CVE-2024-13161

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-13161
Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161 US Government Resource
https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:ivanti:endpoint_manager:*:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su6:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
History

24 Oct 2025, 14:48

Type Values Removed Values Added
References () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161 - () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161 - US Government Resource

21 Oct 2025, 23:16

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161 -

21 Oct 2025, 20:19

Type Values Removed Values Added
References
  • {'url': 'https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161', 'source': '134c704f-9b21-4f2e-91b3-4a467353bcc0'}

21 Oct 2025, 19:20

Type Values Removed Values Added
References
  • () https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-13161 -

13 Mar 2025, 15:37

Type Values Removed Values Added
References () https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 - () https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6 - Vendor Advisory
References () https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/ - () https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/ - Exploit, Third Party Advisory
First Time Ivanti
Ivanti endpoint Manager
CPE cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su6:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:*:-:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*
cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*

21 Feb 2025, 15:15

Type Values Removed Values Added
References
  • () https://www.horizon3.ai/attack-research/attack-blogs/ivanti-endpoint-manager-multiple-credential-coercion-vulnerabilities/ -
Summary
  • (es) Absolute Path Traversal en Ivanti EPM antes de la actualización de seguridad de enero de 2024-2025 y la actualización de seguridad de enero de 2022 SU6 permite que un atacante remoto no autenticado filtre información confidencial.

14 Jan 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-14 18:15

Updated : 2025-10-24 14:48

NVD link : CVE-2024-13161

Mitre link : CVE-2024-13161

CVE.ORG link : CVE-2024-13161

JSON object : View

Products Affected

ivanti

  • endpoint_manager
CWE
CWE-36

Absolute Path Traversal