CVE-2024-29847
published 2024-09-12


Priority P182, critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 52.91% (98.8th percentile)

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

Affected

6 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | < 2022 | 2022 |
| ivanti | endpoint_manager | | |
| ivanti | endpoint_manager | | |
| ivanti | endpoint_manager | | |
| ivanti | epm | >= 2022 SU6 < 2022 SU6 | 2022 SU6 |
| ivanti | epm | >= 2024 September Security Update < 2024 September Security Update | 2024 September Security Update |

Detection & IOCs (extracted from sources)

Process: AgentPortal.exe
  • Monitor AgentPortal.exe for inbound TCP connections on dynamically assigned ports with no security enforcement — this is the vulnerable .NET Remoting channel used in CVE-2024-29847 exploitation.
  • Detect deserialization of crafted Hashtable objects containing serialized DirectoryInfo or FileInfo objects sent to the Ivanti EPM agent portal endpoint, which can trigger arbitrary file read/write including web shell drops.
  • Alert on unexpected web shell files written to the Ivanti EPM core server, as the exploitation technique enables writing web shells via deserialized file operations.
  • A public PoC exploit for CVE-2024-29847 has been released; prioritize detection of exploitation attempts against Ivanti EPM agent portal (unauthenticated remote attackers).
  • The vulnerable TCP channel uses dynamically assigned ports, meaning static port-based firewall rules or detection signatures cannot rely on a fixed port number for the Ivanti EPM agent portal.
  • At time of initial patch disclosure, Ivanti stated no known public exploitation or indicators of compromise were available, but a public PoC was subsequently released, increasing exploitation risk.

CVSS provenance

nvd, v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd, v3.0: 10.0 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H