Cyber Resilience

CVE-2024-13159

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 14 January 2025

Published
14 January 2025
Modified
24 October 2025
KEV Added
10 March 2025
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9405 99.9th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13159 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13159 is an absolute path traversal vulnerability, tracked under CWE-36, that affects Ivanti Endpoint Manager (EPM) prior to the January 2025 Security Update for both the 2024 release and the 2022 SU6 release. The flaw permits remote, unauthenticated access to arbitrary files on the affected system, resulting in disclosure of sensitive information. It carries a CVSS 3.1 base score of 9.8, reflecting network attack vector, low complexity, and no required privileges or user interaction.

A remote attacker with no authentication can send crafted requests that traverse the filesystem and retrieve protected files. Successful exploitation yields sensitive data that may include credentials or configuration details, enabling further compromise of the EPM deployment and potentially broader network access.

Ivanti’s January 2025 Security Advisory directs customers to apply the corresponding updates for EPM 2024 and EPM 2022 SU6. The vulnerability appears in CISA’s Known Exploited Vulnerabilities catalog, confirming in-the-wild exploitation, while its EPSS score remains elevated near 0.94.

EU & UK References

Vulnerability details

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

CWE(s)
KEV Date Added
10 March 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
T1187 Forced Authentication Credential Access
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Absolute path traversal enables remote reading of local files for data collection (T1005) and file/directory discovery (T1083). UNC path coercion facilitates forced authentication (T1187). Unauthenticated remote vulnerability in public-facing application (T1190).

CVEs Like This One

CVE-2024-13161Same product: Ivanti Endpoint Managerboth on KEV
CVE-2024-13160Same product: Ivanti Endpoint Managerboth on KEV
CVE-2026-1603Same product: Ivanti Endpoint Managerboth on KEV
CVE-2024-10811Same product: Ivanti Endpoint Manager
CVE-2025-13659Same product: Ivanti Endpoint Manager
CVE-2024-13162Same product: Ivanti Endpoint Manager
CVE-2025-9713Same product: Ivanti Endpoint Manager
CVE-2026-8111Same product: Ivanti Endpoint Manager
CVE-2025-9872Same product: Ivanti Endpoint Manager
CVE-2024-13163Same product: Ivanti Endpoint Manager

Affected Assets

ivanti
endpoint manager
2022, 2024 · ≤ 2022

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, and correction of the path traversal flaw in Ivanti EPM via vendor-provided patches in the January 2025 security updates.

prevent

Directly prevents absolute path traversal exploits by enforcing validation of externally provided file path inputs to restrict access to intended directories.

preventdetect

Boundary protection with web application firewalls or inspection proxies blocks remote unauthenticated path traversal payloads targeting vulnerable Ivanti EPM endpoints.

References