CVE-2024-13161
published 2025-01-14

Priority: P1 | 87 | high | 7.5 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:N A:N
Tags: KEV | ITW | EXPLOIT
CISA Known Exploited Vulnerability, due 2025-03-31
Exploited in the wild
EPSS: 88.52% (99.8th percentile)

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | < 2022 | 2022 |
| ivanti | endpoint_manager | | |
| ivanti | endpoint_manager | | |

Detection & IOCs (extracted from sources)

url: /WSVulnerabilityCore/VulCore.asmx
other: http://tempuri.org/GetHashForSingleFile
other: shodan:http.favicon.hash:362091310
other: fofa:icon_hash="362091310"
  • Monitor for outbound SMB/NTLM authentication requests originating from the EPM server to external or unexpected UNC paths — this indicates credential coercion via the GetHashForSingleFile endpoint.
  • Detect unauthenticated SOAP POST requests to /WSVulnerabilityCore/VulCore.asmx with SOAPAction 'http://tempuri.org/GetHashForSingleFile' containing UNC paths (\\<host>\...) in the request body.
  • A successful exploit response will contain '<GetHashForSingleFileResponse' in the body with HTTP 200 and Content-Type text/xml — correlate with outbound DNS/SMB callbacks to detect relay attack setup.
  • Use Shodan/FOFA to identify exposed Ivanti EPM instances via favicon hash 362091310 for attack surface enumeration.
  • Proof-of-concept exploits released by Horizon3.ai can be used in relay attacks for unauthenticated coercion of the Ivanti EPM machine credentials.
  • NTLM credential coercion via UNC path injection can be chained into relay attacks; captured EPM machine account credentials may allow lateral movement or full domain compromise.
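
The three detection signals above (request shape, response marker, outbound SMB) combined into one triage function, as an added example that is not taken from the page's sources. The event schema, the `triage` name, the sample hostnames and the `<placeholder>` element are assumptions; map them to whatever your WAF, proxy or packet capture actually records.

```python
import re
from urllib.parse import urlsplit

ENDPOINT = "/wsvulnerabilitycore/vulcore.asmx"   # compared lower-cased
SOAP_ACTION = "http://tempuri.org/gethashforsinglefile"
RESPONSE_MARKER = "<GetHashForSingleFileResponse"
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")  # \\host\ -> captures host

def triage(event, smb_destinations=()):
    """Return None for unrelated traffic, otherwise a finding dict.

    event: one captured HTTP exchange (assumed schema, see SAMPLE).
    smb_destinations: hosts the EPM server contacted on TCP/445 around
    the same time, taken from firewall or flow logs.
    """
    req, resp = event["request"], event.get("response") or {}
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    action = headers.get("soapaction", "").strip().strip('"').lower()
    if (req["method"].upper() != "POST"
            or urlsplit(req["url"]).path.lower() != ENDPOINT
            or action != SOAP_ACTION):
        return None
    hosts = sorted({h.lower() for h in UNC_HOST.findall(req.get("body", ""))})
    if not hosts:
        return None
    answered = (resp.get("status") == 200
                and resp.get("content_type", "").lower().startswith("text/xml")
                and RESPONSE_MARKER in resp.get("body", ""))
    called_back = sorted(set(hosts) & {d.lower() for d in smb_destinations})
    stage = ("coercion-confirmed" if called_back
             else "request-processed" if answered else "attempt")
    return {"stage": stage, "unc_hosts": hosts, "smb_callbacks": called_back}

# Constructed sample exchange; hostnames and addresses are documentation
# values and <placeholder> stands in for the real SOAP parameter element.
SAMPLE = {
    "request": {
        "method": "POST",
        "url": "https://epm.example.test/WSVulnerabilityCore/VulCore.asmx",
        "headers": {"SOAPAction": '"http://tempuri.org/GetHashForSingleFile"'},
        "body": "<GetHashForSingleFile><placeholder>"
                "\\\\198.51.100.7\\share\\f</placeholder></GetHashForSingleFile>",
    },
    "response": {"status": 200, "content_type": "text/xml; charset=utf-8",
                 "body": "<GetHashForSingleFileResponse>"},
}
```

The `unc_hosts` field gives the names to look for in DNS and TCP/445 egress logs from the EPM server; any hit outside your own file servers moves the finding to `coercion-confirmed`.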

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck: 9.8 CRITICAL
cisa: 7.5 HIGH