CVE-2024-13159: 
Ivanti Endpoint Manager vulnerability analysis and mitigation

Ivanti Endpoint Manager (EPM) was found to contain an absolute path traversal vulnerability (CVE-2024-13159) that affects versions before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update. The vulnerability was discovered in October 2024 and was officially patched in January 2025. This security flaw allows remote unauthenticated attackers to leak sensitive information through path traversal attacks (CVE Details, CISA Alert).

The vulnerability exists in the C:\Program Files\LANDesk\ManagementSuite\WSVulnerabilityCore.dll component, specifically within the LANDesk.ManamgementSuite.WSVulnerabilityCore namespace. The issue lies in the GetHashForWildcardRecursive() method, which accepts a string argument called wildcard that is passed to HashCalculator.GetHashForWildcardRecursive(). The vulnerability stems from insufficient input validation, allowing the wildcard parameter to be constructed in a way that results in the rootPath being a remote UNC path (Horizon3).

The vulnerability enables an unauthenticated attacker to coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially leading to server compromise. This could result in the exposure of sensitive information and potentially full system compromise. The severity of this issue is highlighted by its inclusion in CISA's Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild (CISA Alert).

Organizations should immediately apply the January 2025 Security Update released by Ivanti to address this vulnerability. This patch is available for both EPM 2024 and EPM 2022 SU6 versions. CISA strongly urges all organizations to prioritize timely remediation of this vulnerability as part of their vulnerability management practice (CISA Alert).