ByteOS Network

Vulnerability Details :

CVE-2024-13159

Assigner-ivanti

Assigner Org ID-3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Published At-14 Jan, 2025 | 17:12

Updated At-30 Jul, 2025 | 01:36

Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability

Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

▼Known Exploited Vulnerabilities (KEV)

cisa.gov

Vendor:

Ivanti Software

Product:Endpoint Manager (EPM)

Added At:10 Mar, 2025

Due At:31 Mar, 2025

Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability

Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.

Used in Ransomware

Unknown

CWE

CWE-36

Required Action:

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Additional Notes:

https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2024-13159

▼Common Vulnerabilities and Exposures (CVE)

cve.org

Assigner:ivanti

Assigner Org ID:3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Published At:14 Jan, 2025 | 17:12

Updated At:30 Jul, 2025 | 01:36

▼CVE Numbering Authority (CNA)

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Affected Products

Vendor

Ivanti Software

Product

Endpoint Manager

Default Status

affected

Versions

Unaffected

2024 January-2025 Security Update (custom)
2022 SU6 January-2025 Security Update (custom)

Problem Types

Type	CWE ID	Description
CWE	CWE-36	CWE-36 Absolute Path Traversal

Type: CWE

CWE ID: CWE-36

Description: CWE-36 Absolute Path Traversal

Metrics

Version	Base score	Base severity	Vector
3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impacts

CAPEC ID	Description
CAPEC-597	CAPEC-597 Absolute Path Traversal

CAPEC ID: CAPEC-597

Description: CAPEC-597 Absolute Path Traversal

References

Hyperlink	Resource
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6	N/A

Hyperlink: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6

Resource: N/A

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Metrics Other Info

kev

dateAdded:

2025-03-10

reference:

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13159

Timeline

Event	Date
CVE-2024-13159 added to CISA KEV	2025-03-10 00:00:00

Event: CVE-2024-13159 added to CISA KEV

Date: 2025-03-10 00:00:00

References

Hyperlink	Resource
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/	exploit

Hyperlink: https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/

Resource:

exploit

▼National Vulnerability Database (NVD)

nvd.nist.gov

Source:3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Published At:14 Jan, 2025 | 18:15

Updated At:13 Mar, 2025 | 15:28

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

CISA Catalog

Date Added	Due Date	Vulnerability Name	Required Action
2025-03-10	2025-03-31	Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability	Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Date Added: 2025-03-10

Due Date: 2025-03-31

Vulnerability Name: Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Type: Secondary

Version: 3.1

Base score: 9.8

Base severity: CRITICAL

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Primary

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CPE Matches

Ivanti Software

>>endpoint_manager>>Versions before 2022(exclusive)

cpe:2.3:a:ivanti:endpoint_manager:*:-:*:*:*:*:*:*

Ivanti Software

>>endpoint_manager>>2022

cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*

Ivanti Software

>>endpoint_manager>>2022

cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*

Ivanti Software

>>endpoint_manager>>2022

cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*

Ivanti Software

>>endpoint_manager>>2022

cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*

Ivanti Software

>>endpoint_manager>>2022

cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*

Ivanti Software

>>endpoint_manager>>2022

cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*

Ivanti Software

>>endpoint_manager>>2022

cpe:2.3:a:ivanti:endpoint_manager:2022:su6:*:*:*:*:*:*

Ivanti Software

>>endpoint_manager>>2024

cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-36	Secondary	3c1d8aa1-5a33-4ea4-8992-aadd6440af75

CWE ID: CWE-36

Type: Secondary

Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

References

Hyperlink	Source	Resource
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6	3c1d8aa1-5a33-4ea4-8992-aadd6440af75	Vendor Advisory
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/	134c704f-9b21-4f2e-91b3-4a467353bcc0	Exploit Third Party Advisory

Hyperlink: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6

Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Resource:

Vendor Advisory

Hyperlink: https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Resource:

Exploit

Third Party Advisory

CVE-2024-13159

Credits

Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability

Vendors

Products

Metrics (CVSS)

Weaknesses

Attack Patterns

Solution/Workaround

References

EPSS History

Score

Latest Score

N/A

Percentile

Latest Percentile

N/A

Stakeholder-Specific Vulnerability Categorization (SSVC)

Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability

Used in Ransomware

Unknown

CWE

Required Action:

Additional Notes:

Affected Products

Unaffected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History

Similar CVEs