CVE-2024-13159

CriticalCISA KEVActive ExploitationPublic PoC

Published: 14 January 2025

Published

14 January 2025

Modified

24 October 2025

KEV Added

10 March 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.9417 99.9th percentile

Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13159 is an absolute path traversal vulnerability (CWE-36) in Ivanti Endpoint Manager (EPM) versions before the 2024 January-2025 Security Update and the 2022 SU6 January-2025 Security Update. Published on January 14, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.

A remote unauthenticated attacker can exploit this vulnerability to leak sensitive information from the affected EPM instances.

Ivanti's January 2025 security advisory provides patches via the specified security updates for EPM 2024 and EPM 2022 SU6 to remediate the issue. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.

Horizon3.ai has published attack research on multiple credential coercion vulnerabilities in Ivanti Endpoint Manager, with relevance to this CVE.

Details

CWE(s): CWE-36
KEV Date Added: 10 March 2025

Affected Products

ivanti

endpoint manager

2022, 2024 · ≤ 2022

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1083 File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

attack.mitre.org →

T1187 Forced Authentication Credential Access

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Absolute path traversal enables remote reading of local files for data collection (T1005) and file/directory discovery (T1083). UNC path coercion facilitates forced authentication (T1187). Unauthenticated remote vulnerability in public-facing application (T1190).

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Vendor Advisory · 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13159
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0