CVE-2023-28324

CRITICAL

Ivanti Endpoint Manager < 2022 - Privilege Escalation or Remote Code Execution

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-28324. PoCs published by horizon3ai, James Horseman, Zach Hanley, Spencer McIntyre, including Metasploit module exploits/windows/misc/ivanti_agent_portal_cmdexec.


Description

An improper input validation vulnerability exists in Ivanti Endpoint Manager 2022 and below that could allow privilege escalation or remote code execution.

Exploits (2)

nomisec WORKING POC 20 stars
by horizon3ai · poc
https://github.com/horizon3ai/CVE-2023-28324

This repository contains a functional exploit for CVE-2023-28324, which abuses a vulnerability in Ivanti EPM's AgentPortal.exe to execute arbitrary commands via .NET Remoting. The PoC demonstrates remote code execution by leveraging the IAgentPortal interface to send crafted requests.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Endpoint Manager (EPM)
No auth needed
Prerequisites: Access to AgentPortal.exe and APCommon.dll from an Ivanti EPM installation · Network access to the target system on the specified port
devstral-2 · analyzed Feb 18, 2026

metasploit WORKING POC EXCELLENT
by James Horseman, Zach Hanley, Spencer McIntyre · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/ivanti_agent_portal_cmdexec.rb

This Metasploit module exploits an unauthenticated RCE vulnerability in Ivanti EPM Agent Portal by leveraging a .NET Remoting (MS-NRTP) interface to execute arbitrary commands as NT AUTHORITY\SYSTEM. The exploit constructs serialized .NET objects to invoke the 'Request' method, which spawns a command shell.

Classification: Working PoC (100%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti EPM Agent Portal (versions prior to EPM 2021.1 Su4 and EPM 2022 Su2)
No auth needed
Prerequisites: Network access to the target's Ivanti EPM Agent Portal service · Knowledge of the non-static target port
devstral-2 · analyzed Feb 19, 2026


Scores

CVSS v3: 9.8
EPSS: 0.1177
EPSS Percentile: 95.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-20
Status: published
Products (1): ivanti/endpoint_manager < 2022
Published: Jul 01, 2023
Tracked Since: Feb 18, 2026