CVE-2024-29847

critical

Description

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

References

https://thehackernews.com/2024/09/ivanti-warns-of-active-exploitation-of.html

https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US

https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022?language=en_US&_gl=1*6frqvp*_gcl_au*MTIzMDUyNTU2My4xNzE4ODgyNzE0

https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022

Details

Source: Mitre, NVD

Published: 2024-09-12

Updated: 2024-09-12

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:C

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9

Vector: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H