Introduction

This document addresses three critical vulnerabilities in Ivanti’s Endpoint Manager (EPM) [4], identified as CVE-2024-13159 [2] [3] [6] [8] [10], CVE-2024-13160 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], and CVE-2024-13161 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11]. These vulnerabilities pose significant security risks, allowing unauthorized access and potential system compromise. The following sections provide a detailed description of these vulnerabilities and their implications, as well as recommended mitigation strategies.

Description

Three critical vulnerabilities in Ivanti’s Endpoint Manager (EPM) [1] [2] [3] [4] [7] [8] [10], tracked as CVE-2024-13159 [2] [3] [6] [10], CVE-2024-13160 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], and CVE-2024-13161 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], are classified as absolute path traversal vulnerabilities (CWE-36) that can be abused for credential coercion. They allow remote unauthenticated attackers to manipulate file paths [6], leading to full server compromise and unauthorized access to sensitive information, including critical system credentials and configuration data. Such exploitation poses significant security risks, potentially resulting in data loss and follow-on attacks, such as NTLM relay attacks, which could compromise the server and all associated EPM clients.

Each vulnerability has a CVSS base score of 9.8 [8], underscoring its critical nature [8]. Ivanti disclosed and patched these vulnerabilities on January 13, 2025, alongside another flaw [2], CVE-2024-10811 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11], initially stating that it was unaware of any exploitation prior to public disclosure [2]. However, the US Cybersecurity and Infrastructure Security Agency (CISA) has since added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog [3] [4] [10], confirming active exploitation in the wild. The concern is heightened by the release of proof-of-concept exploit code by Horizon3.ai in January 2025, following a 30-day waiting period intended to give customers time to apply the patches, which demonstrated how these vulnerabilities could be exploited for unauthorized access [6].

The risks posed by these vulnerabilities are particularly significant for federal enterprises, as compromising the Endpoint Manager server could enable attackers to breach all associated EPM clients and potentially gain control over the entire enterprise network. In accordance with Binding Operational Directive (BOD) 22-01 [1] [9], federal civilian executive branch agencies are mandated to remediate identified vulnerabilities by March 31, 2025, to safeguard their networks against active threats [11]. CISA advises all organizations to prioritize timely remediation to mitigate exposure to potential cyberattacks [8] [11]. Organizations are also urged to monitor Ivanti’s support portal for updates, restrict unauthenticated access to EPM instances [1], and audit file access logs for signs of path traversal attempts [1], given the increasing targeting of Ivanti products, particularly network edge devices and remote IT management tools [2]. For organizations unable to patch immediately [10], temporary isolation of affected systems may be necessary [10], and monitoring for indicators of compromise related to these vulnerabilities is recommended [10]. Immediate application of critical updates is essential for effectively mitigating these vulnerabilities and preventing potential system downtime, disruption of critical operations [4], and reputational damage due to data breaches [4].
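As an added, defender-side example (not code from this page, from Ivanti, or from any of the cited sources): a small Python scanner that flags the path-parameter patterns the advisory recommends auditing for, namely client-supplied absolute paths (CWE-36), UNC paths that would make the server open a remote share and authenticate outbound (the NTLM relay risk), and `..` traversal. The log line format and the `path` query parameter are constructed for illustration and are not EPM's real log format or endpoint.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (not real EPM logs). Each carries a
# user-supplied "path" parameter of the kind that CWE-36 code hands to a file API.
SAMPLE_LOG = """\
2025-03-11T10:00:01Z GET /service?path=reports/march.csv 200
2025-03-11T10:00:02Z GET /service?path=C:\\Windows\\win.ini 200
2025-03-11T10:00:03Z GET /service?path=\\\\203.0.113.5\\share\\x 500
2025-03-11T10:00:04Z GET /service?path=..\\..\\config\\db.xml 200
2025-03-11T10:00:05Z GET /service?path=%2Fetc%2Fpasswd 404
"""

UNC_RE = re.compile(r"^(\\\\|//)[^\\/]+[\\/]")          # \\host\share or //host/share
DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")               # C:\ or C:/
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")     # a ".." path segment
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+)\?path=(\S+) (\d{3})$")


def classify_path(p: str) -> Optional[str]:
    """Label a decoded path parameter, or return None if it looks benign."""
    if UNC_RE.match(p):
        return "unc-path"           # server would authenticate to a remote host
    if DRIVE_RE.match(p) or p.startswith("/"):
        return "absolute-path"      # CWE-36: client chose the absolute location
    if TRAVERSAL_RE.search(p):
        return "relative-traversal"
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line whose path parameter is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                # skip lines that do not match the constructed format
        ts, _method, _url, raw_path, status = m.groups()
        path = unquote(raw_path)    # decode first: %2F hides a leading slash
        label = classify_path(path)
        if label:
            findings.append({"ts": ts, "path": path, "finding": label, "status": status})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Note that the status code is kept in each finding: a 200 on an absolute or UNC path is a stronger signal than a 404, but a failed attempt is still worth alerting on.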

Conclusion

The vulnerabilities in Ivanti’s Endpoint Manager present a critical threat to organizational security, particularly for federal enterprises. Immediate action is required to mitigate these risks, including applying patches, monitoring for signs of exploitation, and implementing temporary protective measures if necessary. Organizations must remain vigilant and proactive in addressing these vulnerabilities to prevent potential data breaches and ensure the integrity of their networks.

References

[1] https://cybersecuritynews.com/cisa-adds-3-ivanti-endpoint-manager-vulnerabilities/
[2] https://www.cybersecuritydive.com/news/cisa-3-ivanti-endpoint-vulnerabilities-exploited-in-the-wild/742168/
[3] https://www.csoonline.com/article/3843301/ivanti-epm-vulnerabilities-actively-exploited-in-the-wild-cisa-warns.html
[4] https://thecyberthrone.in/2025/03/11/cisa-kev-catalog-update-part-iii-march-2025/
[5] https://www.cyware.com/resources/threat-briefings/daily-threat-briefing/cyware-daily-threat-intelligence-march-11-2025
[6] https://cybermaterial.com/cisa-adds-new-vulnerabilities-to-kev-list/
[7] https://securityaffairs.com/175232/breaking-news/u-s-cisa-adds-advantive-veracore-and-ivanti-epm-flaws-to-its-known-exploited-vulnerabilities-catalog.html
[8] https://www.infosecurity-magazine.com/news/cisa-kev-ivanti-critical/
[9] https://www.hendryadrian.com/cisa-tags-critical-ivanti-epm-flaws-as-actively-exploited-in-attacks/
[10] https://gbhackers.com/cisa-added-3-ivanti-endpoint-manager-bugs/
[11] https://www.cisa.gov/news-events/alerts/2025/03/10/cisa-adds-five-known-exploited-vulnerabilities-catalog