Skip to main content

Ivanti Releases January 2025 Updates for EPM

Updates address 4 critical and 12 high severity vulnerabilities

Threat ID:
CC-4606
Threat Severity:
Medium
Published:
15 January 2025 2:27 PM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Updates address 4 critical and 12 high severity vulnerabilities

Affected platforms

The following platforms are known to be affected:

Versions: 2024, 2022 SU6 and earlier

Ivanti Endpoint Manager

Threat details

Exploitation reported and proof-of-concept exploits are available

On 10 March 2025, the vulnerabilities CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 were added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerability Catalog based on evidence of exploitation in the wild. 

A security researcher has released a proof-of-concept (PoC) exploit for CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159.

Introduction

Ivanti has released a security advisory addressing 16 vulnerabilities affecting Endpoint Manager (EPM) products. Ivanti EPM is an all-in-one solution for managing device endpoints within a network.

Four vulnerabilities designated as CVE-2024-10811CVE-2024-13161CVE-2024-13160, and CVE-2024-13159 with a CVSSv3 score of 9.8 could allow an unauthenticated, remote attacker to leak sensitive information via path traversal.

CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 are reported as exploited in the wild and have been added to CISA's Known Exploited Vulnerability Catalog.

The other high severity vulnerabilities leading to remote code execution (RCE), privilege escalation, or denial-of-service (DoS) were also addressed.

Threat updates

Date Update
11 Mar 2025 CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 added to CISA's Known Exploited Vulnerabilities Catalog.
20 Feb 2025 Cyber Alert updated to cover the release of proof-of-concepts (PoC) for CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159.

Remediation advice

Affected organisations are encouraged to review Security Advisory EPM January 2025 for EPM 2024 and EPM 2022 SU6 and apply the relevant security updates as soon as practicable.

CVE Vulnerabilities

Status Published

CVE-2024-10811

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Status Published

CVE-2024-13161

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Status Published

CVE-2024-13160

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Status Published

CVE-2024-13159

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
Status Published

CVE-2024-13158

An unbounded resource search path in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution.
Status Published

CVE-2024-13172

Improper signature verification in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.
Status Published

CVE-2024-13171

Insufficient filename validation in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required.  
Status Published

CVE-2024-13170

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service.
Status Published

CVE-2024-13169

An out-of-bounds read in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges. 
Status Published

CVE-2024-13168

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. 
Status Published

CVE-2024-13167

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. 
Status Published

CVE-2024-13166

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. 
Status Published

CVE-2024-13165

An out-of-bounds write in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to cause a denial of service. 
Status Published

CVE-2024-13164

An uninitialized resource in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a local authenticated attacker to escalate their privileges.  
Status Published

CVE-2024-13163

Deserialization of untrusted data in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to achieve remote code execution. Local user interaction is required. 
Status Published

CVE-2024-13162

SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848. 

Last edited: 11 March 2025 2:41 pm