CISA warned U.S. federal agencies to secure their networks against attacks exploiting three critical vulnerabilities affecting Ivanti Endpoint Manager (EPM) appliances.
The three flaws (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) are due to absolute path traversal weaknesses that can let remote unauthenticated attackers fully compromise vulnerable servers.
They were reported in October by Horizon3.ai vulnerability researcher Zach Hanley and patched by Ivanti on January 13. Just over a month later, Horizon3.ai also released proof-of-concept exploits that can be used in relay attacks for unauthenticated coercion of the Ivanti EPM machine credentials.
On Monday, CISA added the three vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security flaws the cybersecurity agency has marked as exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 31, to secure their systems against ongoing attacks, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice.”
Ivanti has not yet updated its security advisory after CISA tagged the vulnerabilities as actively exploited in attacks.
In January, CISA and the FBI cautioned that attackers are still exploiting Ivanti Cloud Service Appliances (CSA) security flaws patched since September to breach vulnerable networks.
Multiple other Ivanti vulnerabilities have been exploited as zero-days over the last year in widespread attacks targeting the company’s VPN appliances and ICS, IPS, and ZTA gateways.
Since the start of 2025, a suspected China-nexus espionage actor (tracked as UNC5221) also targeted Ivanti Connect Secure VPN appliances, infecting them with new Dryhook and Phasejam malware following successful remote code execution zero-day attacks.
Ivanti says it partners with over 7,000 organizations worldwide to provide system and IT asset management solutions to over 40,000 companies.