Proof-of-concept (PoC) code and technical details on four critical-severity Ivanti EPM vulnerabilities are now available.
February 20, 2025 By Ionut Arghire
Horizon3.ai has released technical details on four critical-severity vulnerabilities in Ivanti Endpoint Manager (EPM), along with proof-of-concept (PoC) code targeting them.
The security defects, tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 (CVSS score of 9.8) and described as absolute path traversal issues, were patched in mid-January in EPM versions 2024 and 2022 SU6.
Ivanti warned at the time that the flaws could be exploited to leak sensitive information, but provided no additional details on them.
On Wednesday, Horizon3.ai revealed that the four bugs could be exploited by an unauthenticated attacker to “coerce the Ivanti EPM machine account credential to be used in relay attacks, potentially allowing for server compromise”.
