Ivanti EPM vulnerabilities actively exploited in the wild, CISA warns
Credential coercion
Hanley described the flaws as credential coercion issues because they could allow unauthenticated attackers to coerce the Ivanti EPM machine account credential to be used in NTLM relay attacks, which could in turn result in server compromise.
Ivanti EPM is an asset monitoring and management solution for enterprises that can manage a variety of desktop and mobile devices. The server component is an application written in .NET that exposes various API endpoints.
Hanley found that the input to several unauthenticated API endpoints was not properly sanitized and could be used to pass UNC absolute paths to several methods: GetHashForFile, GetHashForSingleFile, GetHashForWildcard and GetHashForWildcardRecursive — all of which had to do with obtaining hashes for files in specified directories.
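One way to guard a file-hashing endpoint against this kind of input, as an added example (not Ivanti's code or its fix, and written in Python rather than the product's .NET): the hypothetical validate_hash_target rejects UNC and device-namespace paths before anything opens them, then confines the remaining paths to an assumed base directory, ALLOWED_BASE.

```python
import ntpath

# Hypothetical directory the hashing endpoint is allowed to read (assumption).
ALLOWED_BASE = r"C:\ProgramData\ExampleApp\files"


class UnsafePathError(ValueError):
    """Raised when a client-supplied path must not reach the file system."""


def validate_hash_target(user_path: str, base: str = ALLOWED_BASE) -> str:
    """Return a normalized local path under `base`, or raise UnsafePathError."""
    if not user_path or "\x00" in user_path:
        raise UnsafePathError("empty path or embedded NUL")

    # Windows treats '/' and '\' alike, so normalize before any prefix test.
    candidate = user_path.strip().replace("/", "\\")

    # Two leading separators mean UNC (\\host\share) or a device namespace
    # (\\?\UNC\host\share, \\.\...). Opening any of these can make the service
    # authenticate to a remote host with its machine account.
    if candidate.startswith("\\\\"):
        raise UnsafePathError("UNC or device path rejected")

    # Require a fully qualified drive path; relative and drive-relative
    # paths (C:foo) depend on process state and are rejected.
    drive, rest = ntpath.splitdrive(candidate)
    if len(drive) != 2 or drive[1] != ":" or not rest.startswith("\\"):
        raise UnsafePathError("not a fully qualified local path")

    # Collapse '..' segments, then confirm the result is still inside base.
    resolved = ntpath.normcase(ntpath.normpath(candidate))
    root = ntpath.normcase(ntpath.normpath(base)).rstrip("\\") + "\\"
    if not resolved.startswith(root):
        raise UnsafePathError("path escapes the allowed directory")
    return resolved
```

The base-directory check also stops mapped network drives such as Z:\, which pass the drive-letter test but still resolve to a remote share.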