Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
The error results from improper handling of absolute file paths (CWE-36 — absolute path traversal), which allows an attacker to escape the allowed directory and read arbitrary files on the system. The attack requires no authentication or user interaction, and access is achieved remotely over the network. This enables an attacker to read system or configuration files containing sensitive data, such as credentials.
An attacker can gain access to sensitive information stored in the system, including potentially authentication credentials, which could lead to further compromise of the environment.
Ivanti EPM must be urgently updated to the version covered by the January 2025 security update: for EPM 2024 line — January-2025 Security Update, for EPM 2022 line — SU6 January-2025 Security Update. Details are available in the vendor's announcement at: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Ivanti Endpoint Manager (EPM) in versions earlier than 2024 January-2025 Security Update and earlier than 2022 SU6 January-2025 Security Update.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Endpoint Manager
APPIvanti20222024< 2022
CISA KEV — detailsi
- Vendori
- Ivanti ↗
- Producti
- Endpoint Manager (EPM)
- Added to KEVi
- March 10, 2025
- Remediation deadline (US Federal)i
- March 31, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Related vulnerabilities
Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia
Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia
Stored XSS w Ivanti Endpoint Manager umożliwiający przejęcie sesji admina
Absolute Path Traversal w Ivanti Endpoint Manager — wyciek danych bez uwierzytelnienia
SQL Injection w Ivanti Endpoint Manager umożliwiający RCE bez uwierzytelnienia