The US Cybersecurity and Infrastructure Security Agency (CISA) has flagged three newly discovered Ivanti Endpoint Manager (EPM) vulnerabilities—CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161—to its Known Exploited Vulnerabilities (KEV) Catalog, warning federal agencies and entities of active exploitation attempts.
The flaws stem from absolute path traversal weaknesses that allow remote, unauthenticated attackers to fully compromise vulnerable Ivanti EPM servers. The vulnerabilities were first reported in October 2023 by Horizon3.ai researcher Zach Hanley and patched by Ivanti on 13 January.
However, just over a month later, Horizon3.ai released proof-of-concept (PoC) exploits demonstrating how these vulnerabilities could be used in relay attacks to coerce Ivanti EPM machine credentials without authentication, raising the stakes for organizations yet to apply patches.
With their addition to the KEV Catalog, Federal Civilian Executive Branch (FCEB) agencies are now required to address these flaws by 31 March 2025, in accordance with Binding Operational Directive (BOD) 22-01. The directive mandates swift remediation of actively exploited vulnerabilities to reduce the risk of cyberattacks on federal networks.
Although BOD 22-01 applies specifically to FCEB agencies, CISA urges all firms to prioritize patching these vulnerabilities to minimize exposure to known threats.
The three Ivanti vulnerabilities were added alongside two others affecting Advantive VeraCore as part of CISA’s latest update to the KEV Catalog.
Clear and Present Dangers
Chris Gray, Field CTO at Deepwatch, says the dangers in not patching these flaws are clear. “We have all seen the movie: The guy in the hockey mask is armed, and at your door, the lock is broken, and your family/friends are helplessly standing at your side. Are you hoping that they’ll pick someone else?
“These flaws are known, and exploits are present,” Gray continues. “Anyone with affected systems should, as CISA and others have previously said, patch them immediately. In addition, it would be wise to consider them to have already been compromised. Actions should be taken to look for any behavior that maps to published IOCs, going back to the published dates of the CVEs in 2024 if possible.”
Ivanti has a significant market share with over 400,000 companies using their VPN, ICS, IPS, and ZTA platforms, Gray adds. “This size and the nature of their products are why they are being so heavily targeted. Malicious actors seek targets of opportunity, and the larger the target population, the more likely that there will be unpatched systems. A critical aspect of effective vulnerability management is tied to threat exposure. Not only are these platforms, by their very nature, exposed to the cutting edge of compromise, they are also popular enough to be popular odds.”
Weaponizing Flaws
Heath Renfrow, CISO and Co-founder at Fenix24 says the three vulnerabilities are particularly concerning due to their ability to grant remote, unauthenticated attackers full compromise of vulnerable servers. “Given the recent history of Ivanti vulnerabilities, this latest development underscores the importance of rapid patching and continuous hardening to mitigate risk.
“We’ve seen firsthand how adversaries quickly weaponize these types of flaws, particularly when proof-of-concept (PoC) exploits are made public. Organizations that delay patching are at risk of full domain compromise, credential theft, and lateral movement by threat actors who capitalize on exposed systems,” Renfrow adds. “These vulnerabilities further contribute to the broader pattern of Ivanti-related security challenges over the past year, making it clear that proactive security measures—not just reactive patching—are essential.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.