Ivanti Endpoint Manager Cloud Service Appliance Code Injection Vulnerability Leading to Remote Code Execution

A code injection vulnerability has been identified in Ivanti Endpoint Manager Cloud Service Appliance (CSA) versions 4.5 and 4.6. This vulnerability allows an unauthenticated user to execute arbitrary code with limited permissions, specifically as the 'nobody' user. The issue arises from a cookie-based command injection that can be exploited by manipulating cookie values in HTTP requests.

Impact

Exploitation of this vulnerability allows for unauthorized remote code execution on the affected system, with the executed code running under the 'nobody' user account, which has limited permissions.

Reproduction

The vulnerability can be reproduced by sending a crafted HTTP GET request to 'client/index.php' with a manipulated 'e' cookie that includes a Base64-encoded command. The command is executed on the server, and the response can be parsed to confirm successful exploitation.