CVE-2024-13159
Published: 2025-01-14
Priority: P188 (high) · CVSS 3.1: 7.5 (high)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2025-03-31)
Exploited in the wild
EPSS: 99.76% (100.0th percentile)
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | < 2022 | 2022 |
| ivanti | endpoint_manager | — | — |
| ivanti | endpoint_manager | — | — |
Detection & IOCs (extracted from sources)
- command: POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1
- other: http.favicon.hash:362091310
- other: icon_hash="362091310"
- bytes: |3c|wildcard|3e 5c 5c 5c 5c|
snort (ET rule sid:2060232):

```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti EPM Absolute Path Traversal (CVE-2024-13159)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WSVulnerabilityCore/VulCore.asmx"; fast_pattern; http.header; to_lowercase; content:"soapaction|3a 20|"; content:"gethashforwildcardrecursive"; distance:0; http.request_body; content:"|3c|wildcard|3e 5c 5c 5c 5c|"; reference:url,www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/; reference:cve,2024-13159; classtype:web-application-attack; sid:2060232; rev:1; metadata:affected_product Ivanti, attack_target Server, created_at 2025_02_20, cve CVE_2024_13159, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit targets the GetHashForWildcardRecursive SOAP endpoint via POST to /WSVulnerabilityCore/VulCore.asmx with a UNC path in the wildcard parameter to coerce NTLM authentication from the EPM server.
- Detect exploit attempts by matching HTTP POST to /WSVulnerabilityCore/VulCore.asmx with a SOAPAction header containing 'gethashforwildcardrecursive' and a request body containing the wildcard element with the UNC path prefix (\\).
- Use out-of-band (OOB) DNS interaction detection (e.g., interactsh) to confirm successful NTLM coercion: a DNS callback from the EPM server to an attacker-controlled host indicates exploitation.
- Proof-of-concept exploits released by Horizon3.ai can be used in relay attacks for unauthenticated coercion of Ivanti EPM machine credentials.
- The Nuclei template uses a randomized filename variable (rand_text_alpha) and an interactsh callback URL as the UNC target, so no static IOC for the UNC path itself is available; detection must rely on the structural pattern of the SOAP request body.
- The Snort rule (sid:2060232) is scoped to both Perimeter and Internal deployment, reflecting that the attacker requires no authentication and can reach the endpoint from external networks.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 7.5 | HIGH | — |
GHSA
GHSA-6v62-48r8-7wh2 (ghsa_unreviewed · 2025-01-14 · CWE-36 · rated CRITICAL)
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
VulnCheck
Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability (vulncheck · 2024 · CWE-36 · CVSS 9.8 CRITICAL)
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Affected: Ivanti Endpoint Manager (EPM)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-11&host_type=src&vulnerability=cve-2024-13159; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-12&host_type=src&vu
CISA
Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability (cisa · 2025-03-10 · CWE-36 · CVSS 7.5 HIGH)
Affected: Ivanti Endpoint Manager (EPM)
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2024-13159
Remediation Due Date: 2025-03-31
Ivanti
Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability (vendor_ivanti · 2025-03-10 · CVSS 9.8 CRITICAL)
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
CVE IDs: CVE-2024-13159
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2025-03-31
Suricata
ET WEB_SPECIFIC_APPS Ivanti EPM Absolute Path Traversal (CVE-2024-13159) (suricata · 2025-02-20 · CVSS 9.8 CRITICAL)
Rule: ET sid:2060232, quoted in full under Detection & IOCs above.
Nuclei
Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcardRecursive (nuclei · CVSS 7.5 HIGH)
A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForWildcardRecursive endpoint. The vulnerability exists due to improper input validation in the wildcard parameter, allowing an attacker to specify a remote UNC path that triggers NTLM authentication.
Template (header only, as extracted):

```yaml
id: CVE-2024-13159

info:
  name: Ivanti EPM - Credential Coercion Vulnerability in GetHashForWildcardRecursive
  author: ritikchaddha
  severity: critical
  description: |
    A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForWildcardRecursive endpoint. The vulnerability exists due to improper input validation in the wildcard parameter, allowing an attacker to specify a remote UNC path that triggers NTLM authentication.
```
Bleepingcomputer
## CISA: Recently patched Ivanti EPM flaw now actively exploited
blogs_bleepingcomputer · 2026-03-10 · CVE-2026-1603 · CVSS 8.6 HIGH
By Sergiu Gatlan
CISA flagged a high-severity Ivanti Endpoint Manager (EPM) vulnerability as actively exploited in attacks and ordered U.S. federal agencies to patch systems within three weeks.
Ivanti's EPM software is an all-in-one endpoint management solution for managing client devices across Windows, macOS, Linux, Chrome OS, and IoT platforms.
Tracked as CVE-2026-1603, this security flaw can be exploited by remote threat actors without privileges to bypass authentication and steal credential data in low-complexity cross-site scripting attacks that require no user interaction.
Ivanti patched the vulnerability one month ago, when it released Ivanti EPM 2024 SU5, which also addresses an SQL injection flaw that allows
Bleepingcomputer
## Ivanti warns of critical Endpoint Manager code execution flaw
blogs_bleepingcomputer · 2025-12-09 · CVSS 9.6 CRITICAL
By Sergiu Gatlan
American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.
Ivanti delivers system and IT asset management solutions to over 40,000 companies via a network of more than 7,000 organizations worldwide. The company's EPM software is an all-in-one endpoint management tool for managing client devices across popular platforms, including Windows, macOS, Linux, Chrome OS, and IoT.
Tracked as CVE-2025-10573, this critical security flaw can be exploited by remote, unauthenticated threat actors to execute arbitrary JavaScript code through low-complexity cross-site scripting attacks tha
Bleepingcomputer
## CISA tags critical Ivanti EPM flaws as actively exploited in attacks
blogs_bleepingcomputer · 2025-03-11 · CVE-2024-13159 · CVSS 9.8 CRITICAL
By Sergiu Gatlan
CISA warned U.S. federal agencies to secure their networks against attacks exploiting three critical vulnerabilities affecting Ivanti Endpoint Manager (EPM) appliances.
The three flaws (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) are due to absolute path traversal weaknesses that can let remote unauthenticated attackers fully compromise vulnerable servers.
They were reported in October by Horizon3.ai vulnerability researcher Zach Hanley and patched by Ivanti on January 13. Just over a month later, Horizon3.ai also released proof-of-concept exploits that can be used in relay attacks for unauthenticated coercion of the Ivanti EPM machine credentials.
On Monday, CISA added the three vuln
Checkpoint
24th February – Threat Intelligence Report (blogs_checkpoint · 2025-02-24 · CVE-2025-24989)
## 24th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research covers the recent ByBit hack, one of the largest thefts in digital asset history, its implications for crypto security, and security recommendations. In this event, hackers gained access to an offline Ethereum wallet and stole $1.5 billion worth of digital assets. The attack occurred during a routine
Greynoiseio
NoiseLetter January 2025 (blogs_greynoiseio)
References
- https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13159
- https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/
Timeline
- 2025-01-14: Published
- 2025-03-10: Added to CISA KEV
- Exploited in the wild