CVE-2024-29847
Published 2024-09-12
Priority: P182 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 52.91% (98.8th percentile)
Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | < 2022 | 2022 |
| ivanti | endpoint_manager | — | — |
| ivanti | endpoint_manager | — | — |
| ivanti | endpoint_manager | — | — |
| ivanti | epm | >= 2022 SU6 < 2022 SU6 | 2022 SU6 |
| ivanti | epm | >= 2024 September Security Update < 2024 September Security Update | 2024 September Security Update |
Detection & IOCs (extracted from sources)
- Monitor AgentPortal.exe for inbound TCP connections on dynamically assigned ports with no security enforcement; this is the vulnerable .NET Remoting channel used in CVE-2024-29847 exploitation.
- Detect deserialization of crafted Hashtable objects containing serialized DirectoryInfo or FileInfo objects sent to the Ivanti EPM agent portal endpoint, which can trigger arbitrary file read/write, including web shell drops.
- Alert on unexpected web shell files written to the Ivanti EPM core server, as the exploitation technique enables writing web shells via deserialized file operations.
- A public PoC exploit for CVE-2024-29847 has been released; prioritize detection of exploitation attempts against the Ivanti EPM agent portal by unauthenticated remote attackers.
- The vulnerable TCP channel uses dynamically assigned ports, so static port-based firewall rules and detection signatures cannot rely on a fixed port number for the Ivanti EPM agent portal.
- At the time of initial patch disclosure, Ivanti stated that no known public exploitation or indicators of compromise were available, but a public PoC was subsequently released, increasing exploitation risk.
CVSS provenance
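| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |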
GHSA
GHSA-qfx3-m2xp-3pcp: Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated atta
ghsa_unreviewed·2024-09-12
CVE-2024-29847 [CRITICAL] CWE-502 GHSA-qfx3-m2xp-3pcp: Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated atta
Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.
Ivanti
Ivanti Endpoint Manager Deserialization RCE
vendor_ivanti·CVSS 9.8
CVE-2024-29847 [CRITICAL] Ivanti Endpoint Manager Deserialization RCE
Ivanti Endpoint Manager Deserialization RCE
CVE IDs: CVE-2024-29847
Affected products: Endpoint Manager
No detection rules found.
No public exploits indexed.
Checkpoint
16th September – Threat Intelligence Report
blogs_checkpoint·2024-09-16
CVE-2024-43491 16th September – Threat Intelligence Report
## 16th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 16th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The Port of Seattle has confirmed that the Rhysida ransomware group was responsible for a cyberattack in August 2024, which affected its critical systems, including Seattle-Tacoma International Airport. The ransomware attack caused major service disruptions, including outages in check-in systems, baggage handling, and
Bleepingcomputer
Exploit code released for critical Ivanti RCE flaw, patch now
blogs_bleepingcomputer·2024-09-16·CVSS 9.8
CVE-2024-29847 [CRITICAL] Exploit code released for critical Ivanti RCE flaw, patch now
## Exploit code released for critical Ivanti RCE flaw, patch now
## Bill Toulas
A proof-of-concept (PoC) exploit for CVE-2024-29847, a critical remote code execution (RCE) vulnerability in Ivanti Endpoint Manager, is now publicly released, making it crucial to update devices.
The flaw is a deserialization of untrusted data issue impacting Ivanti Endpoint Manager before 2022 SU6 and EPM 2024, which was fixed as part of the September 2024 update on September 10, 2024.
The vulnerability was discovered by security researcher Sina Kheirkhah ( @SinSinology ), who reported it through the Zero Day Initiative (ZDI) on May 1, 2024.
The same researcher has now published the full details on how CVE-2024-29847 can be exploited, which will likely fuel attacks in the wild.
## The CVE-2024-29847 fla
Bleepingcomputer
Ivanti fixes maximum severity RCE bug in Endpoint Management software
blogs_bleepingcomputer·2024-09-10·CVSS 8.8
CVE-2024-29847 [HIGH] Ivanti fixes maximum severity RCE bug in Endpoint Management software
## Ivanti fixes maximum severity RCE bug in Endpoint Management software
## Sergiu Gatlan
Ivanti has fixed a maximum severity vulnerability in its Endpoint Management software (EPM) that can let unauthenticated attackers gain remote code execution on the core server.
Ivanti EPM helps admins manage client devices that run various platforms, including Windows, macOS, Chrome OS, and IoT operating systems.
The security flaw (CVE-2024-29847) is caused by a deserialization of untrusted data weakness in the agent portal that has been addressed in Ivanti EPM 2024 hot patches and Ivanti EPM 2022 Service Update 6 (SU6).
"Successful exploitation could lead to unauthorized access to the EPM core server," the company said in an advisory published today.
For the moment, Ivanti added that they're "
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
NoiseLetter January 2025
2024-09-12
Published