Advisory

Ivanti reports multiple critical security flaws in Endpoint Manager (EPM)

Take action: If you are using Ivanti EPM, it's time once again for an urgent patch. It's hard to say whether it's a good thing or a bad thing that they are reporting and fixing so many critical flaws. At any rate, check whether you can isolate EPM from the internet to give yourself some breathing room. Or just start patching immediately.



Ivanti is reporting multiple critical security vulnerabilities affecting Endpoint Manager (EPM). These vulnerabilities were discovered and reported by Horizon3.ai security researcher Zach Hanley.

Four critical vulnerabilities have been identified in EPM:

  • CVE-2024-10811 (CVSS score: 9.8) - An absolute path traversal vulnerability allowing unauthenticated remote attackers to access sensitive information
  • CVE-2024-13161 (CVSS score: 9.8) - An absolute path traversal vulnerability allowing unauthenticated remote attackers to access sensitive information
  • CVE-2024-13160 (CVSS score: 9.8) - An absolute path traversal vulnerability allowing unauthenticated remote attackers to access sensitive information
  • CVE-2024-13159 (CVSS score: 9.8) - An absolute path traversal vulnerability allowing unauthenticated remote attackers to access sensitive information

Update: as of 20th of February 2025, Horizon3.ai has published a proof-of-concept (PoC) that demonstrates how attackers can use these vulnerabilities to achieve full domain compromise. The PoC, specifically for CVE-2024-13159, is accessible on GitHub.

Affected versions include:

  • EPM 2024 November security update and prior versions
  • EPM 2022 SU6 November security update and prior versions

Remediation is available through the following patches:

  1. EPM 2024 January-2025 Security Update
  2. EPM 2022 SU6 January-2025 Security Update

Ivanti has stated that there is no evidence of these vulnerabilities being exploited in the wild. The company has also enhanced its internal security scanning and testing procedures to improve vulnerability detection and response.
