CVE-2024-13161
Published: 14 January 2025
Summary
CVE-2024-13161 is a critical-severity Absolute Path Traversal (CWE-36) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Forced Authentication (T1187); ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2024-13161 by requiring timely application of Ivanti's January-2025 security updates to remediate the path traversal flaw.
Prevents absolute path traversal exploitation in Ivanti EPM by enforcing input validation mechanisms at entry points to block unauthorized directory access.
Mitigates sensitive information leakage from path traversal by filtering outputs prior to transmission, reducing the impact of successful exploits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Absolute path traversal vulnerability in Ivanti EPM allows unauthenticated remote attackers to coerce machine account NTLM authentication to attacker-controlled UNC/SMB shares, enabling Forced Authentication (T1187) for potential relay attacks.
NVD Description
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Deeper analysisAI
CVE-2024-13161 is an absolute path traversal vulnerability (CWE-36) affecting Ivanti Endpoint Manager (EPM) versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update. It enables a remote unauthenticated attacker to leak sensitive information from the affected system. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low complexity, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.
A remote unauthenticated attacker can exploit this vulnerability over the network without privileges to traverse directories and access sensitive files, resulting in information disclosure. The high integrity and availability impact scores suggest potential for broader disruption beyond leakage, though the primary effect is unauthorized access to sensitive data.
Ivanti's security advisory recommends applying the January-2025 Security Updates for EPM 2024 and EPM 2022 SU6 to mitigate the issue. The vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.
Additional research from Horizon3.ai highlights related credential coercion vulnerabilities in Ivanti Endpoint Manager, underscoring the need for comprehensive patching in this product line.
Details
- CWE(s)
- KEV Date Added
- 10 March 2025