CVE-2024-13159

CRITICAL
2025-01-14 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
9.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 28, 2026 - 18:03 vuln.today
Added to CISA KEV
Oct 24, 2025 - 14:48 cisa
CISA KEV
PoC Detected
Oct 24, 2025 - 14:48 vuln.today
Public exploit code
CVE Published
Jan 14, 2025 - 18:15 nvd
CRITICAL 9.8

Tags

Ivanti Path Traversal Endpoint Manager

Description

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

Analysis

Ivanti Endpoint Manager contains an absolute path traversal vulnerability allowing unauthenticated remote attackers to leak sensitive information from the EPM server, one of three related Ivanti EPM path traversal CVEs.

Technical Context

The CWE-36 absolute path traversal allows crafted requests to read files outside the intended directory. The three related CVEs (CVE-2024-13159, -13160, -13161) provide multiple exploitation paths for the same class of vulnerability.

Affected Products

['Ivanti EPM before 2024 January-2025 Security Update', 'Ivanti EPM 2022 SU6 before January-2025 Security Update']

Remediation

Apply Ivanti EPM security updates. Rotate all credentials stored on the EPM server. Restrict network access to EPM management interfaces.

Priority Score

213
Low Medium High Critical
KEV: +50
EPSS: +94.2
CVSS: +49
POC: +20

Share

CVE-2024-13159 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy