Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
The vulnerability classified as CWE-36 (absolute path traversal) involves the application not properly validating file access paths, accepting absolute paths supplied by an attacker. An attacker, without any authentication, can send a specially crafted network request containing an absolute path to any file on the server. As a result, the server returns the contents of the specified file, going beyond the allowed application directory area.
An attacker can remotely and without authentication read sensitive files from the server, potentially including credentials, configuration files, or other information critical to infrastructure security.
Ivanti EPM must be immediately updated to the version with the January-2025 Security Update (for EPM 2024) or EPM 2022 SU6 January-2025 Security Update (for EPM 2022 SU6). Details are available in the official Ivanti security bulletin at the address indicated in the references.
Ivanti Endpoint Manager (EPM) in versions prior to the January 2025 security update for EPM 2024 and earlier than EPM 2022 SU6 with the January 2025 security update.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Endpoint Manager
APPIvanti20222024< 2022
CISA KEV — detailsi
- Vendori
- Ivanti ↗
- Producti
- Endpoint Manager (EPM)
- Added to KEVi
- March 10, 2025
- Remediation deadline (US Federal)i
- March 31, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Related vulnerabilities
Absolute Path Traversal w Ivanti EPM — wyciek danych bez uwierzytelnienia
Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia
Stored XSS w Ivanti Endpoint Manager umożliwiający przejęcie sesji admina
Absolute Path Traversal w Ivanti Endpoint Manager — wyciek danych bez uwierzytelnienia
SQL Injection w Ivanti Endpoint Manager umożliwiający RCE bez uwierzytelnienia