CISA Adds 3 Ivanti Endpoint Manager Vulnerabilities to Known Exploited Vulnerabilities Catalog


  • Today CISA added three Ivanti Endpoint Manager (EPM) vulnerabilities (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) to its Known Exploited Vulnerabilities (KEV) catalog.
  • These absolute path traversal flaws allow remote, unauthenticated attackers to leak sensitive information from affected systems.
  • Federal agencies must mitigate these vulnerabilities by March 31, 2025, per CISA’s directive, though no specific ransomware link has been confirmed.

The Cybersecurity and Infrastructure Security Agency (CISA) updated its KEV catalog on March 10, 2025, to include three newly identified vulnerabilities in Ivanti Endpoint Manager (EPM), widely used enterprise software for managing endpoints.

The KEV catalog tracks vulnerabilities actively exploited in the wild, urging organizations to prioritize remediation to safeguard critical systems.

All three vulnerabilities (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) are classified as absolute path traversal issues (CWE-36), with identical characteristics:

Each flaw enables a remote, unauthenticated attacker to access sensitive files by manipulating file paths, potentially exposing configuration data, credentials, or other critical information.

Exploitation Mechanism

These vulnerabilities stem from inadequate path validation in Ivanti EPM’s file-handling processes. An attacker can send crafted HTTP requests—such as GET /../../sensitive/file—to traverse the file system beyond intended directories.

If successful, this could reveal files like logs or configuration settings without requiring authentication, providing a foothold for further attacks.

While it’s unknown if these vulnerabilities are tied to ransomware campaigns, their presence in the KEV catalog indicates confirmed exploitation in real-world scenarios. Given Ivanti EPM’s role in managing enterprise endpoints, leaks of sensitive data could lead to broader network compromises, making timely action critical.

  • Action Required: Organizations must apply mitigations per Ivanti’s instructions, adhere to Binding Operational Directive (BOD) 22-01 for cloud services, or discontinue use if patches are unavailable.
  • Deadline: Federal Civilian Executive Branch (FCEB) agencies have until March 31, 2025, to address these vulnerabilities.
  • Date Added: All three were added to the KEV catalog on March 10, 2025, reflecting recent evidence of exploitation.

Recommendations

  • Monitor Ivanti’s support portal for updates.
  • Restrict unauthenticated access to EPM instances (e.g., via firewalls or VPNs).
  • Audit file access logs for signs of path traversal attempts.
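
One way to run the log audit recommended above, as an added example that is not from the original article or from Ivanti. It assumes the EPM web front end writes W3C extended logs (IIS-style field names); the sample lines, paths and IP addresses are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample in W3C extended log format; paths and IPs are made up.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-03-10 08:00:01 192.0.2.10 GET /app/status.aspx - 200
2025-03-10 08:00:05 198.51.100.7 GET /../../sensitive/file - 404
2025-03-10 08:00:09 198.51.100.7 GET /app/get.aspx name=%252e%252e%255c%252e%252e%255cweb.config 200
2025-03-10 08:00:12 203.0.113.4 GET /app/get.aspx path=C%3A%5CWindows%5Cwin.ini 200
2025-03-10 08:00:15 192.0.2.10 GET /app/report.aspx range=42..43 200
"""

RULES = [
    # ".." as a whole path segment (not "42..43" inside a value)
    ("dot-dot segment", re.compile(r"(?:^|[\\/=&?])\.\.(?:[\\/]|$)")),
    # CWE-36: a drive-letter or UNC path supplied as a parameter value
    ("absolute path in parameter", re.compile(r"=(?:[A-Za-z]:[\\/]|\\\\[^\\/]+[\\/])")),
]

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded input is normalised."""
    rounds = 0
    while rounds < max_rounds and unquote(value) != value:
        value, rounds = unquote(value), rounds + 1
    return value, rounds

def scan(log_text):
    """Return (client IP, decoded target, reasons) for each suspicious request."""
    hits, fields = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # honour the column order the log declares
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        target = rec.get("cs-uri-stem", "")
        if rec.get("cs-uri-query", "-") != "-":
            target += "?" + rec["cs-uri-query"]
        decoded, rounds = fully_decode(target)
        reasons = [name for name, rx in RULES if rx.search(decoded)]
        if reasons and rounds > 1:
            reasons.append("multiply encoded")  # layered encoding is itself a signal
        if reasons:
            hits.append((rec.get("c-ip"), decoded, reasons))
    return hits

if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, target, ", ".join(reasons))
```

Hits are triage leads rather than proof of compromise; correlate the client IP and response status with what the requested file would have exposed.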

The addition of CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 to CISA’s KEV catalog underscores the growing threat to endpoint management systems.

With a three-week remediation window for federal agencies, enterprises using Ivanti EPM should act swiftly to mitigate risks and prevent potential data leaks from escalating into larger breaches.
