CVE-2024-10811

CriticalPublic PoC

Published: 14 January 2025

Published

14 January 2025

Modified

17 June 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0465 89.4th percentile

Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-10811 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187); ranked in the top 10.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Forced Authentication (T1187) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely application of Ivanti's January-2025 security updates to remediate the path traversal flaw.

SI-10 Information Input Validation good match

prevent

Prevents absolute path traversal exploitation by validating and sanitizing user-supplied path inputs to restrict access to authorized directories.

AC-3 Access Enforcement partial match

prevent

Enforces logical access restrictions on sensitive files and resources, limiting the impact of any successful path traversal attempts.

MITRE ATT&CK Enterprise TechniquesAI

T1187 Forced Authentication Credential Access

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

attack.mitre.org →

T1557.001 Name Resolution Poisoning and SMB Relay Credential Access

By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.

attack.mitre.org →

Why these techniques?

Absolute path traversal vulnerability allows unauthenticated remote attackers to supply UNC paths, coercing the Ivanti EPM server machine account to authenticate via SMB to attacker-controlled shares, enabling NTLM credential capture and relay attacks.

NVD Description

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Deeper analysisAI

CVE-2024-10811 is an absolute path traversal vulnerability (CWE-22, CWE-36) affecting Ivanti Endpoint Manager (EPM) versions prior to the 2024 January-2025 Security Update and the 2022 SU6 January-2025 Security Update. Published on January 14, 2025, the flaw carries a CVSS v3.1 base score of 9.8 (Critical), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-accessible exploitation with low complexity, no privileges or user interaction required.

A remote unauthenticated attacker can exploit this vulnerability to leak sensitive information from affected Ivanti EPM instances. The high confidentiality impact aligns with the path traversal nature, while the elevated integrity and availability scores reflect potential broader disruption.

Ivanti's security advisory recommends applying the January-2025 Security Updates for EPM 2024 and EPM 2022 SU6 to mitigate the issue. Further technical details on related vulnerabilities, including credential coercion, are documented in Horizon3.ai's attack research blog.

Details

CWE(s): CWE-36 CWE-22

Affected Products

ivanti

endpoint manager

2022, 2024 · ≤ 2022

CVEs Like This One

CVE-2024-13161Same product: Ivanti Endpoint Manager

CVE-2024-13160Same product: Ivanti Endpoint Manager

CVE-2024-13159Same product: Ivanti Endpoint Manager

CVE-2025-9713Same product: Ivanti Endpoint Manager

CVE-2024-13158Same product: Ivanti Endpoint Manager

CVE-2025-13659Same product: Ivanti Endpoint Manager

CVE-2024-13171Same product: Ivanti Endpoint Manager

CVE-2025-9712Same product: Ivanti Endpoint Manager

CVE-2024-13167Same product: Ivanti Endpoint Manager

CVE-2024-13166Same product: Ivanti Endpoint Manager

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Vendor Advisory · 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0