By Lyrie Threat Intelligence·3/10/2025

What happened

CISA added Ivanti Endpoint Manager (EPM) CVE-2024-13160 to the Known Exploited Vulnerabilities catalog on 2025-03-10, signaling confirmed in-the-wild exploitation and a federal remediation due date of 2025-03-31 [CISA KEV]. The entry describes an absolute path traversal that enables a remote, unauthenticated attacker to leak sensitive information from affected EPM instances [CISA KEV]. The vulnerability is tracked as CWE-36 (Absolute Path Traversal) in the National Vulnerability Database and is documented by NIST as CVE-2024-13160 [NVD entry]. A corresponding CVE record is also published by MITRE, confirming the identifier and affected product family [MITRE CVE record].

CISA’s required action for KEV-listed issues is to apply vendor mitigations or discontinue use if mitigations are unavailable, aligning with federal directive timelines for urgent risk reduction [CISA KEV]. The key risk element here is unauthenticated, remote access to sensitive files via path traversal, which elevates the impact beyond ordinary local-only file disclosure flaws [NVD entry].

Why it matters

A path traversal that does not require authentication enables data theft at initial contact: no valid credentials, no foothold, just direct read access wherever the application exposes a file path surface [NVD entry]. When the target is endpoint management infrastructure, exposed data can plausibly include configuration or operational artifacts that adversaries repurpose for follow-on compromise, privilege escalation, or lateral movement in enterprise environments [NVD entry]. The KEV designation indicates real adversaries are already capitalizing on this exposure, making laggard patch cycles particularly risky [CISA KEV].

Absolute path traversal (CWE-36) flaws are routinely automated in scanning and exploitation toolchains because they are straightforward to probe and can rapidly yield high-value secrets when present [NVD entry]. With exploitation confirmed by CISA, defenders should treat EPM instances as priority assets for urgent remediation and verification of data exposure [CISA KEV].

Technical detail

CVE-2024-13160 is categorized as CWE-36, Absolute Path Traversal, where user-controlled input is used to construct a filesystem path that the application resolves from a filesystem root rather than a constrained directory [NVD entry]. In such flaws, an attacker manipulates a path parameter (for example by using absolute paths or encoded traversal sequences) so the application returns arbitrary files for which the underlying process has read permission [NVD entry]. Because this CVE is explicitly remote and unauthenticated, exploitation requires only network reachability to the vulnerable interface and knowledge (or discovery) of a file path vector exposed by the application [MITRE CVE record].

By design, absolute path traversal differs from relative traversal in that the attacker supplies a root-anchored path, bypassing directory confinement logic that might have limited relative references; if input validation is insufficient, the application can disclose files outside its intended content directory [NVD entry]. Typical attacker goals for file disclosure include harvesting secrets, configuration, logs, or other metadata that accelerate subsequent intrusion stages [NVD entry]. The KEV listing confirms this primitive is being used operationally, which aligns with the low-complexity, high-payoff profile of unauthenticated path traversal bugs [CISA KEV].
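As an added illustration, not code from this advisory or from Ivanti, the Python below contrasts the CWE-36 pattern just described (a root-anchored value discarding the content root) with a resolver that enforces directory confinement. WEB_ROOT, the function names and the sample inputs are assumptions; the input is taken as already URL-decoded, as a web framework would hand it to a handler.

```python
import os
from typing import Optional

# Constructed example, not Ivanti code: a file-serving handler whose
# content root is WEB_ROOT (a hypothetical path).
WEB_ROOT = "/srv/epm/content"

def unsafe_resolve(user_path: str) -> str:
    """CWE-36 pattern. os.path.join() discards everything before an absolute
    component, so a root-anchored value replaces WEB_ROOT outright; a
    relative '../' value also walks out once normalised."""
    return os.path.normpath(os.path.join(WEB_ROOT, user_path))

def safe_resolve(user_path: str) -> Optional[str]:
    """Hardened form. Reject absolute input and NUL bytes up front, then
    canonicalise (symlinks included) and require the result to remain
    inside WEB_ROOT. Returns None when the request is refused."""
    if os.path.isabs(user_path) or "\x00" in user_path:
        return None
    root = os.path.realpath(WEB_ROOT)
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath() is the confinement test; a bare startswith(root) would
    # wrongly accept a sibling such as /srv/epm/content-old.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

def demo() -> dict:
    """Same inputs through both resolvers; values are what each returns."""
    return {
        "unsafe_abs": unsafe_resolve("/etc/passwd"),       # '/etc/passwd'
        "unsafe_rel": unsafe_resolve("../../etc/passwd"),  # '/srv/etc/passwd'
        "safe_abs": safe_resolve("/etc/passwd"),           # None
        "safe_rel": safe_resolve("../../etc/passwd"),      # None
        "safe_ok": safe_resolve("reports/summary.txt"),    # stays under WEB_ROOT
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:11} -> {value}")
```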

Defense

  • Patch and mitigate on an emergency timeline. CISA mandates remediation for KEV entries by the specified due date, or discontinuation if fixes are unavailable; follow vendor guidance immediately [CISA KEV].
  • Reduce exposure surface. Restrict network access to EPM management interfaces to administrative segments and trusted paths; do not expose management endpoints broadly [NVD entry].
  • Apply request filtering where feasible. At reverse proxies or WAFs, enforce strict allowlists for file-serving routes and block traversal patterns known to be abused in CWE-36 issues (e.g., encoded directory escapes) [NVD entry].
  • Monitor for exploitation indicators. Look for unusual file-access patterns by the EPM web/application service, anomalous spikes in 200 responses on static paths, and request parameters resembling path tokens used in traversal attacks [NVD entry].
  • Assume data exposure until proven otherwise. If a vulnerable instance was reachable, treat configuration and embedded secrets as potentially compromised and rotate accordingly, then reissue tokens/keys [CISA KEV].
  • Validate after remediation. Re-test the specific file path surfaces implicated by traversal categories to confirm the flaw is closed and that authorization and input validation are enforced [MITRE CVE record].
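An added detection example for the monitoring bullet above, not part of this advisory or of any vendor tooling: it scans constructed access-log lines for request parameters that decode to absolute or dot-dot paths, including double-encoded variants that a single decode would miss, and separates the requests the server answered with 200. The log format, the /api/download route and the "file" parameter are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines, not real EPM traffic. The route
# /api/download and its "file" parameter are hypothetical placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2025:09:14:02 +0000] "GET /api/download?file=reports/q1.pdf HTTP/1.1" 200 5120
10.0.0.9 - - [10/Mar/2025:09:14:07 +0000] "GET /api/download?file=/etc/passwd HTTP/1.1" 200 1847
10.0.0.9 - - [10/Mar/2025:09:14:08 +0000] "GET /api/download?file=..%2F..%2Fetc%2Fhosts HTTP/1.1" 403 0
10.0.0.9 - - [10/Mar/2025:09:14:09 +0000] "GET /api/download?file=%252e%252e%252fconfig.xml HTTP/1.1" 200 922
10.0.0.7 - - [10/Mar/2025:09:15:00 +0000] "GET /static/logo.png HTTP/1.1" 200 3301
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
ABS_RE = re.compile(r"^(?:/|[A-Za-z]:/)")  # POSIX root, UNC (//) or drive letter

def fully_decode(value: str, rounds: int = 3) -> str:
    """Peel nested percent-encoding; bounded so input cannot make it loop."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def looks_like_traversal(value: str) -> bool:
    """Absolute (CWE-36) or dot-dot (relative traversal) shape after decoding."""
    v = fully_decode(value).replace("\\", "/")
    return bool(ABS_RE.match(v)) or ".." in v.split("/")

def scan_log(text: str) -> list:
    """Return (client, status, param, decoded_value) for flagged requests."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        # parse_qsl() already decodes one layer; fully_decode() handles the rest.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if looks_like_traversal(value):
                hits.append((client, int(status), name, fully_decode(value)))
    return hits

def successful_reads(hits: list) -> list:
    """Flagged requests answered 200: the ones most likely to have leaked data."""
    return [h for h in hits if h[1] == 200]
```

Requests in the 200 bucket are the ones to treat as confirmed exposure under the "assume data exposure" bullet; 403s still show that probing occurred.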

Lyrie Verdict

CVE-2024-13160 is a high-utility, low-friction primitive: unauthenticated file reads over the network are trivial for automated adversaries to discover and exploit at scale [NVD entry]. Because CISA has confirmed active exploitation, organizations must assume indiscriminate scanning is underway and prioritize immediate mitigation [CISA KEV].

For anti-rogue-AI defense at machine speed, Lyrie treats path-traversal exposures as a first-class signal. Our autonomous detectors continuously probe externally reachable and intra-org management paths for CWE-36 behaviors (unsafe file path parameters returning out-of-scope content) and flag anomalous response patterns in real time [NVD entry]. When a traversal signature trips, Lyrie auto-prioritizes the asset using KEV context, isolates the interface, and orchestrates credential and token rotation workflows to blunt follow-on compromise [CISA KEV]. This is the required posture: autonomous detection and response that doesn’t wait for human reaction time when unmanaged file disclosure is in the wild.

Lyrie Verdict

Unauthenticated absolute path traversal in EPM is a gift to automated adversaries, and CISA confirms in-the-wild abuse. Lyrie treats CWE-36 patterns as high-severity: we actively probe and model unsafe file-path behaviors, flag anomalous response deltas at line rate, and auto-prioritize with KEV context to isolate exposed interfaces and trigger secret-rotation workflows before humans can triage.