CVE-2024-13165

CVE-2024-13165 is an out-of-bounds write vulnerability (CWE-787) affecting Ivanti Endpoint Manager (EPM) in versions prior to the January-2025 Security Update for EPM 2024 and the 2022 SU6 January-2025 Security Update. This flaw enables a remote unauthenticated attacker to trigger a denial of service condition. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for significant availability disruption without requiring privileges or user interaction.

A remote unauthenticated attacker can exploit this vulnerability over the network by sending specially crafted requests that cause an out-of-bounds write in the affected EPM components. Successful exploitation results in a denial of service, potentially crashing the service and disrupting endpoint management operations for affected environments.

Ivanti's security advisory recommends applying the January-2025 Security Update for EPM 2024 or the 2022 SU6 January-2025 Security Update to mitigate the vulnerability. Additional details are available in the official advisory at https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6.