By Lyrie Threat Intelligence·3/10/2025

What happened

CISA added CVE-2024-13161 to the Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed exploitation in the wild against Ivanti Endpoint Manager (EPM) [CISA KEV]. The issue is an absolute path traversal flaw (CWE-36) that enables a remote, unauthenticated attacker to leak sensitive information from the EPM system [NVD entry]. The KEV entry specifies the addition date of 2025-03-10 and sets an agency remediation due date of 2025-03-31, elevating this to a priority patch item for federal networks [CISA KEV]. A canonical record for the CVE is maintained by MITRE and aligns on the vulnerability scope and identifiers [MITRE CVE].

Why it matters

When an endpoint management platform discloses files to an unauthenticated network actor, the blast radius can include configuration data, service credentials, and environment details that accelerate follow-on compromise [NVD entry]. Absolute path traversal allows attackers to read arbitrary files by specifying absolute filesystem paths, bypassing intended access controls and exposing sensitive artifacts [CWE-36]. CISA’s decision to list this CVE in KEV confirms real-world exploitation pressure, which moves this from theoretical to active risk for any exposed EPM instance [CISA KEV].

Technical detail

CVE-2024-13161 is categorized under CWE-36 (Absolute Path Traversal), where user-controlled input is used to construct absolute paths on the target system, enabling direct reads of files outside the intended directory scope [CWE-36]. According to public records, exploitation does not require authentication, enabling remote retrieval of sensitive information if the vulnerable EPM surface is reachable over the network [NVD entry]. The impacted product is Ivanti Endpoint Manager (EPM), as explicitly identified in the KEV entry for this CVE [CISA KEV]. MITRE’s CVE record corroborates the identifier and classification, serving as the canonical reference point for tracking and coordination across vendors and defenders [MITRE CVE].

Absolute path traversal is distinct from relative traversal: absolute variants exploit fully qualified paths (for example, OS root-prefixed paths) rather than only directory backtracking, which can widen the scope of accessible targets if path normalization is flawed [CWE-36]. In practical terms, attacks manifest through crafted request parameters that are concatenated into file-handling routines, returning file contents that should never be web-accessible [NVD entry].

Defense

  • Patch and mitigate now: CISA mandates remediation because the vulnerability is actively exploited; follow vendor mitigations and close exposure by the KEV due date where applicable [CISA KEV].
  • Reduce attack surface: ensure the EPM interface is not internet-exposed; restrict access to trusted management segments and authenticated administrative channels to minimize reachable attack paths [CISA KEV].
  • Compensating controls: where patching is non-immediate, deploy request filtering for path traversal patterns, including absolute path tokens and encoded traversal sequences (for example, “..”, “%2e%2e”, mixed encodings), which are characteristic of CWE-36 exploitation attempts [CWE-36].
  • Detection and hunting: instrument web telemetry on the EPM front-end for anomalous file read responses and parameters that resolve to filesystem paths; absolute traversal frequently presents as unexpected access to configuration or system directories [CWE-36]. Treat any hits as potential data disclosure and initiate containment and credential hygiene if sensitive reads are confirmed [NVD entry].
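The two points above (why absolute paths slip past naive joins, and what a request filter or log hunt should look for) in working form. This is an added example written for this article, not Ivanti's or Lyrie's code; the base directory, parameter name and log lines are constructed for illustration.

```python
"""Added example: defender-side path confinement and request-log triage for CWE-36.
Not Ivanti or Lyrie code; every path, parameter and log line here is constructed."""
import os
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded tokens (%252e) are seen as '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Canonical path of user_path inside base_dir, or None if it would escape.
    Absolute input is rejected before joining: os.path.join(base, "/etc/passwd")
    silently discards base and returns "/etc/passwd", which is the CWE-36 trap."""
    candidate = decode_fully(user_path).replace("\\", "/")
    if posixpath.isabs(candidate) or re.match(r"^[A-Za-z]:", candidate):
        return None  # root-prefixed Unix path or Windows drive path from the client
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, candidate))
    if os.path.commonpath([base_real, target]) != base_real:
        return None  # relative ".." traversal resolved outside the base directory
    return target

# Tokens a request filter or hunt can flag after full decoding: "..", a leading "/",
# or a drive letter. Constructed heuristic, not a vendor signature.
TRAVERSAL_RE = re.compile(r"(\.\./|/\.\.|^/|^[A-Za-z]:/)")

def flag_suspicious_params(query: str) -> list:
    """Names of query parameters whose fully decoded value carries a traversal token."""
    flagged = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if TRAVERSAL_RE.search(decode_fully(raw).replace("\\", "/")):
            flagged.append(name)
    return flagged

# Constructed web-server log lines (not real EPM traffic); the last two should be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - "GET /api/files?name=reports%2Fq1.txt" 200 812',
    '10.0.0.9 - - "GET /api/files?name=%2Fetc%2Fpasswd" 200 2109',
    '10.0.0.9 - - "GET /api/files?name=..%252F..%252Fweb.config" 200 4471',
]

def hunt(lines) -> list:
    """Return (line, flagged_params) for each log line whose query string trips TRAVERSAL_RE."""
    hits = []
    for line in lines:
        m = re.search(r'"[A-Z]+ [^?" ]*\?([^" ]*)', line)
        if m and flag_suspicious_params(m.group(1)):
            hits.append((line, flag_suspicious_params(m.group(1))))
    return hits
```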

Lyrie Verdict

This is a textbook machine-speed exploitation path: unauthenticated, input-driven file reads are trivial for automated scanners and LLM-driven recon bots to iterate at scale across exposed EPM surfaces [CWE-36]. Lyrie’s autonomous defenders should enforce real-time detection on traversal tokens and abnormal file-return patterns against EPM endpoints, cross-correlating request shape, encoding variants, and response entropy to stop exfiltration in-flight [NVD entry]. Because CISA has validated active exploitation pressure, treat path-traversal signatures targeting EPM as priority-1 and block on first observation, not after triage [CISA KEV].

Unauthenticated absolute path traversal is automation-friendly. Lyrie should block traversal tokens and anomalous file-return patterns to stop exfiltration in-flight, prioritizing EPM targeting due to CISA-confirmed active exploitation.