The US cybersecurity agency CISA on Monday warned of three critical-severity vulnerabilities in Ivanti Endpoint Manager (EPM) being exploited in the wild.
The issues, tracked as CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 (CVSS score of 9.8), are described as absolute path traversal flaws affecting EMP versions 2024 and 2022 SU6 with the November 2024 security update installed.
Ivanti released patches for the security defects in mid-January, crediting Horizon3.ai for reporting them. Roughly a month later, the cybersecurity firm released proof-of-concept (PoC) exploit code targeting the bugs.
The vulnerabilities, Horizon3.ai explained, reside in functions that attempt to read the files in specific directories to calculate their hashes, and which accept user input.
Because the input is not validated, an attacker could supply a parameter constructed so it results in a remote UNC path, coercing the EPM server to connect to that path. The attacker could then relay credentials to LDAP, add a machine account, and use it to compromise EPM.
On Monday, CISA warned that the three flaws have been exploited in attacks, adding them to its Known Exploited Vulnerabilities (KEV) catalog and urging federal agencies to patch them as soon as possible.
“Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information,” CISA warns.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until March 31 to identify vulnerable Ivanti appliances in their environments and apply the available patches and mitigations.
“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice,” CISA says.
It is worth noting that there have been no other reports of these Ivanti EPM bugs being exploited in the wild before CISA added them to KEV. In its January advisory, which it last updated on March 3, Ivanti says there is no known public exploitation for these issues.
In addition to the three Ivanti flaws, CISA on Monday added to KEV two Advantive VeraCore vulnerabilities, tracked as CVE-2024-57968 and CVE-2025-25181, which have been exploited in attacks by a Vietnamese cybercrime gang called XE Group.
Related: Edimax Camera Zero-Day Disclosed by CISA Exploited by Botnets
Related: Exploitation Long Known for Most of CISA’s Latest KEV Additions
Related: CISA Warns of Attacks Exploiting Oracle Agile PLM Vulnerability
Related: CISA Warns of Second BeyondTrust Vulnerability Exploited in Attacks