CVE-2024-13161
Published: 2025-01-14
Priority: P187 · high · 7.5 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2025-03-31)
Exploited in the wild
EPSS: 88.52% (99.8th percentile)
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager | < 2022 | 2022 |
| ivanti | endpoint_manager | — | — |
| ivanti | endpoint_manager | — | — |
Detection & IOCs
- url: /WSVulnerabilityCore/VulCore.asmx
- other: http://tempuri.org/GetHashForSingleFile
- other: shodan:http.favicon.hash:362091310
- other: fofa:icon_hash="362091310"

- Monitor for outbound SMB/NTLM authentication requests originating from the EPM server to external or unexpected UNC paths; this indicates credential coercion via the GetHashForSingleFile endpoint.
- Detect unauthenticated SOAP POST requests to /WSVulnerabilityCore/VulCore.asmx with SOAPAction 'http://tempuri.org/GetHashForSingleFile' containing UNC paths (\\<host>\...) in the request body.
- A successful exploit response will contain '<GetHashForSingleFileResponse' in the body with HTTP 200 and Content-Type text/xml; correlate with outbound DNS/SMB callbacks to detect relay attack setup.
- Use Shodan/FOFA to identify exposed Ivanti EPM instances via favicon hash 362091310 for attack surface enumeration.
- Proof-of-concept exploits released by Horizon3.ai can be used in relay attacks for unauthenticated coercion of the Ivanti EPM machine credentials.
- NTLM credential coercion via UNC path injection can be chained into relay attacks; captured EPM machine account credentials may allow lateral movement or full domain compromise.
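
The request-side and response-side checks in the list above, as an added detection sketch (not code from any of the cited sources): it triages captured HTTP exchanges and returns the UNC hosts to correlate with outbound SMB from the EPM server. The records, the `<v>` body element and the `filesrv01` allow-list entry are constructed placeholders, not the product's real message schema.

```python
import re
from urllib.parse import urlsplit

ENDPOINT = "/wsvulnerabilitycore/vulcore.asmx"        # compared lower-cased
ACTION = "http://tempuri.org/gethashforsinglefile"    # compared lower-cased
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._@-]+)\\")      # \\host\... -> host

def triage(rec, allowed_hosts=()):
    """Classify one captured HTTP exchange; None if it is not this SOAP call."""
    headers = {k.lower(): v for k, v in rec["headers"].items()}
    # SOAPAction may arrive quoted or bare; header names are case-insensitive.
    action = headers.get("soapaction", "").strip().strip('"').lower()
    path = urlsplit(rec["url"]).path.lower()           # drop any query string
    if rec["method"].upper() != "POST" or path != ENDPOINT or action != ACTION:
        return None
    allowed = {h.lower() for h in allowed_hosts}
    hosts = sorted({h.lower() for h in UNC_RE.findall(rec["body"])} - allowed)
    # Response-side indicator: HTTP 200, text/xml, response element present.
    served = (rec["status"] == 200
              and rec["resp_ctype"].lower().startswith("text/xml")
              and "<GetHashForSingleFileResponse" in rec["resp_body"])
    severity = "low" if not hosts else ("high" if served else "medium")
    return {"src": rec["src"], "severity": severity, "unc_hosts": hosts}

def sample(body, action="GetHashForSingleFile", status=200,
           resp="<GetHashForSingleFileResponse/>"):
    """Constructed exchange. The <v> element is a placeholder, not the real schema."""
    return {"src": "203.0.113.9", "method": "POST",
            "url": "/WSVulnerabilityCore/VulCore.asmx",
            "headers": {"SOAPAction": f'"http://tempuri.org/{action}"'},
            "body": body, "status": status,
            "resp_ctype": "text/xml; charset=utf-8", "resp_body": resp}

SAMPLES = [  # constructed test traffic
    sample(r"<v>\\198.51.100.7\s\f</v>"),                        # UNC, answered
    sample(r"<v>\\198.51.100.7\s\f</v>", status=500, resp=""),   # UNC, errored
    sample(r"<v>\\FILESRV01\pkg\a.msi</v>"),                     # allow-listed host
    sample(r"<v>C:\dir\a.txt</v>"),                              # local path
    sample(r"<v>\\198.51.100.7\s\f</v>", action="OtherAction"),  # other method
]

def run(allowed_hosts=("filesrv01",)):
    return [triage(r, allowed_hosts) for r in SAMPLES]

if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Each host in `unc_hosts` is a pivot for the network-side check: look for SMB or DNS traffic from the EPM server to that host around the same timestamp.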
CVSS provenance
- nvd · v3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- vulncheck · 9.8 CRITICAL
- cisa · 7.5 HIGH
GHSA
GHSA-5fwx-95cc-hcxv: Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthent
ghsa_unreviewed·2025-01-14
CVE-2024-13161 [CRITICAL] CWE-36 GHSA-5fwx-95cc-hcxv: Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthent
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
VulnCheck
Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-13161 [CRITICAL] CWE-36 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Affected: Ivanti Endpoint Manager (EPM)
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-11&host_type=src&vulnerability=cve-2024-13161; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-03-12&host_type=src&vu
Ivanti
Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
vendor_ivanti·2025-03-10·CVSS 9.8
CVE-2024-13161 [CRITICAL] Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
CVE IDs: CVE-2024-13161
This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Remediation Due Date: 2025-03-31
CISA
Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
cisa·2025-03-10·CVSS 7.5
CVE-2024-13161 [HIGH] CWE-36 Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
Vulnerability: Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
Affected: Ivanti Endpoint Manager (EPM)
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2024-13161
Remediation Due Date: 2025-03-31
No detection rules found.
Nuclei
Ivanti EPM - Credential Coercion Vulnerability in GetHashForSingleFile
nuclei·CVSS 7.5
CVE-2024-13161 [HIGH] Ivanti EPM - Credential Coercion Vulnerability in GetHashForSingleFile
A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForSingleFile endpoint. The vulnerability exists due to improper input validation in the wildcard parameter, allowing an attacker to specify a remote UNC path that triggers NTLM authentication.
Template:
```yaml
id: CVE-2024-13161
info:
  name: Ivanti EPM - Credential Coercion Vulnerability in GetHashForSingleFile
  author: ritikchaddha
  severity: critical
  description: |
    A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForSingleFile endpoint. The vulnerability exists due to improper input valid
```
Bleepingcomputer
CISA: Recently patched Ivanti EPM flaw now actively exploited
blogs_bleepingcomputer·2026-03-10·CVSS 8.6
CVE-2026-1603 [HIGH] CISA: Recently patched Ivanti EPM flaw now actively exploited
## CISA: Recently patched Ivanti EPM flaw now actively exploited
## Sergiu Gatlan
CISA flagged a high-severity Ivanti Endpoint Manager (EPM) vulnerability as actively exploited in attacks and ordered U.S. federal agencies to patch systems within three weeks.
Ivanti's EPM software is an all-in-one endpoint management solution for managing client devices across Windows, macOS, Linux, Chrome OS, and IoT platforms.
Tracked as CVE-2026-1603, this security flaw can be exploited by remote threat actors without privileges to bypass authentication and steal credential data in low-complexity cross-site scripting attacks that require no user interaction.
Ivanti patched the vulnerability one month ago, when it released Ivanti EPM 2024 SU5, which also addresses an SQL injection flaw that allows
Bleepingcomputer
Ivanti warns of critical Endpoint Manager code execution flaw
blogs_bleepingcomputer·2025-12-09·CVSS 9.6
[CRITICAL] Ivanti warns of critical Endpoint Manager code execution flaw
## Ivanti warns of critical Endpoint Manager code execution flaw
## Sergiu Gatlan
American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.
Ivanti delivers system and IT asset management solutions to over 40,000 companies via a network of more than 7,000 organizations worldwide. The company's EPM software is an all-in-one endpoint management tool for managing client devices across popular platforms, including Windows, macOS, Linux, Chrome OS, and IoT.
Tracked as CVE-2025-10573, this critical security flaw can be exploited by remote, unauthenticated threat actors to execute arbitrary JavaScript code through low-complexity cross-site scripting attacks tha
Bleepingcomputer
CISA tags critical Ivanti EPM flaws as actively exploited in attacks
blogs_bleepingcomputer·2025-03-11·CVSS 9.8
CVE-2024-13159 [CRITICAL] CISA tags critical Ivanti EPM flaws as actively exploited in attacks
## CISA tags critical Ivanti EPM flaws as actively exploited in attacks
## Sergiu Gatlan
CISA warned U.S. federal agencies to secure their networks against attacks exploiting three critical vulnerabilities affecting Ivanti Endpoint Manager (EPM) appliances.
The three flaws (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) are due to absolute path traversal weaknesses that can let remote unauthenticated attackers fully compromise vulnerable servers.
They were reported in October by Horizon3.ai vulnerability researcher Zach Hanley and patched by Ivanti on January 13. Just over a month later, Horizon3.ai also released proof-of-concept exploits that can be used in relay attacks for unauthenticated coercion of the Ivanti EPM machine credentials.
On Monday, CISA added the three vuln
Checkpoint
24th February – Threat Intelligence Report
blogs_checkpoint·2025-02-24
CVE-2025-24989 24th February – Threat Intelligence Report
## 24th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 24th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research covers the recent ByBit hack, one of the largest thefts in digital asset history, its implications for crypto security, and security recommendations. In this event, hackers gained access to an offline Ethereum wallet and stole $1.5 billion worth of digital assets. The attack occurred during a routine
Greynoiseio
NoiseLetter January 2025
blogs_greynoiseio
NoiseLetter January 2025
References:
- https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161
- https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/
Timeline:
- 2025-01-14: Published
- 2025-03-10: Added to CISA KEV
Exploited in the wild