
Shodan Says 1,479 Ivanti EPM Boxes Are Exposed. Three-Quarters Are Cloud-VPS Noise. The Number That Matters Is 6,637 — and It's Wearing a Different Name. Count Blast Radius, Not Boxes.

Writer: Patrick Duggan

Just after midnight our exploit harvester logged a fresh proof-of-concept reference for CVE-2024-29824, an unauthenticated SQL injection in Ivanti Endpoint Manager that gives an attacker remote code execution on the EPM core server. It is a 2024 bug, it is in CISA's Known Exploited Vulnerabilities catalog, and it is actively exploited. The reasonable next question — the one a defender should always ask before spending a single hour on a vulnerability — is how exposed the thing actually is. So we went to Shodan. The answer is a small lesson in why raw exposure counts lie, and why the number that scares you is usually not the number that should.



The First Number Is A Trap


Search Shodan for the obvious string and you get ninety-two hosts titled "Endpoint Manager." Search for LANDesk — the legacy brand Ivanti EPM was built from, and the name its agents and consoles still emit in headers and certificates — and you get fourteen hundred and seventy-nine. That second number feels more honest, and it is closer, but it is still a trap, and the trap is visible the moment you stop counting and start asking who is hosting these boxes.


Facet that LANDesk result by organization and the picture falls apart. Four hundred seventy-two of the hosts are on Linode. Another six hundred or so are on Alibaba and Aliyun cloud. That is roughly three-quarters of the entire result sitting on commodity cloud VPS providers — and enterprise endpoint-management servers do not live on Linode droplets. Real Ivanti EPM runs inside corporate networks, on corporate ASNs, on its known ports. Facet by port and the same story repeats: only thirteen of the fourteen hundred are on 9595, the actual LANDesk agent port; the rest are scattered across whatever port a random web service happened to answer on. A string match for "LANDesk" on a Linode VPS on a random port is not a production endpoint manager. It is a scanner, a honeypot, a researcher's reconstruction, or a coincidence. Strip the cloud-VPS noise and the real enterprise EPM-core exposure is a fraction of fourteen hundred — which fits the architecture, because the EPM core is an internal management server that is not supposed to face the internet at all.


This is the first half of the method, and it is dead simple: when you measure an attack surface with a search engine, facet the result by organization and ASN before you believe the total. If three-quarters of your "exposed" population is on two cloud VPS providers, you are not looking at the enterprise footprint. You are looking at the internet's background radiation.
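The faceting pass described above, written out as an added example (not code from the original post). It works over a handful of constructed records that copy the field names of Shodan's `matches` objects (`org`, `asn`, `port`, `ip_str`), counts hits per organization, ASN and port, strips the cloud-VPS hosting noise, and reports what remains on the real agent port; the noise-provider list and the sample values are assumptions built to mirror the LANDesk result in the post.

```python
from collections import Counter

# Constructed sample in the shape of Shodan "matches" records. Proportions
# mimic the post's LANDesk result: most hits on commodity cloud VPS, a few on
# corporate ASNs, and only a couple answering on 9595 (the LANDesk agent port).
SAMPLE = [
    {"ip_str": "203.0.113.10", "org": "Linode, LLC", "asn": "AS63949", "port": 8080},
    {"ip_str": "203.0.113.11", "org": "Linode, LLC", "asn": "AS63949", "port": 443},
    {"ip_str": "203.0.113.12", "org": "Alibaba (US) Technology Co., Ltd.", "asn": "AS45102", "port": 80},
    {"ip_str": "203.0.113.13", "org": "Aliyun Computing Co., LTD", "asn": "AS37963", "port": 8443},
    {"ip_str": "203.0.113.14", "org": "Example Manufacturing GmbH", "asn": "AS64500", "port": 9595},
    {"ip_str": "203.0.113.15", "org": "Example Hospital Trust", "asn": "AS64501", "port": 9595},
    {"ip_str": "203.0.113.16", "org": "Example Hospital Trust", "asn": "AS64501", "port": 443},
]

# Assumed noise list: the VPS providers the post says carry three-quarters of the hits.
CLOUD_VPS_ORGS = ("linode", "alibaba", "aliyun")


def facet(matches, field):
    """Count hits per distinct value of one field, like Shodan's facet panel."""
    return Counter(m.get(field, "unknown") for m in matches)


def is_cloud_vps(match):
    """True when the owning organization is a commodity VPS provider (assumed list)."""
    org = (match.get("org") or "").lower()
    return any(tag in org for tag in CLOUD_VPS_ORGS)


def triage(matches, agent_port=9595):
    """Separate background radiation from the population worth an analyst's hour.

    Returns the raw total, how much of it is cloud-VPS noise, the residual
    count, how many distinct organizations the residual spans, and how many
    residual hosts answer on the product's real agent port.
    """
    total = len(matches)
    residual = [m for m in matches if not is_cloud_vps(m)]
    noise = total - len(residual)
    on_port = [m for m in residual if m.get("port") == agent_port]
    return {
        "total": total,
        "cloud_vps": noise,
        "cloud_vps_share": round(noise / total, 2) if total else 0.0,
        "residual": len(residual),
        "residual_orgs": len({m.get("org") for m in residual}),
        "on_agent_port": len(on_port),
    }


if __name__ == "__main__":
    for field in ("org", "asn", "port"):
        print(field, dict(facet(SAMPLE, field)))
    print(triage(SAMPLE))
```

Against a real query, the same functions run unchanged over the `matches` list returned by the Shodan API; what changes is the noise list, which should be built from the org facet of your own result rather than assumed.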



The Number That Matters Wears A Different Name


Here is the part that should change where you spend. The EPM core is internal by design, but it does not sit alone — it sits behind a component built specifically to face the internet: the Ivanti Cloud Services Appliance, the CSA. Search Shodan for the CSA and you get six thousand six hundred and thirty-seven hosts, spread across France, Singapore, the United Kingdom, Hungary, and Hong Kong. That is four to five times the inflated LANDesk number and an order of magnitude more than the real EPM-core exposure, and unlike the core, every one of these is genuinely reachable from the open internet, because that is the CSA's job.


And the CSA is not a hypothetical risk. It has its own history of being actively exploited, and worse, of being exploited in chains. Through late 2024 it took a run of zero-days: an OS command injection, a path-traversal flaw rated 9.4 that an unauthenticated attacker could use to reach restricted functionality, and a SQL injection in its admin console. CISA's advisory on the campaign documents threat actors chaining these together — a path traversal to reach the console, a command injection or SQL injection to execute code, then credentials and webshells planted on the network behind it. The CSA is not just the most-exposed piece of the Ivanti EPM ecosystem. It is the documented, proven path into the internal core where CVE-2024-29824 lives. The gateway is how you reach the SQL injection on the server that is supposedly safe because it is internal.



Count Blast Radius, Not Boxes


Put the two halves together and the triage inverts. If you ranked this by raw exposure you would chase the fourteen hundred LANDesk hits, most of which are cloud-VPS ghosts, and you would underweight the EPM core because "only" a handful are exposed. Both readings are wrong, because exposure count is the wrong axis. The right axis is blast radius — what is behind the door, not how many doors there are. The EPM core has almost no internet exposure and an enormous blast radius, because that one server is the deployment plane that pushes software to every managed endpoint in the organization; a single compromise is a built-in ransomware distribution channel to the entire fleet. The CSA has large exposure and a proven role as the chained entry point to that core. The thing with ninety-two or fourteen hundred hits is noise. The thing with six thousand hits is the front door, and the thing with almost no hits is the crown jewel behind it.


This is the same lesson we wrote earlier this week about the convergence of unrelated threat actors on the pre-authentication enterprise edge: the high-value target is never the most-exposed thing, it is the management plane behind the exposed gateway. Cisco SD-WAN Manager, Oracle PeopleSoft, Ivanti EPM — none of them are mass-exposure surfaces, and all of them are total-estate compromises per hit. Attackers are not scanning for the biggest count. They are scanning for the highest leverage, and they reach it through whatever internet-facing appliance fronts it.


So if you run Ivanti EPM, the action is not "patch because everyone is exposed," because the Shodan numbers will tell you most people are not. The action is: get the CSA gateway patched and locked down because it is the proven chained entry point, get the EPM core off any internet path entirely because one hit on it is your whole fleet, and stop letting raw exposure counts set your priorities. Count what is behind the door. The crews already do.





