CVE-2024-13160 Overview
CVE-2024-13160 is an absolute path traversal vulnerability in Ivanti Endpoint Manager (EPM) that allows a remote unauthenticated attacker to leak sensitive information. This vulnerability affects Ivanti EPM versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Remote unauthenticated attackers can leverage this flaw to access sensitive information without any user interaction.
Affected Products
- Ivanti Endpoint Manager 2024 (versions prior to January-2025 Security Update)
- Ivanti Endpoint Manager 2022, all versions through SU6 (SU1 through SU6 inclusive), prior to the 2022 SU6 January-2025 Security Update
Discovery Timeline
- 2025-01-14 - CVE-2024-13160 published to NVD
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2024-13160
Vulnerability Analysis
This absolute path traversal vulnerability (CWE-36) exists in Ivanti Endpoint Manager's web service components. The flaw allows attackers to bypass intended access restrictions and read arbitrary files from the system by manipulating file path parameters. When exploited, an unauthenticated remote attacker can access sensitive configuration files, credentials, or other confidential data stored on the EPM server.
The vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely over the network. Attackers can leverage this flaw as part of a credential coercion attack chain, potentially enabling further compromise of the endpoint management infrastructure.
Root Cause
The root cause of this vulnerability is insufficient validation of user-supplied file path input within the Ivanti EPM application. The application fails to properly sanitize absolute path references, allowing attackers to specify arbitrary file system paths instead of restricting access to intended directories. This lack of input validation enables directory traversal sequences or absolute paths to be processed, granting unauthorized file system access.
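The pattern described above, shown as an added illustration written for this page: it is not Ivanti's code and says nothing about how EPM itself resolves paths. The base directory, the parameter handling and the request values are assumptions constructed for the example. The naive join shows why an absolute or rooted value wins over the base directory (the CWE-36 behaviour), and the hardened form shows the containment check a defender would expect after decoding and canonicalising the input:

```python
import ntpath  # Windows path semantics, so the example behaves the same on any host OS
from urllib.parse import unquote

# Hypothetical application data directory; not a real Ivanti EPM path.
BASE_DIR = r"C:\ProgramData\ExampleApp\files"


def naive_resolve(base, user_path):
    """Vulnerable pattern (CWE-36): the request parameter is decoded and joined
    straight onto the base directory. ntpath.join discards the base entirely
    when the second argument carries a drive or a leading separator, and
    normpath collapses '..' segments, so the caller ends up reading wherever
    the client pointed it."""
    return ntpath.normpath(ntpath.join(base, unquote(user_path)))


def resolve_under_base(base, user_path):
    """Hardened form: decode, join, canonicalise, then require that the result
    still lies inside the canonical base directory. Returns the resolved path,
    or None when the request must be rejected."""
    base_n = ntpath.normpath(base)
    candidate = ntpath.normpath(ntpath.join(base_n, unquote(user_path)))
    try:
        inside = ntpath.commonpath([base_n, candidate]) == base_n
    except ValueError:
        # Raised when the two paths are on different drives, or one is relative:
        # either way the candidate is not under the base.
        inside = False
    return candidate if inside else None


if __name__ == "__main__":
    # Constructed request values: one legitimate, the rest escaping the base directory.
    for p in (r"reports\q1.csv", r"C:\Windows\win.ini", r"\Windows\win.ini",
              r"..\..\..\Windows\win.ini", "%5CWindows%5Cwin.ini"):
        print(f"{p!r:32} naive={naive_resolve(BASE_DIR, p)!r:44} "
              f"hardened={resolve_under_base(BASE_DIR, p)!r}")
```

The check compares canonical paths rather than string prefixes, so a sibling directory that merely starts with the base name (`files2` next to `files`) is rejected as well, and the decode step runs before validation so that a percent-encoded separator cannot slip past a check that only looked at the raw parameter.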
Attack Vector
The attack vector is network-based, requiring no authentication or user interaction. An attacker can send specially crafted HTTP requests to the vulnerable EPM server, manipulating file path parameters to traverse outside the intended directory structure. The vulnerability exploits improper handling of file path inputs, allowing the attacker to specify absolute paths that point to sensitive files on the server's file system.
According to Horizon3's attack research, this vulnerability can be chained with other credential coercion vulnerabilities to achieve more significant compromise of affected systems.
Detection Methods for CVE-2024-13160
Indicators of Compromise
- Unusual HTTP requests to Ivanti EPM web services containing absolute file paths or directory traversal sequences
- Access logs showing requests for sensitive system files such as configuration files, credential stores, or Windows system files
- Unexpected file read operations from the EPM service account targeting files outside the application directory
- Network traffic patterns indicating data exfiltration following successful exploitation
Detection Strategies
- Monitor Ivanti EPM web server access logs for requests containing absolute path references (e.g., C:\, /etc/) or encoded path traversal sequences
- Implement file integrity monitoring on the EPM server to detect unauthorized access to sensitive configuration and system files
- Deploy network intrusion detection rules to identify exploitation attempts targeting this vulnerability
- Review Windows Security Event logs for anomalous file access by the EPM service account
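The first detection strategy in the list above (absolute path references and encoded traversal sequences in web access logs), as an added example written for this page rather than a rule shipped with EPM or any IDS. It assumes IIS W3C extended log fields in the order shown in the constructed sample; the route `/example-service/download` is a placeholder, not a real EPM endpoint, and the client addresses are documentation ranges. The scanner percent-decodes each request target until it stops changing, so single- and double-encoded traversal is caught and reported as such:

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format. The route
# /example-service/download is a placeholder, not a real EPM endpoint.
SAMPLE_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-01-15 10:01:02 10.0.0.5 GET /example-service/download file=reports/q1.csv 443 - 10.0.0.20 Mozilla/5.0 200
2025-01-15 10:02:11 10.0.0.5 GET /example-service/download file=C:\Windows\win.ini 443 - 203.0.113.7 curl/8.4.0 200
2025-01-15 10:02:13 10.0.0.5 GET /example-service/download file=..%2F..%2F..%2FWindows%2Fwin.ini 443 - 203.0.113.7 curl/8.4.0 200
2025-01-15 10:02:15 10.0.0.5 GET /example-service/download file=%252e%252e%255cWindows%255cwin.ini 443 - 203.0.113.7 curl/8.4.0 200
2025-01-15 10:02:20 10.0.0.5 GET /example-service/download file=/etc/passwd 443 - 203.0.113.7 curl/8.4.0 404
2025-01-15 10:03:40 10.0.0.5 GET /example-service/download file=reports/q2.csv 443 - 10.0.0.21 Mozilla/5.0 404
""".strip()

# Drive letter plus separator, not preceded by a letter (so "https://" is not a hit).
ABS_WIN = re.compile(r"(?<![A-Za-z])[A-Za-z]:[\\/]")
# Rooted POSIX system directory at the start of a parameter value.
ABS_POSIX = re.compile(r"(?<![\w.])/etc/")
# A dot-dot segment followed by either separator.
TRAVERSAL = re.compile(r"\.\.[\\/]")


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable (bounded), returning the text and how many
    rounds actually changed it, so double encoding can be reported."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def classify(request_target):
    """Return (decoded_target, reasons) for one 'stem?query' string."""
    decoded, rounds = fully_decode(request_target)
    reasons = []
    if ABS_WIN.search(decoded):
        reasons.append("absolute_windows_path")
    if ABS_POSIX.search(decoded):
        reasons.append("absolute_posix_path")
    if TRAVERSAL.search(decoded):
        reasons.append("dot_dot_traversal")
    if reasons and rounds == 1:
        reasons.append("url_encoded")
    elif reasons and rounds >= 2:
        reasons.append("double_url_encoded")
    return decoded, reasons


def scan_log(text):
    """Return one finding per suspicious request in a W3C-format access log."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 11:
            continue  # truncated or non-standard line; skip rather than guess
        date, time, _, method, stem, query, _, _, client_ip = fields[:9]
        status = fields[-1]
        target = stem if query == "-" else f"{stem}?{query}"
        decoded, reasons = classify(target)
        if reasons:
            findings.append({"time": f"{date} {time}", "client_ip": client_ip,
                             "method": method, "status": status,
                             "target": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client_ip']} {f['status']} {f['target']} <- {', '.join(f['reasons'])}")
```

The status code is carried through on purpose: a 200 on a flagged request is the line to escalate, while a cluster of 404s from one client still indicates probing and belongs in the same alert. When wiring this into a SIEM, run the same decode-then-match logic on the query string rather than on the raw line, so a WAF or proxy that logs already-decoded values does not produce a different verdict from one that logs the wire form.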
Monitoring Recommendations
- Enable detailed logging on Ivanti EPM servers and forward logs to a SIEM for centralized analysis
- Configure alerts for any access attempts to known sensitive file paths from web service processes
- Monitor for credential coercion attempts and NTLM relay attacks that may follow successful information disclosure
- Establish baseline behavior for EPM file access patterns to identify anomalous activity
How to Mitigate CVE-2024-13160
Immediate Actions Required
- Apply the January-2025 Security Update for Ivanti EPM 2024 or EPM 2022 SU6 immediately
- If patching is not immediately possible, restrict network access to the EPM server to trusted management networks only
- Review access logs for signs of exploitation and investigate any suspicious activity
- Implement network segmentation to limit exposure of the EPM management interface
Patch Information
Ivanti has released the January-2025 Security Update to address this vulnerability. Organizations running Ivanti EPM 2024 should apply the 2024 January-2025 Security Update, while those running EPM 2022 should apply the 2022 SU6 January-2025 Security Update. The official security advisory is available at the Ivanti Security Advisory page.
Given that this vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog, federal agencies and critical infrastructure organizations should prioritize patching according to CISA's remediation timelines.
Workarounds
- Implement strict network access controls to limit who can reach the EPM management interface
- Deploy a web application firewall (WAF) configured to block path traversal attack patterns
- Consider temporarily disabling internet-facing access to the EPM server until patches can be applied
- Implement additional network monitoring to detect and alert on exploitation attempts
# Example: restrict inbound access to the EPM web interface (TCP 443) with Windows Firewall
# (replace the private ranges below with your trusted management networks).
# Note: Windows Firewall applies explicit block rules before allow rules, so an unscoped
# "block 443" rule would override the scoped allow rule and cut off the management networks
# as well. Keep the allow rule scoped and let the profile's default inbound action (block) do the rest.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Allow EPM Access from Management Networks" dir=in action=allow remoteip=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 protocol=tcp localport=443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


