Ivanti Endpoint Manager Absolute Path Traversal Vulnerability Allowing Information Disclosure

A path traversal vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions prior to the January 2025 Security Update for both the 2024 release and the 2022 SU6 release. This vulnerability allows remote, unauthenticated attackers to access and leak sensitive information by exploiting the application's failure to properly validate file paths. The issue arises in the WSVulnerabilityCore.dll component, where certain web API endpoints can be manipulated to read files from the server's file system.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive information, potentially including machine account credentials, which could be used in relay attacks to compromise the EPM server or its clients.

Reproduction

The vulnerability can be reproduced by sending a request to the 'GetHashForWildcardRecursive' endpoint with a crafted 'wildcard' parameter that includes a remote UNC path. This will cause the EPM server to read files from the specified location and calculate their hashes, effectively leaking the file contents. Similar exploitation can be done through the 'GetHashForWildcard' and 'GetHashForSingleFile' endpoints, taking advantage of the same path traversal flaw.

Remediation

Users should apply the January 2025 Security Update for Ivanti Endpoint Manager. Hot patches are available for both EPM 2024 and EPM 2022 SU6. Instructions for applying these patches can be found on the Ivanti Community.