What happened
CISA added CVE-2024-13159 to the Known Exploited Vulnerabilities (KEV) catalog, signaling in-the-wild exploitation and setting a federal remediation due date of 2025-03-31 [CISA KEV]. The flaw affects Ivanti Endpoint Manager (EPM) and is an absolute path traversal that allows a remote, unauthenticated attacker to leak sensitive information [NVD entry]. The CVE is cataloged under CWE-36 (Absolute Path Traversal): the application builds a filesystem path from user input but does not neutralize absolute forms such as /abs/path, so the supplied path can resolve to a location outside the intended directory [NVD entry]. The identifier and baseline metadata are also tracked in MITRE's record for CVE-2024-13159 [MITRE CVE].
CISA's KEV listing instructs organizations to apply vendor mitigations, or to discontinue use of the product if mitigations are not available, which is the standard remediation requirement that Binding Operational Directive 22-01 imposes for cataloged vulnerabilities [CISA KEV]. Ivanti EPM is named explicitly as the affected product in the KEV entry [CISA KEV].
Why it matters
When a central management platform like EPM leaks files through absolute path traversal, an attacker can harvest configuration data, credentials, and tokens that accelerate lateral movement and privilege escalation across the endpoints EPM manages [NVD entry]. KEV inclusion means exploitation has been observed, so defenders should assume opportunistic scanning is already running against exposed instances [CISA KEV]. Because the vulnerable surface is reachable without authentication, no stolen account is needed: a crafted request is the whole cost of initial access and data theft [NVD entry].
Organizations that treat EPM as an internal-only service but have inadvertent exposure (for example, a misconfigured reverse proxy or a perimeter gap) face elevated risk: a traversal-based file read is a single ordinary-looking request that returns file contents, so it produces no authentication failures and little else for conventional alerting to trigger on. The CWE-36 classification points at where to look: the file paths the application processes directly, which is where an absolute path bypasses the intended directory constraint [NVD entry].
Technical detail
Absolute path traversal (CWE-36) occurs when user input that controls a filesystem path is insufficiently validated, so an attacker can name a file outside the intended directory with an absolute path and read its contents if the process has permission to do so [NVD entry]. On a Windows host, where the EPM core server runs, "absolute" also covers drive-letter paths (C:\...) and UNC paths (\\host\share\...), which a naive path join accepts just as readily as a POSIX-style /path. For CVE-2024-13159, the KEV description states the impact plainly: a remote, unauthenticated adversary can leak sensitive information from Ivanti EPM through this path traversal condition [CISA KEV]. The MITRE record is the canonical entry for the identifier [MITRE CVE].
The typical risk profile for absolute path traversal is disclosure of application configuration, service account material, and environment-level secrets, bounded only by what the target process can read [NVD entry]. Because KEV lists this CVE as exploited, defenders should expect automated probes that enumerate well-known file paths and harvest whatever comes back, at scale [CISA KEV]. Where the vulnerable surface is network-reachable without authentication, exploitation requires only crafted requests to the impacted endpoint [NVD entry].
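To make the CWE-36 pattern concrete, here is an added example that is not Ivanti's code and is not derived from EPM (the base directories, file names and host addresses are made up). It shows how a path join that accepts an absolute component silently replaces the intended base directory, next to a lexical policy check that refuses absolute, drive-relative, root-relative and UNC forms before the usual '..' check. It uses Python's ntpath/posixpath and PureWindowsPath/PurePosixPath so both Windows and POSIX forms can be exercised on any host.

```python
"""CWE-36 (absolute path traversal): a join that trusts the caller's path
next to a policy check that accepts only plain relative names.

Added example, not code from Ivanti EPM. Base directories, file names and
host addresses below are hypothetical."""
import ntpath
import posixpath
from pathlib import PurePosixPath, PureWindowsPath
from typing import Tuple

WINDOWS_BASE = r"C:\ProgramData\epm\reports"   # hypothetical intended directory
POSIX_BASE = "/srv/epm/reports"                # hypothetical intended directory

# Pick the join function and pure-path class by host flavour, so the
# example is deterministic regardless of where it is run.
FLAVOURS = {
    "posix": (posixpath.join, PurePosixPath),
    "windows": (ntpath.join, PureWindowsPath),
}


def vulnerable_join(base: str, user_path: str, flavour: str = "posix") -> str:
    """The CWE-36 pattern. os.path.join (ntpath/posixpath here) discards
    `base` whenever `user_path` is absolute, drive-relative, root-relative
    or a UNC path, so the caller opens whatever the attacker named."""
    joiner, _ = FLAVOURS[flavour]
    return joiner(base, user_path)


def check_path(user_path: str, flavour: str = "posix") -> Tuple[bool, str]:
    """Lexical policy check done BEFORE touching the filesystem.

    Returns (True, "relative") for a name that cannot leave the base
    directory, or (False, reason) naming the first rule that rejected it."""
    _, pure = FLAVOURS[flavour]
    p = pure(user_path)
    if not p.parts:
        return False, "empty"
    # Fully absolute: '/etc/passwd', 'C:\\x', '\\\\host\\share\\x' (drive + root).
    if p.is_absolute():
        return False, "absolute"
    # Windows forms that are not "absolute" yet still escape the base:
    # 'C:secret.txt' (drive-relative) and '\\Windows\\win.ini' (root-relative).
    if p.drive:
        return False, "drive-relative"
    if p.root:
        return False, "root-relative"
    # Classic relative traversal, so the policy is complete on its own.
    if ".." in p.parts:
        return False, "parent-traversal"
    return True, "relative"


def safe_join(base: str, user_path: str, flavour: str = "posix") -> str:
    """Join only after check_path accepted the name; raise otherwise."""
    ok, reason = check_path(user_path, flavour)
    if not ok:
        raise ValueError(f"rejected {user_path!r}: {reason}")
    _, pure = FLAVOURS[flavour]
    return str(pure(base).joinpath(pure(user_path)))


if __name__ == "__main__":
    # Constructed attacker inputs for each host flavour.
    for base, probe, flavour in [
        (POSIX_BASE, "/etc/passwd", "posix"),
        (WINDOWS_BASE, r"\\203.0.113.5\share\x", "windows"),
        (WINDOWS_BASE, r"D:\secrets.xml", "windows"),
        (WINDOWS_BASE, r"\Windows\win.ini", "windows"),
        (WINDOWS_BASE, "C:secret.txt", "windows"),
        (WINDOWS_BASE, r"q1\summary.csv", "windows"),
    ]:
        print(f"{probe!r:28} vulnerable -> {vulnerable_join(base, probe, flavour)!r:32} "
              f"policy -> {check_path(probe, flavour)}")
```

The check is purely lexical, which is the point: it runs before any filesystem call, and it rejects the drive-relative and root-relative forms that `is_absolute()` alone does not flag. URL decoding belongs in the web layer before this check, and a real service would additionally open the file relative to a base directory handle rather than trusting the joined string.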
Triage of suspected exploitation should look for evidence of file disclosure: requests that pass absolute or drive-letter paths in path-like parameters, and responses whose bodies are raw file content from endpoints that normally return structured API data, together with bursts of requests from one source that vary only in the path parameter [NVD entry]. Prioritize systems that expose EPM services beyond tightly controlled management networks, given KEV's active-exploitation signal [CISA KEV].
Defense
- Patch or mitigate immediately per the vendor guidance referenced by CISA KEV; federal agencies are assigned a remediation due date of 2025-03-31 for this entry [CISA KEV].
- Treat any Internet exposure of EPM as an emergency. Restrict access to management VLANs or VPNs and remove public ingress paths until patched, so the unauthenticated surface the KEV description refers to is not reachable from outside [CISA KEV].
- Compensating controls: if services must stay online through a change window, enforce allowlists at gateways and reverse proxies and, where a file-serving or download route accepts a path parameter, reject any value that is absolute, drive-letter, UNC or contains '..' before it reaches the application [NVD entry].
- Detection engineering: monitor for responses suggestive of raw file disclosure (unexpected plaintext, configuration fragments) on endpoints that normally serve JSON or HTML; alert on bursts of requests that manipulate path-like parameters, and correlate source addresses across targets [NVD entry].
- Incident response: because KEV denotes confirmed exploitation, assume data theft, review logs, backups and secrets management for exposure, and rotate any credential the EPM process could have read [CISA KEV].
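The request-side half of the detection item above, as an added example that is not part of the original advisory and not a Lyrie or Ivanti artifact: a small Python scanner over constructed access-log lines (the /api/report route, the file parameter, the addresses and the user agents are all made up) that decodes each query parameter, classifies values shaped like UNC, drive-letter, rooted or '..' paths, and raises an alert when one source produces at least a threshold number of such requests. Response-body anomalies (plaintext where JSON is expected) need response logging that a plain access log does not carry, so this example covers the request side only.

```python
"""Request-side detection of path-traversal probing in web access logs.

Added example; the route, parameter, addresses and user agents are
constructed and do not describe any real Ivanti EPM endpoint."""
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Combined-Log-style lines. One source requests normal report
# names; the other walks through UNC and drive-letter absolute paths.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "GET /api/report?file=q1%2Fsummary.csv HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:14:02:12 +0000] "GET /api/report?file=%5C%5C198.51.100.9%5Cshare%5Cx HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:14:02:12 +0000] "GET /api/report?file=C%3A%5CWindows%5Cwin.ini HTTP/1.1" 200 92 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:14:02:13 +0000] "GET /api/report?file=C%3A%5CProgramData%5Capp%5Cweb.config HTTP/1.1" 200 4100 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:14:02:14 +0000] "GET /api/report?file=q1%2Fdetail.csv HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Ordered so the most specific shape wins: UNC before a bare root.
PATTERNS = [
    ("unc", re.compile(r"^[\\/]{2}[^\\/]+")),               # \\host\share or //host/share
    ("drive", re.compile(r"^[A-Za-z]:")),                   # C:\x, and drive-relative C:x
    ("root", re.compile(r"^[\\/]")),                        # /etc/passwd or \Windows\x
    ("dotdot", re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")),  # ../ or ..\ anywhere
]


def classify_value(value: str) -> Optional[str]:
    """Name the traversal shape of a query value, or None if it looks benign.
    Decodes twice so double-encoded probes (%255C...) are seen as well;
    unquote is a no-op on already-plain text, so pre-decoded input is fine."""
    v = unquote(unquote(value))
    for label, pattern in PATTERNS:
        if pattern.search(v):
            return label
    return None


def scan(log_text: str, threshold: int = 2) -> Dict[str, List[dict]]:
    """Return {source_ip: [hit, ...]} for every source with at least
    `threshold` requests whose query parameters look like traversal probes."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, worth counting in production
        url = urlsplit(m["target"])
        for key, raw in parse_qsl(url.query, keep_blank_values=True):
            reason = classify_value(raw)
            if reason is None:
                continue
            hits[m["ip"]].append({
                "path": url.path, "param": key, "value": unquote(raw),
                "reason": reason, "status": int(m["status"]),
                "size": 0 if m["size"] == "-" else int(m["size"]),
            })
    return {ip: h for ip, h in hits.items() if len(h) >= threshold}


if __name__ == "__main__":
    for ip, events in scan(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {len(events)} traversal-shaped requests")
        for e in events:
            print(f"  {e['reason']:7} {e['status']} {e['size']:>6}B "
                  f"{e['path']}?{e['param']}={e['value']}")
```

The status and size fields are kept on each hit because they are what turns a probe into a likely disclosure: a 200 with a non-zero body on an absolute-path request is the signal to pull the response, where one is logged, and to start the credential-rotation step. The "root" rule will also match legitimate parameters that happen to begin with a slash, so tune the threshold and the parameter allowlist per route before alerting on it.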
Track NVD for updates to the analysis and references for CVE-2024-13159 during remediation planning [NVD entry], and use the MITRE record as the canonical CVE link in tickets and communications [MITRE CVE].
Lyrie Verdict
Path traversal in a central management stack is prime territory for autonomous adversaries. KEV confirmation means bot-driven exploitation is already under way, harvesting whatever the service can read and pivoting with stolen secrets [CISA KEV]. Lyrie treats CVE-2024-13159 as a machine-speed exfiltration problem: we fingerprint traversal-style file disclosure at the response layer, correlate abnormal content egress with unauthenticated access to EPM endpoints, and auto-prioritize assets matching KEV entries for immediate containment. The outcome: sub-second detection of traversal-driven data leaks and automated suppression of offending flows, so defenders are not racing manual triage while secrets bleed.
CVE-2024-13159 enables unauthenticated file disclosure in Ivanti EPM. Lyrie flags traversal-style egress at machine speed and prioritizes KEV-matched assets for auto-containment.