CVE-2024-13161 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-01-14

Added to CISA KEV: 2025-03-10 55 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Apply January 2025 security updates immediately: 2024 January-2025 Security Update or 2022 SU6 January-2025 Security Update
Block external access to EPM console until patching is complete
Monitor web server logs for suspicious path traversal attempts (../, absolute paths, etc.)
Review file system access logs for unauthorized file access
Implement network segmentation to limit EPM exposure
Patch priority: EMERGENCY - patch within 24-48 hours due to active exploitation

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2024-13161 is a critical security vulnerability affecting Ivanti Endpoint Manager (EPM) ^[3]. Below is a summary of the known details regarding this vulnerability.

Vulnerability Overview

Type: Absolute path traversal ^[3].
Impact: Successful exploitation allows a remote, unauthenticated attacker to leak sensitive information ^[5]. Additionally, it has been noted that the vulnerability can be used to coerce the EPM machine account credential via `GetHashForSingleFile` ^[1].
Exploitation: The attack is remote and does not require authentication or user interaction ^[3].

Exploitation and Threat Activity

Active Exploitation: There have been reports of active exploitation of vulnerabilities in Ivanti EPM, including CVE-2024-13161, in the wild ^[2].
Targeted Attacks/Ransomware: While specific details on individual ransomware campaigns are often proprietary to threat intelligence firms, the nature of this vulnerability (unauthenticated remote access/credential coercion) makes it a high-value target for initial access in broader cyberattacks.
Proof-of-Concept: Detection templates for this vulnerability are publicly available, such as those provided by the Nuclei project, which are commonly used by both security researchers and threat actors to identify vulnerable systems ^[1].

Affected Versions and Mitigation

Affected Versions: Ivanti EPM versions prior to the "2024 January-2025 Security Update" and "2022 SU6 January-2025 Security Update" ^[4].
Status: Ivanti released security updates in January 2025 to address this issue ^[4]. Organizations using affected versions are strongly advised to apply the January 2025 security updates immediately to mitigate the risk of exploitation ^[2].

Sources

CVE-2024-13161.yaml - nuclei-templates - GitHub
A vulnerability in Ivanti Endpoint Manager (EPM) allows an unauthenticated attacker to coerce the EPM machine account credential via the GetHashForSingleFile ...
Active Exploitation of Critical Vulnerabilities in Ivanti Endpoint ...
Ivanti has released updates addressing critical vulnerabilities (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) in Ivanti Endpoint Manager ...
CVE-2024-13161 Detail - NVD
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated ... Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on…
Security Advisory EPM January 2025 for EPM 2024 and EPM 2022 ...
Vulnerability Details ; CVE-2024-13159. Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January- ...
CVE-2024-13161 — Ivanti Endpoint Manager (EPM) Absolute Path Traversal ...
Summary Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.