Hanley from Horizon3.ai disclosed a critical vulnerability in this product along with a proof-of-concept exploit. With a CVSS score of 9.8, this vulnerability poses a significant security risk to organizations that have deployed Ivanti EPM in their environment.
| Product | Ivanti Endpoint Manager |
| Date | 2025-03-06 15:14:56 |
| Information |
|
Technical Summary
The vulnerability is present in the WSVulnerabilityCore.dll file, specifically in the VulCore class within the LANDesk.ManagementSuite.WSVulnerabilityCore namespace. The GetHashForWildcardRecursive method, which calculates hashes for files in a specified directory, does not correctly validate user-controlled input.
When the method calls Path.GetDirectoryName() on this unvalidated input and combines it using Path.Combine(), it creates a rootPath variable that can be manipulated to point to a remote UNC path. An unauthenticated attacker can exploit this behavior by crafting a special request to redirect hashing operations toward an attacker-controlled SMB server.
This forces the EPM server to attempt authentication with the malicious server, allowing the attacker to capture NTLM hashes from the target system. The captured hashes can then be used for further attacks, including pass-the-hash techniques, to move laterally within the network and potentially escalate privileges.
Recommendations
Organizations using Ivanti EPM should immediately take the following actions:
- Update to the latest patched versions released by Ivanti in January 2025
- Implement network segmentation to limit outbound SMB traffic from EPM servers
- Monitor for suspicious authentication attempts and anomalous network connections from EPM servers
- Consider applying the principle of least privilege to the service accounts running EPM
- Deploy network detection rules to identify exploitation attempts targeting this vulnerability
[Callforaction-THREAT-Footer]
