CVE-2021-44529

CVE-2021-44529 is a critical-severity vulnerability in Ivanti Endpoint Manager Cloud Services Appliance with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2024-03-25). The underlying weakness is classified as CWE-94.

Key facts

Description

A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).

CVE-2021-44529: Ivanti EPM Cloud Services Appliance Code Injection

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE ID CVE-2021-44529
CWE CWE-94 (Code Injection)
CVSS v3.1 9.8 (Critical)
CVSS v2 7.5 (High)
EPSS 0.99105 (99.1%)
KEV Listed Yes (since 2024-03-25)
Published 2021-12-08
Last Modified 2026-06-17

Summary

CVE-2021-44529 is a code injection vulnerability affecting the Ivanti Endpoint Manager (EPM) Cloud Services Appliance (CSA). An unauthenticated attacker can exploit this flaw to execute arbitrary code on the appliance with limited privileges (as the nobody user).

Background

The Ivanti EPM Cloud Services Appliance is a gateway component designed to bridge on-premises Endpoint Manager instances with cloud-managed endpoints. It handles external requests and proxies management traffic. Because it sits at the perimeter and processes untrusted input, flaws in its input validation can have immediate network-exploitable consequences.

Root Cause

The vulnerability is classified under CWE-94: Improper Control of Generation of Code ('Code Injection'). The CSA fails to adequately sanitize user-supplied input before incorporating it into code or command execution paths. This allows an external, unauthenticated attacker to inject and execute arbitrary instructions on the host appliance.

Impact

The NVD assigns this vulnerability a CVSS 3.1 score of 9.8 (Critical). The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects:

  • Network attack vector — exploitable remotely without local access.
  • Low attack complexity — no special conditions or advanced techniques needed.
  • No privileges required — fully unauthenticated.
  • No user interaction — can be exploited without tricking a legitimate user.
  • High impact across confidentiality, integrity, and availability.

While the executed code runs under the nobody account, the appliance typically hosts sensitive management traffic and credential material, making privilege escalation a realistic secondary concern.

Exploitation Walkthrough

From a defensive perspective, exploitation is understood to proceed as follows:

  1. The attacker sends a crafted HTTP request to the CSA containing malicious input within a parameter or header field processed by the appliance.
  2. The unsanitized input reaches a backend function that evaluates or executes the data as code.
  3. The attacker gains remote execution as the nobody user.

Ethics caveat: This description is based on public vulnerability metadata and advisory summaries. No step-by-step exploit code is provided here. Defenders should prioritize patching and detection over reproducing the attack.

Affected and Patched Versions

  • Affected product: Ivanti Endpoint Manager Cloud Services Appliance (CSA)
  • Affected version: 4.6 and prior versions (based on CPE data)
  • Patched version: See Ivanti security advisory SA-2021-12-02

Remediation

  1. Upgrade immediately: Apply the patch referenced in Ivanti Security Advisory SA-2021-12-02. Because this CVE is on the CISA Known Exploited Vulnerabilities (KEV) catalog, patching should be treated as an emergency change.
  2. Compensating controls: If immediate patching is not feasible, restrict inbound access to the CSA to trusted administrative IP ranges via firewall rules or VPN gating. Disable or decommission unused CSA instances.
  3. Network segmentation: Place the CSA in a tightly controlled DMZ with strict egress filtering to limit lateral movement in the event of compromise.

Detection

  • Monitor appliance logs for anomalous HTTP requests containing unexpected characters, encoded payloads, or oversized fields in parameters processed by the CSA.
  • Alert on process execution from the CSA web service context (e.g., nobody spawning unexpected shells or interpreters).
  • Correlate CSA access logs with threat intelligence feeds referencing known exploitation patterns for this CVE.
  • Given the EPSS of 0.99105 (99.1% probability of exploitation), prioritize scanning for this vulnerability in external attack-surface assessments.

Assessment

This vulnerability is actively exploited in the wild, as confirmed by its inclusion in the CISA KEV catalog (added 2024-03-25) and its exceptionally high EPSS score of 0.99105 (99.28th percentile). The combination of unauthenticated remote access, low attack complexity, and critical impact makes it a textbook high-priority remediation target.

Key lessons:

  • Perimeter appliances that bridge internal management infrastructure to the internet must be subject to rigorous input validation and secure coding practices.
  • The lag between original disclosure (December 2021) and KEV listing (March 2024) illustrates that even older vulnerabilities can become actively exploited over time; continuous vulnerability scanning and patch hygiene are essential.

References

Frequently asked questions

What is CVE-2021-44529?
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
How severe is CVE-2021-44529?
CVE-2021-44529 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-44529 being actively exploited?
Yes. CVE-2021-44529 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2024-03-25, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-44529?
CVE-2021-44529 primarily affects Ivanti Endpoint Manager Cloud Services Appliance. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-44529?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-44529 have an EU (EUVD) identifier?
Yes. CVE-2021-44529 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-31360. It is also flagged as exploited in the EUVD (since 2024-03-25).
When was CVE-2021-44529 published?
CVE-2021-44529 was published on 2021-12-08 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Ivanti Endpoint Manager Cloud Services Appliance

All CVEs affecting Ivanti Endpoint Manager Cloud Services Appliance →

Other CWE-94 (Code Injection) vulnerabilities

Browse all CWE-94 (Code Injection) vulnerabilities →