CVE-2024-13159 Overview
CVE-2024-13159 is an absolute path traversal vulnerability affecting Ivanti Endpoint Manager (EPM) that allows remote unauthenticated attackers to leak sensitive information from vulnerable systems. This vulnerability exists in Ivanti EPM versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update.
The vulnerability is classified under CWE-36 (Absolute Path Traversal), which occurs when user-controllable input is used to construct a pathname that should be within a restricted directory, but the input is not properly neutralized, allowing attackers to access files outside the intended directory.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Remote unauthenticated attackers can leverage this flaw to access sensitive information from affected Ivanti EPM servers without any authentication requirements.
Affected Products
- Ivanti Endpoint Manager 2024 (prior to January-2025 Security Update)
- Ivanti Endpoint Manager 2022 SU1 through SU6 (prior to January-2025 Security Update)
- Ivanti Endpoint Manager 2022 base version
Discovery Timeline
- 2025-01-14 - CVE-2024-13159 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2024-13159
Vulnerability Analysis
This absolute path traversal vulnerability allows remote unauthenticated attackers to access files outside the intended directory structure on Ivanti EPM servers. The flaw stems from improper validation of user-supplied input that is used to construct file paths, enabling attackers to traverse the file system and read sensitive files.
The network-accessible nature of this vulnerability combined with the lack of authentication requirements makes it particularly dangerous for organizations running unpatched Ivanti EPM deployments. Attackers can exploit this vulnerability remotely without any user interaction, potentially gaining access to configuration files, credentials, and other sensitive data stored on the EPM server.
Research from Horizon3.ai has documented this vulnerability as part of multiple credential coercion vulnerabilities affecting Ivanti Endpoint Manager, indicating that attackers may chain this information disclosure with other techniques to achieve further compromise.
Root Cause
The root cause of CVE-2024-13159 is improper neutralization of special elements used in file path construction. When processing certain requests, Ivanti EPM fails to adequately validate and sanitize user-supplied input before using it to access files on the server. This allows attackers to include path traversal sequences such as ../ or absolute paths to escape the intended directory and access arbitrary files on the system.
Attack Vector
The attack vector for CVE-2024-13159 is network-based, requiring no authentication or user interaction. An attacker can craft malicious requests containing path traversal sequences to the Ivanti EPM server, exploiting the insufficient input validation to read files outside the application's intended scope.
The exploitation flow typically involves:
- Identifying a vulnerable Ivanti EPM server accessible over the network
- Crafting a request with manipulated path parameters containing traversal sequences
- Submitting the request to access sensitive files such as configuration data or credentials
- Using the leaked information for further attacks or lateral movement
Due to the sensitivity of this vulnerability and its active exploitation status, specific exploitation details are not provided here. Technical analysis is available in the Horizon3.ai Attack Research Blog.
Detection Methods for CVE-2024-13159
Indicators of Compromise
- Unusual HTTP requests to Ivanti EPM web interfaces containing path traversal sequences such as ../, ..\\, or absolute paths
- Access log entries showing requests attempting to access files outside normal application directories
- Unexpected file access events on the EPM server filesystem, particularly targeting configuration or credential files
- Network traffic patterns indicating reconnaissance or data exfiltration from EPM servers
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal patterns in requests to Ivanti EPM endpoints
- Monitor Ivanti EPM server access logs for suspicious request patterns, particularly those containing encoded traversal sequences
- Deploy network-based intrusion detection signatures to identify exploitation attempts targeting this vulnerability
- Enable detailed file access auditing on EPM servers to detect unauthorized file reads
Monitoring Recommendations
- Configure SIEM alerts for path traversal indicators in HTTP request logs from Ivanti EPM servers
- Establish baseline network behavior for EPM servers and alert on anomalous outbound data transfers
- Monitor authentication logs for any attempts to use credentials that may have been exposed through this vulnerability
- Review CISA KEV catalog alerts and threat intelligence feeds for updated exploitation activity related to CVE-2024-13159
How to Mitigate CVE-2024-13159
Immediate Actions Required
- Apply the Ivanti EPM January-2025 Security Update immediately for both EPM 2024 and EPM 2022 SU6 deployments
- Restrict network access to Ivanti EPM management interfaces to trusted administrative networks only
- Review server logs for evidence of prior exploitation attempts
- Rotate any credentials that may have been stored on or accessible through the EPM server
Patch Information
Ivanti has released security updates to address this vulnerability. Organizations should apply the appropriate update based on their deployment:
- Ivanti EPM 2024: Apply the January-2025 Security Update
- Ivanti EPM 2022: Apply SU6 with the January-2025 Security Update
Detailed patch information and download links are available in the Ivanti Security Advisory.
Given this vulnerability's inclusion in the CISA Known Exploited Vulnerabilities Catalog, federal agencies are required to remediate within mandated timeframes, and all organizations should prioritize patching immediately.
Workarounds
- Implement network segmentation to isolate Ivanti EPM servers from untrusted networks and limit exposure
- Deploy a reverse proxy or web application firewall in front of EPM servers to filter malicious path traversal requests
- Enable strict firewall rules to allow only necessary traffic to EPM server ports
- Monitor and restrict access to sensitive directories on the EPM server filesystem pending patch deployment
# Example firewall rule to restrict EPM server access (adjust ports and IPs as needed)
# Only allow access from trusted management network
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
