Broadcom Altiris IRM Vulnerable to Remote Code Execution – Patch Now!

A severe remote code execution (RCE) vulnerability was discovered in the Broadcom Symantec Endpoint Management Suite (Altiris), specifically in the Inventory Rule Management (IRM) component. The flaw stems from an exposed legacy .NET Remoting service that allows unauthenticated attackers to execute arbitrary code by sending crafted objects for unsafe deserialization.

Severity Level: Critical

Vulnerability Details

  • CVE ID: CVE-2025-5333
  • CVSS Score: 9.5
  • Description:
    • The vulnerability exists due to an exposed and insecure .NET Remoting service hosted at "tcp://:4011/IRM/HostedService".
    • This service allows unauthenticated access and insecure deserialization of user-supplied .NET objects. The use of RemotingConfiguration.RegisterWellKnownServiceType, combined with BinaryServerFormatterSinkProvider (TypeFilterLevel.Full), creates an unsafe condition where any arbitrary .NET object can be deserialized and executed by the remote service.
  • Affects: Broadcom Symantec Endpoint Management Suite (Altiris) versions 8.6.x, 8.7.x, 8.8

Root Cause

  • Insecure Deserialization: The root issue is the use of the .NET BinaryFormatter with TypeFilterLevel.Full, which permits deserialization of any .NET type and is known to be dangerous because it lets an attacker reach arbitrary methods during deserialization.
  • Legacy .NET Remoting: The system relies on outdated .NET Remoting mechanisms which are inherently unsafe for exposure over a network.
  • Global Port Exposure: Port 4011 was bound to 0.0.0.0, allowing access from any network interface.

Exploitation Of The Vulnerability

  1. The vulnerability can be exploited using Forshaw's ExploitRemotingService tool by sending a crafted serialized object to the TCP port:
     ExploitRemotingService.exe --uselease tcp://:4011/IRM/HostedService ls C:\
  2. This returns a directory listing of C:\ from the target system, confirming successful remote code execution.
  3. No authentication is required to exploit the flaw, and it operates without user interaction or elevated privileges.

Mitigation

NOTE: It is confirmed that if the firewall is enabled on the ITMS Notification Server and port 4011 is not opened, this vulnerability is not exploitable.

  1. Ensure that TCP port 4011 is not open on the ITMS Notification Server. This can be enforced via firewall rules.
  2. Optional IRM Configuration (if the previous step is implemented):
    • Open Notification Server (Altiris) Console
    • Navigate: Settings → Notification Server → Core Settings
    • Add new setting:
      • Name: IRM_HostedServiceUrl
      • Value: (leave empty)
    • Restart: Altiris Inventory Rule Management Service

This disables the exposed service without breaking IRM functionality until a patch is available.
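The following PowerShell is an added example for verifying and enforcing the first mitigation step on an ITMS Notification Server; it is not part of the advisory or Broadcom's own guidance. It assumes a local, elevated PowerShell session on Windows Server with the built-in NetSecurity module (Windows Defender Firewall). The rule name is a constructed label; the port and service come from the advisory.

```powershell
# Added example (not from the advisory or Broadcom): check for the IRM
# .NET Remoting listener on TCP 4011, confirm the host firewall is on, and
# add an explicit inbound block so the port is not reachable from the network.
# Assumptions: elevated session, NetSecurity module available, rule name is ours.

$IrmPort  = 4011
$RuleName = 'Block-Altiris-IRM-4011-Inbound'   # constructed name, pick your own

# 1. Is anything listening on 4011, and on which address? A listener bound to
#    0.0.0.0 (all interfaces) is the exposure the advisory describes.
function Get-IrmListener {
    Get-NetTCPConnection -LocalPort $IrmPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
            }
        }
}

# 2. The advisory's "not exploitable" note only holds when the firewall is
#    actually enabled, so check every profile before relying on a rule.
function Test-FirewallEnabled {
    $off = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    if ($off) {
        Write-Warning ("Firewall disabled for profile(s): " + ($off.Name -join ', '))
        return $false
    }
    return $true
}

# 3. Add an explicit inbound block for TCP 4011 unless it already exists.
#    An explicit Block rule takes precedence over any Allow rule another
#    product may have added for the same port.
function Add-IrmBlockRule {
    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Rule '$RuleName' already exists."
        return $existing
    }
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $IrmPort `
        -Action Block -Profile Any -Enabled True `
        -Description 'Blocks network reach to the Altiris IRM .NET Remoting service (CVE-2025-5333 mitigation)'
}

# 4. Report the end state: listener (if any) and the port filter of our rule.
function Show-IrmMitigationStatus {
    $listener = Get-IrmListener
    if ($listener) { $listener | Format-Table -AutoSize }
    else { Write-Host "No listener on TCP $IrmPort." }
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Select-Object Protocol, LocalPort
}

if (Test-FirewallEnabled) { Add-IrmBlockRule | Out-Null }
Show-IrmMitigationStatus
```

To confirm the block from the network side, run `Test-NetConnection -ComputerName <notification-server> -Port 4011` from another host and expect `TcpTestSucceeded : False`. If the optional core setting (IRM_HostedServiceUrl left empty) has also been applied and the service restarted, Get-IrmListener should return nothing at all, which is the stronger end state.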

Recommendations

  1. Ensure Broadcom Symantec Endpoint Management Suite (Altiris) is updated with the latest security patches.
  2. Consider removing unnecessary Altiris components if not actively used.

Source:

  • https://gbhackers.com/critical-rce-vulnerability/
  • https://www.lrqa.com/en/cyber-labs/remote-code-execution-in-broadcom-altiris-irm/


Ampcus Cyber