CVE-2024-13160
published 2025-01-14


Priority: P1 87 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2025-03-31
Exploited in the wild
EPSS: 89.74% (99.8th percentile)
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Affected

3 ranges

Vendor | Product | Version range | Fixed in
ivanti | endpoint_manager | < 2022 | 2022
ivanti | endpoint_manager | |
ivanti | endpoint_manager | |

Detection & IOCs (extracted from sources)

url: /WSVulnerabilityCore/VulCore.asmx
other: http://tempuri.org/GetHashForWildcard
other: GetHashForWildcardResponse
other: shodan:http.favicon.hash:362091310
other: fofa:icon_hash="362091310"
  • The vulnerable endpoint is /WSVulnerabilityCore/VulCore.asmx; exploit traffic is a POST request with Content-Type: text/xml and SOAPAction http://tempuri.org/GetHashForWildcard containing a UNC path (\\<attacker-host>\...) in the wildcard parameter to coerce NTLM authentication.
  • Exploitation triggers outbound DNS/SMB (NTLM) traffic from the EPM server to an attacker-controlled host; monitor for unexpected outbound UNC/SMB connections originating from the EPM machine account.
  • Successful exploitation produces an HTTP 200 response with Content-Type: text/xml containing the string <GetHashForWildcardResponse; use this as a detection signature in proxy/WAF logs.
  • Ivanti EPM internet-facing instances can be fingerprinted via Shodan favicon hash 362091310 or FOFA icon_hash="362091310" to identify exposed attack surface.
  • Public proof-of-concept exploits for relay attacks (unauthenticated NTLM credential coercion) were released by Horizon3.ai; treat any POST to GetHashForWildcard with a UNC wildcard parameter as high-confidence malicious activity.
  • Vulnerable versions are Ivanti EPM prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update; patched versions are not vulnerable.
  • The Nuclei template uses an interactsh out-of-band callback to confirm exploitation (DNS interaction); detection without OOB infrastructure should rely on request/response content matching instead.
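The request-side and response-side signatures from the bullets above, turned into detection logic, as an added example that is not part of this page or of any vendor tooling. It assumes a generic proxy/WAF log export flattened into dicts (the field names are an assumption) and runs over constructed sample records, grading a UNC-bearing GetHashForWildcard POST as high confidence and a bare success-response match as medium:

```python
import re

# Indicators from the page's IOC list. The dict layout below is an assumed
# generic proxy/WAF log export, not any real product's format.
VULN_PATH = "/WSVulnerabilityCore/VulCore.asmx"
SOAP_ACTION = "http://tempuri.org/GetHashForWildcard"
RESPONSE_MARKER = "<GetHashForWildcardResponse"
UNC_RE = re.compile(r'\\\\[^\\\s<>"\']+\\')  # \\host\... anywhere in the body

def _hdr(headers, name):
    """Case-insensitive header lookup."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")

def classify(rec):
    """'high': POST to VulCore.asmx with SOAPAction GetHashForWildcard and a UNC
    path in the body (coercion attempt). 'medium': only the 200 text/xml response
    carrying GetHashForWildcardResponse was seen. None: neither signature."""
    coercion_request = (
        rec["method"].upper() == "POST"
        and rec["path"].lower() == VULN_PATH.lower()
        and SOAP_ACTION in _hdr(rec["req_headers"], "SOAPAction")
        and UNC_RE.search(rec["req_body"]) is not None
    )
    success_response = (
        rec["status"] == 200
        and "text/xml" in _hdr(rec["resp_headers"], "Content-Type").lower()
        and RESPONSE_MARKER in rec["resp_body"]
    )
    return "high" if coercion_request else "medium" if success_response else None

def scan(records):
    """Return [(index, severity)] for every record that matched either signature."""
    graded = [(i, classify(r)) for i, r in enumerate(records)]
    return [(i, sev) for i, sev in graded if sev]

XML = {"Content-Type": "text/xml", "SOAPAction": '"%s"' % SOAP_ACTION}
# Constructed sample traffic, not real captures; the body excerpts only sketch a
# wildcard element and are not the product's actual SOAP schema.
SAMPLE = [
    {"method": "POST", "path": VULN_PATH, "req_headers": XML,
     "req_body": "<wildcard>\\\\203.0.113.9\\share\\x</wildcard>", "status": 200,
     "resp_headers": {"Content-Type": "text/xml"}, "resp_body": "<GetHashForWildcardResponse/>"},
    {"method": "POST", "path": VULN_PATH, "req_headers": XML,
     "req_body": "<wildcard>C:\\Program Files\\x</wildcard>", "status": 200,
     "resp_headers": {"Content-Type": "text/xml"}, "resp_body": "<GetHashForWildcardResponse/>"},
    {"method": "GET", "path": "/", "req_headers": {}, "req_body": "", "status": 200,
     "resp_headers": {"Content-Type": "text/html"}, "resp_body": "<html/>"},
]
```

Running scan(SAMPLE) yields [(0, 'high'), (1, 'medium')]; the medium hit shows why the response marker alone is a weaker signal and should be paired with the outbound SMB/DNS monitoring the bullets describe.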

CVSS provenance

nvd: v3.1 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 9.8 CRITICAL
cisa: 7.5 HIGH