CVE-2022-30121: Privilege Escalation (CAPEC-233) in Ivanti Endpoint Manager
The “LANDesk(R) Management Agent” service exposes a socket and, once a client has connected, allows commands to be launched, but only for signed executables. This is a security bug that allows a limited user to get escalated admin privileges on their system.
AI Analysis
Technical Summary
CVE-2022-30121 is a privilege escalation vulnerability identified in Ivanti Endpoint Manager version 11.0.1.951, specifically affecting the LANDesk Management Agent service. This service exposes a network socket that, when connected to, allows execution of commands restricted to signed executables. However, due to a security flaw, a limited user on the system can exploit this socket to escalate their privileges to administrative level. The vulnerability is categorized under CWE-269, which relates to improper privilege management. The attack vector is local (AV:L), requiring low attack complexity (AC:L) but high privileges (PR:H) to exploit, with no user interaction (UI:N) necessary. The scope remains unchanged (S:U), but the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although exploitation requires some level of existing privileges, the vulnerability allows an attacker with limited user rights to gain full administrative control, potentially leading to complete system compromise. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was published on September 23, 2022, and has a CVSS v3.1 score of 6.7, indicating a medium severity level.
Potential Impact
For European organizations using Ivanti Endpoint Manager 11.0.1.951, this vulnerability poses a significant risk. An attacker with limited user access, such as a compromised internal account or a malicious insider, could leverage this flaw to gain administrative privileges on endpoint systems. This escalation could lead to unauthorized access to sensitive data, installation of persistent malware, disruption of endpoint management functions, and lateral movement within corporate networks. Given the high impact on confidentiality, integrity, and availability, critical business operations could be compromised. The lack of required user interaction facilitates stealthy exploitation once initial access is obtained. This threat is particularly concerning for sectors with stringent regulatory requirements such as finance, healthcare, and government agencies across Europe, where endpoint security is paramount. Additionally, organizations relying heavily on Ivanti Endpoint Manager for centralized endpoint control may face increased risk of widespread compromise if this vulnerability is exploited.
Mitigation Recommendations
European organizations should immediately audit their use of Ivanti Endpoint Manager to identify systems running version 11.0.1.951. Until an official patch is released, mitigation should focus on minimizing the attack surface by restricting local user access rights and monitoring for unusual socket connections to the LANDesk Management Agent service. Implement strict access controls and segment networks to limit lateral movement from compromised endpoints. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous command executions, especially those involving signed executables launched via the exposed socket. Regularly review and tighten privilege assignments to ensure users have only necessary permissions. Additionally, organizations should engage with Ivanti support for updates or workarounds and prepare to deploy patches promptly once available. Conduct internal awareness training to recognize potential exploitation signs and maintain robust logging and alerting on endpoint management activities.
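The recommendation above to watch for anomalous command executions coming out of the agent service can be turned into a simple triage rule over process-creation telemetry: any child process spawned by the agent service whose binary lives outside the agent's own install directory is worth a look, and a valid code signature does not clear it, since the advisory's point is that signed binaries are exactly what the socket launches. The following is an added example, not Ivanti's code or part of the advisory; the service binary path, the install directory, the event field names and the sample events are all assumed placeholders.

```python
"""Triage of Sysmon-style process-creation events to surface child processes
launched by the LANDesk Management Agent service. Added example, not Ivanti's
code. ASSUMED placeholders (the advisory names none of these): the service
binary path, the event field names, and the sample events."""
from dataclasses import dataclass
from typing import List, Tuple
import ntpath

AGENT_IMAGE = r"C:\Program Files (x86)\LANDesk\LDClient\ldagent.exe"  # ASSUMED placeholder
AGENT_DIR = ntpath.dirname(AGENT_IMAGE).lower()
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    user: str      # account the child process runs as
    signed: bool   # signature status reported by the sensor

def classify(ev: ProcEvent) -> str:
    """'ok' for expected children; otherwise a severity for an agent-spawned
    child outside the agent directory. A valid signature does not clear it:
    the advisory's point is that signed binaries are what the socket launches."""
    if ev.parent_image.lower() != AGENT_IMAGE.lower():
        return "ok"
    img = ev.image.lower()
    if img.startswith(AGENT_DIR + "\\"):
        return "ok"
    if img.startswith(USER_WRITABLE) or not ev.signed:
        return "high"    # user-controlled binary running under the service account
    return "medium"      # OS binary (e.g. cmd.exe) spawned by the agent: review

def triage(events: List[ProcEvent]) -> List[Tuple[str, str]]:
    """Return (image, severity) for every event that is not 'ok'."""
    return [(ev.image, classify(ev)) for ev in events if classify(ev) != "ok"]

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    ProcEvent(AGENT_IMAGE, r"C:\Program Files (x86)\LANDesk\LDClient\inventory.exe", r"NT AUTHORITY\SYSTEM", True),
    ProcEvent(AGENT_IMAGE, r"C:\Users\alice\AppData\Local\Temp\tool.exe", r"NT AUTHORITY\SYSTEM", True),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\AppData\Local\Temp\tool.exe", r"CORP\alice", True),
    ProcEvent(AGENT_IMAGE, r"C:\Windows\System32\cmd.exe", r"NT AUTHORITY\SYSTEM", True),
]

if __name__ == "__main__":
    for image, severity in triage(SAMPLE_EVENTS):
        print(f"{severity.upper():6} agent-spawned child: {image}")
```

The same event shape can be fed from a Sysmon Event ID 1 export or an EDR query once the real service image path is filled in.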
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2022-05-02T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682f99000acd01a24927004a
Added to database: 5/22/2025, 9:37:04 PM
Last enriched: 7/8/2025, 5:11:25 AM
Last updated: 8/18/2025, 3:28:10 AM