CVE-2024-13159 — AI Deep Analysis Summary

🚨 **Essence**: Ivanti EPM has a critical **Absolute Path Traversal** flaw. <br>💥 **Consequences**: Remote attackers can **leak sensitive info** and coerce machine credentials for relay attacks.…

🛡️ **Root Cause**: **CWE-36** (Absolute Path Traversal). <br>🔍 **Flaw**: Improper input validation in the `GetHashForWildcardRecursive` endpoint.…

🏢 **Affected**: **Ivanti Endpoint Manager (EPM)**. <br>📅 **Context**: Specifically impacts versions like **EPM 2024** and **EPM 2022 SU6** (based on Jan 2025 advisory).

💀 **Attacker Actions**: <br>1. **Unauthenticated** access. <br>2. **Coerce** the EPM machine account credential. <br>3. Use credentials for **NTLM relay attacks**. <br>4.…

⚡ **Threshold**: **LOW**. <br>🔓 **Auth**: **None required** (Unauthenticated). <br>🌐 **Access**: Remote (Network). <br>👤 **UI**: No user interaction needed.

🔥 **Public Exp?**: **YES**. <br>📂 **PoC**: Available on GitHub (e.g., `horizon3ai/Ivanti-EPM-Coercion-Vulnerabilities`). <br>🛠️ **Tools**: Nuclei templates exist for automated scanning.

🔍 **Self-Check**: <br>1. Scan for **Ivanti EPM** endpoints. <br>2. Use **Nuclei** with CVE-2024-13159 template. <br>3. Look for **UNC path** injection points in `GetHashForWildcardRecursive`.

🩹 **Official Fix**: **YES**. <br>📢 **Advisory**: Ivanti released a security advisory in **Jan 2025**. <br>✅ **Action**: Update to the latest patched version immediately.

🚧 **No Patch?**: <br>1. **Block** external access to EPM endpoints. <br>2. **Restrict** NTLM authentication protocols. <br>3. Implement **WAF rules** to block UNC path injections.

🚨 **Urgency**: **CRITICAL**. <br>⏱️ **Priority**: **P1**. <br>⚠️ **Reason**: Unauthenticated, remote, and active PoCs exist. Immediate patching is mandatory to prevent credential coercion.