CVE-2024-13159

CriticalCISA KEVActive ExploitationPublic PoC

Published: 14 January 2025

Published

14 January 2025

Modified

24 October 2025

KEV Added

10 March 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.9396 99.9th percentile

Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13159 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of the path traversal flaw in Ivanti EPM via vendor-provided patches in the January 2025 security updates.

SI-10 Information Input Validation good match

prevent

Directly prevents absolute path traversal exploits by enforcing validation of externally provided file path inputs to restrict access to intended directories.

SC-7 Boundary Protection partial match

preventdetect

Boundary protection with web application firewalls or inspection proxies blocks remote unauthenticated path traversal payloads targeting vulnerable Ivanti EPM endpoints.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

T1083 File and Directory Discovery Discovery

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

attack.mitre.org →

T1187 Forced Authentication Credential Access

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Absolute path traversal enables remote reading of local files for data collection (T1005) and file/directory discovery (T1083). UNC path coercion facilitates forced authentication (T1187). Unauthenticated remote vulnerability in public-facing application (T1190).

NVD Description

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Deeper analysisAI

CVE-2024-13159 is an absolute path traversal vulnerability (CWE-36) in Ivanti Endpoint Manager (EPM) versions before the 2024 January-2025 Security Update and the 2022 SU6 January-2025 Security Update. Published on January 14, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity due to its network accessibility, low complexity, and lack of required privileges or user interaction.

A remote unauthenticated attacker can exploit this vulnerability to leak sensitive information from the affected EPM instances.

Ivanti's January 2025 security advisory provides patches via the specified security updates for EPM 2024 and EPM 2022 SU6 to remediate the issue. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.

Horizon3.ai has published attack research on multiple credential coercion vulnerabilities in Ivanti Endpoint Manager, with relevance to this CVE.

Details

CWE(s): CWE-36
KEV Date Added: 10 March 2025

Affected Products

ivanti

endpoint manager

2022, 2024 · ≤ 2022

CVEs Like This One

CVE-2024-13161Same product: Ivanti Endpoint Managerboth on KEV

CVE-2024-13160Same product: Ivanti Endpoint Managerboth on KEV

CVE-2026-1603Same product: Ivanti Endpoint Managerboth on KEV

CVE-2024-10811Same product: Ivanti Endpoint Manager

CVE-2025-9872Same product: Ivanti Endpoint Manager

CVE-2025-9713Same product: Ivanti Endpoint Manager

CVE-2025-13659Same product: Ivanti Endpoint Manager

CVE-2025-9712Same product: Ivanti Endpoint Manager

CVE-2024-13166Same product: Ivanti Endpoint Manager

CVE-2024-13165Same product: Ivanti Endpoint Manager

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Vendor Advisory · 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13159
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0