CVE-2024-13159
📋 TL;DR
CVE-2024-13159 is an absolute path traversal vulnerability in Ivanti Endpoint Manager (EPM) that allows remote unauthenticated attackers to access sensitive files on the server. This affects Ivanti EPM 2024 and 2022 SU6 versions before the January 2025 security updates. Attackers can exploit this to leak credentials, configuration files, and other sensitive information.
💻 Affected Systems
- Ivanti Endpoint Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the EPM server with credential theft leading to domain-wide lateral movement and privilege escalation across managed endpoints.
Likely Case
Credential harvesting from configuration files leading to limited lateral movement within the network and potential endpoint compromise.
If Mitigated
Limited information disclosure, provided proper network segmentation and access controls prevent lateral movement from a compromised EPM server.
🎯 Exploit Status
Exploitation is trivial with publicly available proof-of-concept code. CISA has confirmed active exploitation in the wild.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: EPM 2024 January 2025 Security Update or EPM 2022 SU6 January 2025 Security Update
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Restart Required: Yes
Instructions:
1. Download the appropriate security update from Ivanti's support portal.
2. Back up your EPM database and configuration.
3. Apply the security update following Ivanti's installation guide.
4. Restart the EPM services or server as required.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to EPM servers to only trusted administrative networks
Web Application Firewall Rules
Implement WAF rules to block path traversal patterns in HTTP requests
🧯 If You Can't Patch
- Immediately isolate EPM servers from internet access and restrict internal access to only necessary administrative networks
- Implement strict monitoring and alerting for any access to EPM web interfaces and review logs for path traversal attempts
🔍 How to Verify
Check if Vulnerable:
Check the EPM version in the web interface or via the EPM console. If the version predates the January 2025 security updates, the system is vulnerable.
Check Version:
In EPM web interface: Navigate to Help > About. Or check the EPM installation directory for version information.
Verify Fix Applied:
Verify the installed version shows the January 2025 security update applied. Test with known exploit attempts to confirm they are blocked.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '../' patterns to EPM web interface
- Access to sensitive file paths from unusual IP addresses
- Failed authentication attempts followed by path traversal attempts
Network Indicators:
- HTTP requests with encoded path traversal sequences to EPM ports (typically 443, 8443)
- Unusual outbound connections from EPM server after exploitation
SIEM Query:
source="epm_web_logs" AND (uri="*..%2f*" OR uri="*../*" OR uri="*%2e%2e%2f*")
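The SIEM query above matches raw substrings, so it misses double-encoded sequences such as `%252e%252e%252f` and backslash variants. The following added example (not from the page or from Ivanti) shows how a log-review script can percent-decode each request URI before matching and flag both dot-dot traversal and, as an extension of the page's query that reflects the advisory's "absolute path traversal" wording, absolute Windows or UNC paths supplied in a request. The log lines, hosts and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample web-server access log lines (not real EPM traffic); the
# URIs are illustrative only and do not reflect real EPM endpoints.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Jan/2025:10:01:02 +0000] "GET /EPM/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:10:01:03 +0000] "GET /EPM/api/../../web.config HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Jan/2025:10:01:04 +0000] "GET /EPM/api?file=..%2f..%2fweb.config HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Jan/2025:10:01:05 +0000] "GET /EPM/api?file=%252e%252e%252fweb.config HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Jan/2025:10:01:06 +0000] "GET /EPM/api?file=C:%5CProgramData%5Cconfig.xml HTTP/1.1" 200 900',
    '10.0.0.7 - - [10/Jan/2025:10:01:07 +0000] "GET /EPM/static/app.js HTTP/1.1" 200 30000',
]

# Common Log Format-style request line: client IP, timestamp, method, URI, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a path segment, whether it follows a slash, backslash or a query delimiter.
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?;])\.\.(?:[/\\]|$)')
# Assumed heuristic: a drive-letter path (C:\ or C:/) or a UNC prefix (\\host) in the request.
ABS_PATH_RE = re.compile(r'(?<![A-Za-z])[A-Za-z]:[\\/]|\\\\[^\\/]')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences are seen in
    their final form; bounded so pathological input cannot loop forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(uri: str) -> list:
    """Return the list of reasons a request URI looks like path traversal."""
    decoded = fully_decode(uri)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append('dot-dot traversal')
    if ABS_PATH_RE.search(decoded):
        reasons.append('absolute/UNC path in request')
    return reasons


def scan(lines) -> list:
    """Parse each log line and collect alerts for suspicious request URIs."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not request records
        reasons = classify(m['uri'])
        if reasons:
            alerts.append({'ip': m['ip'], 'uri': m['uri'],
                           'status': int(m['status']), 'reasons': reasons})
    return alerts


if __name__ == '__main__':
    for alert in scan(SAMPLE_LOGS):
        print(alert['ip'], alert['status'], alert['uri'], ', '.join(alert['reasons']))
```

A 200 status on a flagged request deserves priority over a 404, since it suggests the traversal actually returned content.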
🔗 References
- https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13159
- https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/