The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with the addition of three high-risk security flaws affecting Ivanti Endpoint Manager (EPM).
These vulnerabilities, which involve absolute path traversal issues, have been observed being actively exploited in the wild, prompting federal agencies and organizations to implement remediation measures before the deadline.
The three newly cataloged vulnerabilities, CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161, share similar characteristics and impact vectors.
All three are classified as absolute path traversal vulnerabilities (CWE-36) that enable remote, unauthenticated attackers to access and exfiltrate sensitive information from affected systems.
These vulnerabilities represent significant security risks as they require no authentication, providing attackers with a straightforward vector to compromise organizational data.
Absolute path traversal vulnerabilities occur when applications fail to properly validate or sanitize user-supplied input that specifies a file path.
In this case, the flaws in Ivanti EPM allow attackers to navigate directory structures outside of intended boundaries, potentially accessing configuration files, credentials, or other sensitive information stored on the system.
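To make the CWE-36 failure mode concrete, here is an added illustration (not code from the article or from Ivanti) of how a file-serving routine escapes its document root when it joins an absolute user-supplied path, beside a hardened version that rejects absolute input and verifies the normalised result stays under the root. The document root `/var/app/files` and the request paths are assumptions chosen for the example.

```python
import posixpath

# Hypothetical document root the application intends to serve files from.
BASE_DIR = "/var/app/files"


def unsafe_resolve(user_path: str) -> str:
    """Vulnerable pattern: join without validation.

    posixpath.join (like os.path.join) discards every earlier component
    when a later one is absolute, so "/etc/passwd" simply replaces the
    root. This is the absolute path traversal described by CWE-36.
    """
    return posixpath.join(BASE_DIR, user_path)


def is_contained(user_path: str) -> bool:
    """Return True only if user_path resolves to a location under BASE_DIR."""
    if not user_path or posixpath.isabs(user_path):
        # Absolute input is never legitimate for a relative file name.
        return False
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    # normpath collapses "..", so "a/../../etc/passwd" becomes "/var/etc/passwd".
    # commonpath then proves containment; a prefix such as "/var/app/filesx"
    # is correctly rejected because it is a sibling, not a child.
    return posixpath.commonpath([BASE_DIR, candidate]) == BASE_DIR


def safe_resolve(user_path: str) -> str:
    """Hardened pattern: refuse anything that leaves the document root.

    Note: this is a lexical check only. If BASE_DIR may contain symlinks,
    also resolve the real path with os.path.realpath before comparing.
    """
    if not is_contained(user_path):
        raise ValueError(f"rejected path outside document root: {user_path!r}")
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


if __name__ == "__main__":
    # Constructed request paths: one legitimate, two traversal attempts.
    for req in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd"):
        print(f"{req!r:25} unsafe -> {unsafe_resolve(req)!r:30} contained={is_contained(req)}")
```

The unsafe helper shows why "absolute" traversal is a distinct weakness from the `../` variety: no dot segments are needed, the join itself hands over the whole filesystem. The hardened helper treats an absolute path as an immediate rejection and only then checks the normalised result for containment.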
The Ivanti EPM vulnerabilities were not the only additions to CISA’s KEV catalog in recent updates.
The agency also added other critical vulnerabilities, including two affecting Advantive VeraCore: a SQL injection vulnerability (CVE-2025-25181) and an unrestricted file upload vulnerability (CVE-2024-57968).
Earlier in March, vulnerabilities in VMware’s ESXi and Workstation products were also cataloged, highlighting the diverse range of enterprise systems currently facing exploitation.
Federal agencies governed by Binding Operational Directive (BOD) 22-01 are required to apply vendor-provided patches or implement appropriate mitigations for the Ivanti EPM vulnerabilities by March 31, 2025.
Private organizations are strongly encouraged to prioritize these vulnerabilities in their remediation workflows.
CISA’s guidance for all cataloged vulnerabilities follows a consistent pattern: “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable”.
For organizations unable to immediately patch, temporary isolation of affected systems may be necessary while remediation plans are developed.
Organizations should monitor for indicators of compromise related to these vulnerabilities while implementing patches.
The KEV catalog serves as an authoritative source for prioritizing vulnerability management efforts, helping security teams keep pace with evolving threat activity.
CISA maintains the catalog in multiple formats, including CSV and JSON, to facilitate integration with security tooling and automated workflows.
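As an added example of the kind of automation the JSON feed enables (not CISA's own tooling), the script below loads a KEV-style JSON document, matches its entries against a small asset inventory and reports the BOD 22-01 due date and days remaining for each hit. The feed content is a constructed sample built on the catalog's published field names (`cveID`, `vendorProject`, `product`, `vulnerabilityName`, `dueDate`, `knownRansomwareCampaignUse`); the Ivanti identifiers and the March 31, 2025 due date come from the article, while the VeraCore entry's due date is a placeholder, and the vendor/product strings in the inventory are assumptions that must be checked against how the live feed actually spells them.

```python
import json
from datetime import date

# Constructed sample modelled on the KEV JSON feed structure. Only the Ivanti
# CVE numbers and their 2025-03-31 due date are taken from the article.
SAMPLE_FEED = json.dumps({
    "title": "CISA Known Exploited Vulnerabilities Catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2024-13159", "vendorProject": "Ivanti", "product": "Endpoint Manager",
         "vulnerabilityName": "Ivanti Endpoint Manager Absolute Path Traversal Vulnerability",
         "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-13160", "vendorProject": "Ivanti", "product": "Endpoint Manager",
         "vulnerabilityName": "Ivanti Endpoint Manager Absolute Path Traversal Vulnerability",
         "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-13161", "vendorProject": "Ivanti", "product": "Endpoint Manager",
         "vulnerabilityName": "Ivanti Endpoint Manager Absolute Path Traversal Vulnerability",
         "dueDate": "2025-03-31", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-25181", "vendorProject": "Advantive", "product": "VeraCore",
         "vulnerabilityName": "Advantive VeraCore SQL Injection Vulnerability",
         "dueDate": "2025-01-01",  # constructed placeholder, not the real KEV value
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def load_kev(raw: str) -> list:
    """Parse a KEV JSON document and return its vulnerability entries."""
    return json.loads(raw)["vulnerabilities"]


def match_inventory(entries: list, inventory: set, today: date) -> list:
    """Return KEV entries whose (vendor, product) appears in the inventory.

    Matching is case-insensitive on exact strings. Each hit carries the
    remediation deadline, days remaining and an overdue flag, sorted so
    the most urgent items come first.
    """
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    hits = []
    for entry in entries:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        if key not in wanted:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cveID": entry["cveID"],
            "name": entry["vulnerabilityName"],
            "dueDate": due.isoformat(),
            "days_remaining": (due - today).days,
            "overdue": due < today,
            "ransomware_use": entry.get("knownRansomwareCampaignUse", "Unknown"),
        })
    hits.sort(key=lambda h: (h["dueDate"], h["cveID"]))
    return hits


if __name__ == "__main__":
    # Assumed inventory of deployed products; compare spellings with the live feed.
    inventory = {("Ivanti", "Endpoint Manager")}
    for hit in match_inventory(load_kev(SAMPLE_FEED), inventory, date(2025, 3, 12)):
        status = "OVERDUE" if hit["overdue"] else f"{hit['days_remaining']} days left"
        print(f"{hit['cveID']}  due {hit['dueDate']}  {status}  {hit['name']}")
```

In production the `raw` string would come from a scheduled download of the JSON feed rather than the embedded sample, and `inventory` from a CMDB export; the matching and deadline logic stays the same.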
As exploitation techniques continue to evolve, organizations should subscribe to CISA’s KEV catalog updates to stay informed about newly discovered exploitation activity affecting their technology stack.