CVE-2024-13160

CriticalCISA KEVActive ExploitationPublic PoC

Published: 14 January 2025

Published

14 January 2025

Modified

24 October 2025

KEV Added

10 March 2025

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.9381 99.9th percentile

Risk Priority 96 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13160 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187); ranked in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Forced Authentication (T1187) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation requires applying Ivanti's January 2025 security updates to directly fix the absolute path traversal vulnerability.

SI-10 Information Input Validation good match

prevent

Information input validation checks and sanitizes inputs to block absolute path traversal sequences like '../' from accessing unauthorized files.

SI-9 Information Input Restrictions good match

prevent

Information input restrictions reject invalid inputs including '..' sequences and partial URLs exploited in this path traversal attack.

MITRE ATT&CK Enterprise TechniquesAI

T1187 Forced Authentication Credential Access

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

CVE-2024-13160 enables unauthenticated attackers to perform path traversal to remote UNC paths, coercing server machine account authentication for NTLM relay (T1187: Forced Authentication) and exploiting the remote service (T1210: Exploitation of Remote Services).

NVD Description

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Deeper analysisAI

CVE-2024-13160 is an absolute path traversal vulnerability (CWE-36) in Ivanti Endpoint Manager (EPM) versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update. Published on January 14, 2025, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

A remote unauthenticated attacker can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Successful exploitation enables the attacker to leak sensitive information from the affected EPM instances.

Ivanti's January 2025 Security Advisory provides patches for EPM 2024 and EPM 2022 SU6 to mitigate this issue, and administrators should apply these updates immediately. The vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog, underscoring the need for urgent remediation.

This CVE has seen real-world exploitation, as evidenced by its CISA KEV inclusion. Additional research from Horizon3.ai discusses related credential coercion vulnerabilities in Ivanti EPM, highlighting broader risks in the product family.

Details

CWE(s): CWE-36
KEV Date Added: 10 March 2025

Affected Products

ivanti

endpoint manager

2022, 2024 · ≤ 2022

CVEs Like This One

CVE-2024-13161Same product: Ivanti Endpoint Managerboth on KEV

CVE-2024-13159Same product: Ivanti Endpoint Managerboth on KEV

CVE-2026-1603Same product: Ivanti Endpoint Managerboth on KEV

CVE-2024-10811Same product: Ivanti Endpoint Manager

CVE-2025-9872Same product: Ivanti Endpoint Manager

CVE-2024-13166Same product: Ivanti Endpoint Manager

CVE-2025-9712Same product: Ivanti Endpoint Manager

CVE-2024-13165Same product: Ivanti Endpoint Manager

CVE-2024-13158Same product: Ivanti Endpoint Manager

CVE-2024-13163Same product: Ivanti Endpoint Manager

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Vendor Advisory · 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13160
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/
Exploit, Third Party Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0