CVE-2024-29847

CRITICAL

Ivanti EPM <2022 SU6-2024 September - Code Injection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-29847. PoCs published by sinsinology.

AI-analyzed exploit summary This repository provides a writeup and usage instructions for exploiting CVE-2024-29847, a deserialization vulnerability in Ivanti Endpoint Manager AgentPortal leading to RCE. It includes a link to a detailed root cause analysis and mitigation steps.

Description

Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

Exploits (2)

nomisec WRITEUP 18 stars

by sinsinology · poc

https://github.com/sinsinology/CVE-2024-29847

View Code ZIP pw:eip

This repository provides a writeup and usage instructions for exploiting CVE-2024-29847, a deserialization vulnerability in Ivanti Endpoint Manager AgentPortal leading to RCE. It includes a link to a detailed root cause analysis and mitigation steps.

Classification

Writeup 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Theoretical

Target: Ivanti Endpoint Manager AgentPortal

No auth needed

Prerequisites: Access to the vulnerable Ivanti Endpoint Manager AgentPortal instance

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

inthewild WORKING POC

poc

https://github.com/horizon3ai/cve-2024-29847

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-28324, which abuses a vulnerability in Ivanti EPM's AgentPortal.exe to execute arbitrary commands via a .NET Remoting TCP channel. The PoC demonstrates remote code execution by leveraging the IAgentPortal interface to send crafted requests.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Ivanti EPM (AgentPortal.exe)

No auth needed

Prerequisites: Access to AgentPortal.exe and APCommon.dll from Ivanti EPM installation · Network access to the target system's TCP port (default: 49668)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (1)

Core 1

Core References

Vendor Advisory

https://forums.ivanti.com/s/article/Security-Advisory-EPM-September-2024-for-EPM-2024-and-EPM-2022

Scores

CVSS v3 9.8

EPSS 0.4822

EPSS Percentile 98.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-502

Status published

Products (3)

ivanti/endpoint_manager 2022 (6 CPE variants)

ivanti/endpoint_manager 2024

ivanti/endpoint_manager < 2022

Published Sep 12, 2024

Tracked Since Feb 18, 2026