CVE-2024-13161

9.8 CRITICAL CISA KEV

📋 TL;DR

This vulnerability lets a remote, unauthenticated attacker perform absolute path traversal (CWE-36) against the Ivanti Endpoint Manager (EPM) server and leak sensitive information, such as credentials and configuration files. Unlike relative traversal, the attacker supplies a full path (a drive-letter path or a UNC path) rather than ../ sequences, so filters that only strip dot-dot segments do not help. It affects Ivanti EPM 2024 and EPM 2022 SU6 deployments before the January 2025 security updates.
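What absolute path traversal looks like in code, as an added illustration that is not Ivanti's code and does not reproduce the EPM bug itself: Python's ntpath.join, like most path-join APIs, discards the base directory when the second argument is itself absolute, so a filter that only removes ../ is bypassed by a plain C:\ or \\host\share path. The base directory and probe paths below are made up.

```python
import ntpath
from pathlib import PureWindowsPath

# Hypothetical document root of a file-serving endpoint (not an EPM path).
BASE_DIR = r"C:\Program Files\ExampleApp\reports"


def resolve_naive(base_dir, requested):
    r"""Vulnerable pattern: join() silently discards base_dir when the
    requested name is itself absolute, so C:\Windows\win.ini or
    \\attacker\share\x is served as-is even though it contains no '..'."""
    return ntpath.normpath(ntpath.join(base_dir, requested))


def resolve_safe(base_dir, requested):
    """Hardened pattern: reject anything with a drive or root component
    (drive-letter, drive-relative, rooted and UNC paths), then normalise
    and confirm the result is still inside base_dir."""
    p = PureWindowsPath(requested)
    if p.drive or p.root:
        raise ValueError("absolute, rooted or UNC path rejected: %r" % requested)
    base = ntpath.normpath(base_dir)
    full = ntpath.normpath(ntpath.join(base, requested))
    if ntpath.commonpath([base, full]) != base:
        raise ValueError("path escapes base directory: %r" % requested)
    return full


def demo():
    """Return the verdict of resolve_safe() for a set of constructed probes."""
    probes = [
        r"2024\summary.txt",        # legitimate relative name
        r"..\..\secret.ini",        # relative traversal
        r"C:\Windows\win.ini",      # absolute traversal via drive letter
        r"\Windows\win.ini",        # rooted on the current drive
        r"\\203.0.113.7\share\x",   # absolute traversal via UNC path
    ]
    results = {}
    for probe in probes:
        try:
            resolve_safe(BASE_DIR, probe)
            results[probe] = "accepted"
        except ValueError:
            results[probe] = "rejected"
    return results


if __name__ == "__main__":
    for probe, verdict in demo().items():
        print("%-26s naive -> %-46s safe -> %s"
              % (probe, resolve_naive(BASE_DIR, probe), verdict))
```

Running the block prints, for each probe, where the naive resolver would read from and whether the hardened resolver accepts it; only the legitimate relative name survives the hardened check, while the naive resolver happily returns the Windows system file and the attacker's UNC share.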

💻 Affected Systems

Products:
  • Ivanti Endpoint Manager
Versions: EPM 2024 before January 2025 Security Update, EPM 2022 SU6 before January 2025 Security Update
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The EPM server component is affected.

📦 What is this software?

Ivanti Endpoint Manager (EPM) is a Windows Server based endpoint management platform used for inventory, software distribution, patch management and remote control of managed devices. The EPM core server exposes web services and a management console to managed clients and administrators, which is why an unauthenticated server-side flaw has such a wide blast radius.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through credential theft, leading to domain takeover, lateral movement and data exfiltration.

🟠 Likely Case: Sensitive information disclosure, including administrative credentials, configuration files and system information that enables further attacks.

🟢 If Mitigated: Limited impact where network segmentation and access controls prevent untrusted access to EPM interfaces.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to network-accessible attackers without authentication.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists and exploitation requires no authentication. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, confirming exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: EPM 2024 January 2025 Security Update, EPM 2022 SU6 January 2025 Security Update

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6

Restart Required: Yes

Instructions:

1. Download the January 2025 Security Update from the Ivanti portal.
2. Apply the update to every EPM core server.
3. Restart the EPM services.
4. Verify that the update is reported as applied.

🔧 Temporary Workarounds

Network Segmentation (all affected versions): Restrict network access to EPM servers to trusted administrative networks only.

Firewall Rules (all affected versions): Block external access to EPM web interfaces and management ports.

🧯 If You Can't Patch

  • Immediately isolate EPM servers from internet and untrusted networks
  • Implement strict network access controls and monitor for suspicious file access patterns

🔍 How to Verify

Check if Vulnerable:

Compare the installed EPM version against the affected versions above. If you test for the flaw, do so only on systems you are authorized to test, and use a full Windows path (a drive-letter or UNC path) as the payload: this is an absolute path traversal, so ../ sequences are not what it relies on.

Check Version:

Check EPM console or server properties for version information

Verify Fix Applied:

Confirm that the EPM console reports the January 2025 Security Update as applied, then re-run the same traversal test and confirm it no longer returns file contents.

📡 Detection & Monitoring

Log Indicators:

  • Requests to EPM web services from clients that are not managed endpoints or administrative hosts, especially without an authenticated session
  • Request parameters carrying full Windows paths (a drive letter such as C:\, or a UNC path such as \\host\share), plain or percent-encoded, as well as ../ and ..\ sequences
  • Reads of sensitive files (configuration files, credential stores) by the EPM web service process

Network Indicators:

  • HTTP requests to EPM servers whose parameters contain drive-letter or UNC paths, or ../ and ..\ sequences; encoded forms (%5C, %2E%2E) count too
  • Unusual outbound connections from EPM servers, in particular SMB (445/tcp) to hosts outside your network, since a UNC path is itself an absolute path and resolving it makes the server connect out

SIEM Query:

source="epm_logs" AND (cs_uri_query="*..\\*" OR cs_uri_query="*../*" OR cs_uri_query="*%2e%2e*" OR cs_uri_query="*:\\*" OR cs_uri_query="*\\\\*" OR cs_uri_query="*%5c%5c*")

The field name cs_uri_query assumes IIS W3C logs; adjust it to the field your log source uses. A literal search for the words "absolute path" finds nothing, because the payload is the path itself, not a description of it.
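The same detection logic, run over constructed IIS W3C-style log lines, as an added example that is not part of the original page and not an Ivanti artifact. The /service/report.asmx endpoint and its path parameter are made up; the point is that the scanner percent-decodes each query value (twice, to catch double encoding) and flags drive-letter paths, UNC paths and dot-dot segments separately, so an absolute path traversal attempt is caught even though it contains no ../ at all.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines for illustration (not real EPM logs).
# Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
# The /service/report.asmx endpoint and the 'path' parameter are made up.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-01-15 10:01:02 10.0.0.5 GET /console/index.aspx - 443 10.0.0.20 Mozilla/5.0 200
2025-01-15 10:01:09 10.0.0.5 GET /service/report.asmx path=C:\\Windows\\win.ini 443 203.0.113.7 python-requests/2.31 200
2025-01-15 10:01:11 10.0.0.5 GET /service/report.asmx path=..%5C..%5Cweb.config 443 203.0.113.7 python-requests/2.31 200
2025-01-15 10:01:14 10.0.0.5 GET /service/report.asmx path=%5C%5C203.0.113.7%5Cshare%5Cx 443 203.0.113.7 curl/8.4 500
2025-01-15 10:01:20 10.0.0.5 GET /console/help.aspx topic=install 443 10.0.0.21 Mozilla/5.0 200
"""

PATTERNS = {
    "absolute_path": re.compile(r"^[A-Za-z]:[\\/]"),        # C:\... or C:/...
    "unc_path": re.compile(r"^(\\\\|//)[^\\/]+[\\/]"),       # \\host\share\...
    "dot_dot": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),         # ../ or ..\ segments
}


def decode(value, rounds=2):
    """Percent-decode repeatedly so %252e%252e (double-encoded ..) is caught too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def findings_for_value(value):
    """Names of the traversal patterns a single parameter value matches."""
    decoded = decode(value)
    return [name for name, rx in PATTERNS.items() if rx.search(decoded)]


def scan_log(text):
    """Return one hit per request whose query string carries a traversal payload."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 10:
            continue
        date, time, _, _, stem, query, _, client = fields[:8]
        status = fields[-1]
        reasons = []
        if query != "-":
            for pair in query.split("&"):
                _, _, value = pair.partition("=")
                reasons.extend(findings_for_value(value))
        if reasons:
            hits.append({
                "time": "%s %s" % (date, time),
                "client": client,
                "uri": stem,
                "query": decode(query),
                "status": status,
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

On the sample, the two console requests pass and the three report.asmx requests from 203.0.113.7 are flagged with three different reasons (drive-letter path, dot-dot, UNC path). A 500 on the UNC probe is worth correlating with outbound SMB from the server, which is the network-side trace of an absolute path pointing at an external share.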
