// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of September 9, 2024
Signal Brief · Archived

Week of September 9, 2024

2024-09-09 — 2024-09-15 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of September 9, 2024, ColdRecon logged 6 public endpoint-security events from open-source reporting — 4 vuln disclosures, 1 research poc, 1 incident. Vendors in the record this week: Ivanti, targeted EDR vendor (unnamed), Fortinet.

The Week's Public Record

Events

2024-09-13
vuln disclosure
Ivanti Endpoint Manager AgentPortal Deserialization RCE VulnerabilityCVE-2024-29847
A deserialization vulnerability in Ivanti Endpoint Manager's AgentPortal service allows unauthenticated remote code execution. The flaw resides in the .NET remoting service handling the IAgentPortal interface, specifically the RunProgram action. Ivanti patched the issue by restricting executable paths and enforcing firewall checks.
2024-09-13
research poc
Retrosigned Driver Technique Bypasses EDR via System Time ManipulationRetrosigned Driver EDR Bypass
Stroz Friedberg observed ransomware actors using a technique called 'Retrosigned Driver EDR Bypass' to load malicious kernel drivers signed with expired certificates by manipulating system time. This allows attackers to terminate EDR processes and limit telemetry visibility. The technique was seen in Medusa and Abysslocker ransomware incidents.
targeted EDR vendor (unnamed) ↗ www.levelblue.com (2024-09-13)
2024-09-12
incident
Fortinet Confirms Data Breach Affecting Customer InformationFortinet Azure SharePoint Data Breach 2025
Fortinet disclosed a data breach where an attacker accessed a limited number of files on a third-party cloud-based shared file drive, impacting less than 0.3% of customers. The hacker, 'Fortibitch', leaked 440 GB of data after a ransom demand was refused. Fortinet states operations, products, and services were unaffected, and no malicious customer activity has been observed.
2024-09-12
vuln disclosure
CVE-2024-20430: Cisco Meraki Systems Manager Agent for Windows Privilege EscalationCVE-2024-20430
CVE-2024-20430 is a local privilege escalation vulnerability in Cisco Meraki Systems Manager Agent for Windows. It allows a low-privileged authenticated attacker to execute arbitrary code with SYSTEM privileges via DLL hijacking. The vulnerability stems from uncontrolled search path elements during agent startup.
2024-09-11
vuln disclosure
CVE-2024-8690: Cortex XDR Agent on Windows Can Be Disabled by Local AdministratorCVE-2024-8690
A vulnerability in the Palo Alto Networks Cortex XDR agent on Windows allows a user with local administrator privileges to disable the agent. This could enable malware to deactivate the security agent and then perform malicious actions undetected. The issue is fixed in agent version 8.2 and later.
2024-09-10
vuln disclosure
CVE-2024-8441: Ivanti Endpoint Manager Agent Uncontrolled Search Path Privilege EscalationCVE-2024-8441
A vulnerability in the Ivanti Endpoint Manager (EPM) agent allows a local authenticated attacker with administrator privileges to escalate to SYSTEM via an uncontrolled search path. The flaw affects EPM agent versions prior to 2022 SU6 and the 2024 September update. Successful exploitation can lead to full compromise of the endpoint.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →