PatchDay Alert
Analysis · 2 min read · 431 words By operations-desk

Ivanti Endpoint Manager: the management server that can be coerced into handing over credentials

CVE-2024-13159, 13160, and 13161 are path-traversal/credential-coercion flaws in Ivanti Endpoint Manager that let an attacker make the EPM server authenticate to them and relay it. It's another Ivanti product, and another privileged management server worth defending as tier-zero.

Ivanti has appeared in this catalog across most of its product line: Connect Secure, EPMM, and the EPM Cloud Services Appliance. Endpoint Manager (EPM), the on-prem fleet-management product, is the latest. CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 (disclosed January 2025) are path-traversal/credential-coercion flaws, and CVE-2026-1603 continues the run. The shared mechanism: an unauthenticated attacker can coerce the EPM server into authenticating to a destination they control, then relay or capture those credentials, including the EPM machine account, which can lead to compromise of the server and the fleet it manages.

What they are

The CVE-2024-13159/13160/13161 set are coercion-via-traversal bugs: by manipulating a path or triggering the server to fetch a resource, an attacker forces the EPM server to authenticate outbound, then relays that NTLM authentication (the same relay technique behind PetitPotam) or captures the credential. EPM is a privileged management server with broad reach over the endpoints it administers, so credential capture there is a foothold across the managed estate. CISA lists them with the ransomware flag; Ivanti patched them.

The pattern

This is the recurring management-server-and-coercion story: Ivanti’s management products keep yielding bugs, and coercion-plus-relay is a powerful technique because it doesn’t need a memory exploit, just the ability to make a privileged server authenticate where the attacker wants. The defenses combine patching with the same NTLM-relay hardening that defends against PetitPotam and similar coercion techniques.

What to do

  • Patch Ivanti EPM to fixed versions for all of these, on an emergency cadence given Ivanti’s exploitation history.
  • Get the EPM server off the internet and onto a management network; coercion bugs are most dangerous when the server is broadly reachable.
  • Harden against NTLM relay. Enable SMB signing, Extended Protection for Authentication, and reduce NTLM use, so a coerced authentication can’t be relayed to useful targets.
  • Treat EPM as tier-zero. It manages your endpoint fleet; least-privilege its service accounts and monitor it closely.
  • Assume compromise on exposed, unpatched instances and rotate the EPM machine account and any credentials it could reach.
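To check the NTLM-relay hardening called for above on the EPM server and on the hosts a coerced EPM authentication could be relayed to, here is an added PowerShell audit script (not Ivanti's or this note's own tooling). It reports SMB signing, outbound NTLM restriction, NTLMv2 enforcement and, on domain controllers, LDAP signing and channel binding; the registry paths are the standard Windows settings, and the PASS thresholds are the script's own assumption.

```powershell
# Audit the NTLM-relay hardening state of a Windows host (added example; not
# Ivanti's or the page's own tooling). Run elevated on the EPM server, its
# domain controllers and any other server a coerced EPM authentication could be
# relayed to. Registry paths are the standard Windows settings; PASS thresholds
# are this script's own choice.
function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent value = the OS default applies
}
$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding($Check, $Value, $Status, $Fix) {
    $findings.Add([pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status; Fix = $Fix })
}
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# 1. SMB signing must be *required* server-side, or a relayed SMB session is accepted.
$smb = Get-SmbServerConfiguration
Add-Finding 'SMB server requires signing' $smb.RequireSecuritySignature `
    $(if ($smb.RequireSecuritySignature) { 'PASS' } else { 'FAIL' }) `
    'Set-SmbServerConfiguration -RequireSecuritySignature $true -Force'

# 2. Outgoing NTLM: 0 = allow all, 1 = audit, 2 = deny all. On the EPM server, deny
#    (or at least audit) so a coerced outbound authentication cannot carry NTLM out.
$send = Get-RegValue "$lsa\MSV1_0" 'RestrictSendingNTLMTraffic'
Add-Finding 'Outgoing NTLM restricted (MSV1_0\RestrictSendingNTLMTraffic)' $send `
    $(if ($send -eq 2) { 'PASS' } elseif ($send -eq 1) { 'AUDIT' } else { 'FAIL' }) `
    "Set-ItemProperty -Path '$lsa\MSV1_0' -Name RestrictSendingNTLMTraffic -Value 2"

# 3. LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1 responses.
$lm = Get-RegValue $lsa 'LmCompatibilityLevel'
Add-Finding 'NTLMv2 only (LmCompatibilityLevel)' $lm `
    $(if ($lm -ge 5) { 'PASS' } else { 'FAIL' }) `
    "Set-ItemProperty -Path '$lsa' -Name LmCompatibilityLevel -Value 5"

# 4. Domain controllers only: LDAP signing and channel binding (EPA for LDAP) close
#    the classic relay targets for a captured machine-account authentication.
if (Get-Service NTDS -ErrorAction SilentlyContinue) {
    $sign = Get-RegValue $ntds 'LDAPServerIntegrity'        # 2 = require signing
    $cbt  = Get-RegValue $ntds 'LdapEnforceChannelBinding'  # 2 = always enforce
    Add-Finding 'LDAP signing required (LDAPServerIntegrity)' $sign `
        $(if ($sign -eq 2) { 'PASS' } else { 'FAIL' }) `
        "Set-ItemProperty -Path '$ntds' -Name LDAPServerIntegrity -Value 2"
    Add-Finding 'LDAP channel binding enforced (LdapEnforceChannelBinding)' $cbt `
        $(if ($cbt -eq 2) { 'PASS' } else { 'FAIL' }) `
        "Set-ItemProperty -Path '$ntds' -Name LdapEnforceChannelBinding -Value 2"
}

$findings | Format-Table -AutoSize -Wrap
```

Each FAIL row carries the corresponding remediation command; apply them through Group Policy in production rather than host by host, and test LDAP channel binding enforcement against older clients before setting it to 2.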

The reframe is consistent across Ivanti’s catalog appearances and across management software generally: the box that administers your fleet is a high-value target, and coercion-and-relay turns “reachable” into “credential theft” without an exploit chain. Patch EPM, get it off the open network, harden NTLM relay, and watch it like the privileged server it is. We track the Ivanti and management-server entries together, because they keep landing on the systems with the most reach.
