Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
The error consists of improper validation of file paths (CWE-36, CWE-22) — an attacker can provide an absolute path to a file on the server, bypassing the application's working directory restrictions. The request is executed without any authentication, making the attack available to anyone with network connectivity to the EPM server. As a result, it is possible to read files outside the intended application directories.
An attacker can disclose sensitive information stored on the server, such as configuration data, credentials, or other system files accessible to the server process.
Update Ivanti EPM to the version containing the January-2025 security update (for EPM 2024 line or EPM 2022 SU6). Detailed instructions are available in the official vendor statement at forums.ivanti.com. Until the patch is deployed, it is recommended to restrict network access to the EPM server only to trusted hosts.
Ivanti Endpoint Manager (EPM) in versions prior to the January-2025 security update for EPM 2024 and prior to the January-2025 security update for EPM 2022 SU6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Endpoint Manager
APPIvanti20222024< 2022
Related vulnerabilities
Absolute Path Traversal w Ivanti EPM — wyciek danych bez uwierzytelnienia
Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia
Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia
Stored XSS w Ivanti Endpoint Manager umożliwiający przejęcie sesji admina
SQL Injection w Ivanti Endpoint Manager umożliwiający RCE bez uwierzytelnienia