CVE-2024-13168

High

Published: 14 January 2025

Published

14 January 2025

Modified

11 July 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0153 81.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.

Security Summary

CVE-2024-13168 is an out-of-bounds write vulnerability (CWE-787) in Ivanti Endpoint Manager (EPM). It affects Ivanti EPM versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update. The flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its potential for significant availability impact.

A remote unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to trigger a denial-of-service condition by causing an out-of-bounds write, potentially crashing the affected EPM instance and disrupting endpoint management services.

Ivanti's security advisory recommends applying the January-2025 Security Updates for EPM 2024 and EPM 2022 SU6 to mitigate the vulnerability. Administrators should review the advisory at https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 for patch deployment details and verification steps.

Details

CWE(s): CWE-787

Affected Products

ivanti

endpoint manager

2022, 2024 · ≤ 2022

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Vendor Advisory · 3c1d8aa1-5a33-4ea4-8992-aadd6440af75