Back to overview

CVE-2024-29847

CRITICAL Exploitation: PoC
10.0
CVSS 3.0
Description
Deserialization of untrusted data in the agent portal of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution.

Metadata

CVE ID
CVE-2024-29847
State
PUBLISHED
Assigner
hackerone
Reserved
2024-03-21 01:04 UTC
Published
2024-09-12 01:09 UTC
Last updated
2024-09-17 03:55 UTC
Primary CWE
CWE-502
CWE-502 Deserialization of Untrusted Data
Vendor / Product
Ivanti / EPM
Sources
cve.org  ·  NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.0
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
Ivanti EPM 2024 September Security Update < 2024 September Security Update, 2022 SU6 < 2022 SU6
Weakness (CWE)
CWESourceDescription
CWE-502 adp CWE-502 Deserialization of Untrusted Data
CVSS scores (1)
ScoreSeverityVersionSourceVector
10.0 CRITICAL 3.0 cna CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
References (1)
Back to overview