Arctic Wolf Security Bulletin

PoC Exploit Available for Critical Information Disclosure Vulnerabilities in Ivanti EPM


On February 19, 2025, Horizon3.ai published proof-of-concept (PoC) exploit code and technical details for critical Ivanti Endpoint Manager (EPM) vulnerabilities disclosed in January. 

The vulnerabilities, tracked as CVE-2024-10811, CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159, allow a remote unauthenticated attacker to leak sensitive information via path traversal. All four share the same underlying issue: an unauthenticated endpoint fails to validate its input. The wildcard parameter can be crafted to manipulate the rootPath so that it resolves to a remote UNC path (a network path used to access resources on remote servers).
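The input validation that this class of bug lacks, as an added example (not Ivanti's code and not taken from the Horizon3.ai write-up): a check that rejects caller-supplied values which would make a joined path resolve to a UNC location or outside the intended directory. It uses Python's `ntpath` module to model Windows path rules; `BASE_DIR`, the function names and the sample inputs are hypothetical.

```python
import ntpath  # Windows path rules, usable on any OS

# Hypothetical base directory (constructed; not a path from Ivanti EPM).
BASE_DIR = r"C:\AppData\files"


def naive_join(user_value, base_dir=BASE_DIR):
    # Unsafe pattern: a rooted or UNC second argument replaces base_dir.
    return ntpath.join(base_dir, user_value)


def resolve_under_base(user_value, base_dir=BASE_DIR):
    # Return the joined path only if it is local and inside base_dir.
    value = user_value.replace("/", "\\")
    if "\x00" in value:
        raise ValueError("NUL byte in path")
    if value.startswith("\\\\"):
        # Covers \\host\share as well as \\?\ and \\.\ device paths.
        raise ValueError("UNC or device path not allowed")
    if value.startswith("\\") or ntpath.splitdrive(value)[0]:
        raise ValueError("rooted or drive-qualified path not allowed")
    base = ntpath.normpath(base_dir)
    # normpath collapses ".." so the containment check sees the final path.
    candidate = ntpath.normpath(ntpath.join(base, value))
    common = ntpath.commonpath([base, candidate])
    if ntpath.normcase(common) != ntpath.normcase(base):
        raise ValueError("path escapes base directory")
    return candidate


def check_all(samples):
    # Map each sample to the resolved path or the rejection reason.
    results = {}
    for s in samples:
        try:
            results[s] = resolve_under_base(s)
        except ValueError as exc:
            results[s] = "rejected: " + str(exc)
    return results


# Constructed sample inputs; fileserver.example is a placeholder host.
SAMPLES = [r"reports\q1.txt", r"..\..\Windows\win.ini",
           r"\\fileserver.example\share\x.txt",
           "//fileserver.example/share/x.txt", r"D:\other\x.txt"]

if __name__ == "__main__":
    for k, v in check_all(SAMPLES).items():
        print(k, "->", v)
```

`naive_join` returns the UNC value unchanged, which is why validation has to happen before or after the join rather than relying on the base directory being prepended.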

While Ivanti has stated that no exploitation of these vulnerabilities had been observed, Ivanti products have been heavily targeted by threat actors in the past. In late 2024, another Ivanti Endpoint Manager vulnerability was exploited in the wild. Additionally, one of the most impactful campaigns of 2024 leveraged two other Ivanti vulnerabilities to compromise thousands of Ivanti Connect Secure VPN devices. Given this history of exploitation, threat actors may attempt to leverage the PoC to target organizations in the near future. 

Recommendation

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Product: Ivanti Endpoint Manager

Affected Version:
  • 2024 November security update and prior
  • 2022 SU6 November security update and prior

Fixed Version:
  • EPM 2024 January-2025 Security Update
  • EPM 2022 SU6 January-2025 Security Update

 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
