Cyber Resilience

CVE-2024-13160

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 14 January 2025

Published
14 January 2025
Modified
24 October 2025
KEV Added
10 March 2025
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.9381 99.9th percentile
Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13160 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13160 is an absolute path traversal vulnerability, tracked under CWE-36, that affects Ivanti Endpoint Manager (EPM) prior to the 2024 January-2025 Security Update and the 2022 SU6 January-2025 Security Update. The flaw resides in the EPM server component and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, unauthenticated exploitation with high impact on confidentiality, integrity, and availability.

A remote attacker without credentials can send specially crafted requests to traverse absolute paths on the affected server, enabling the disclosure of sensitive files and configuration data that may contain credentials or other information useful for further attacks.

Ivanti’s security advisory directs customers to install the January 2025 updates for both EPM 2024 and EPM 2022 SU6. The vulnerability has also been added to CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.

The associated EPSS score stands at 0.9381, matching its recorded peak and indicating substantial exploitation interest following disclosure.

EU & UK References

Vulnerability details

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

CWE(s)
KEV Date Added
10 March 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1187 Forced Authentication Credential Access
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

CVE-2024-13160 enables unauthenticated attackers to perform path traversal to remote UNC paths, coercing server machine account authentication for NTLM relay (T1187: Forced Authentication) and exploiting the remote service (T1210: Exploitation of Remote Services).

CVEs Like This One

CVE-2024-13161Same product: Ivanti Endpoint Managerboth on KEV
CVE-2024-13159Same product: Ivanti Endpoint Managerboth on KEV
CVE-2026-1603Same product: Ivanti Endpoint Managerboth on KEV
CVE-2024-10811Same product: Ivanti Endpoint Manager
CVE-2024-13171Same product: Ivanti Endpoint Manager
CVE-2024-13164Same product: Ivanti Endpoint Manager
CVE-2024-13163Same product: Ivanti Endpoint Manager
CVE-2025-13659Same product: Ivanti Endpoint Manager
CVE-2024-13168Same product: Ivanti Endpoint Manager
CVE-2024-13172Same product: Ivanti Endpoint Manager

Affected Assets

ivanti
endpoint manager
2022, 2024 · ≤ 2022

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation requires applying Ivanti's January 2025 security updates to directly fix the absolute path traversal vulnerability.

prevent

Information input validation checks and sanitizes inputs to block absolute path traversal sequences like '../' from accessing unauthorized files.

prevent

Information input restrictions reject invalid inputs including '..' sequences and partial URLs exploited in this path traversal attack.

References