What is Ivanti Endpoint Manager (EPM)?
Ivanti Endpoint Manager (EPM) is an enterprise IT asset management and endpoint control platform used by organizations to centrally discover, inventory, deploy software to, and manage the lifecycle of Windows, macOS, Linux, and mobile devices across their network. It is distinct from Ivanti EPMM (Endpoint Manager Mobile) — EPM focuses on traditional endpoints rather than mobile fleet management.
Key functions include:
- Asset discovery and inventory — automatically discover and catalog all devices on the network, including hardware specifications, installed software, and patch status
- Software distribution — centrally deploy, update, and remove applications across thousands of endpoints simultaneously
- Patch management — identify missing patches and orchestrate patch deployment across the managed device fleet
- OS deployment — provision bare-metal and virtual machines with operating system images at scale
- Remote control and troubleshooting — allow IT administrators to remotely connect to and manage endpoints
- Credential management — store and use privileged credentials (domain admin accounts, service accounts) required to authenticate to and manage remote endpoints
Because EPM must authenticate to every managed endpoint, it necessarily holds a credential vault containing high-privilege accounts. The EPM Core server also performs hash calculation operations against files on managed endpoints — these file hash operations are the attack surface exploited by CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161.
Overview
CVE-2024-13159 is one of three closely related absolute path traversal vulnerabilities (disclosed alongside CVE-2024-13160 and CVE-2024-13161) in Ivanti Endpoint Manager that allow a remote unauthenticated attacker to coerce the EPM server into authenticating to an attacker-controlled SMB server. This credential coercion attack captures the EPM machine account's NTLMv2 hash, which can then be relayed to a domain controller to create privileged accounts or otherwise escalate within the Active Directory environment.
All three CVEs were disclosed together in Ivanti's January 2025 security advisory, discovered by Horizon3.ai, and added to the CISA KEV catalog on March 10, 2025 after exploitation in the wild was confirmed.
CVE-2024-13159 specifically involves the GetHashForWildcardRecursive function. See also CVE-2024-13160 (GetHashForWildcard) and CVE-2024-13161 (GetHashForSingleFile).
Affected Versions
| Version | Status |
|---|---|
| EPM 2024 (before January-2025 Security Update) | Vulnerable |
| EPM 2024 January-2025 Security Update | Fixed |
| EPM 2022 SU6 (before January-2025 Security Update) | Vulnerable |
| EPM 2022 SU6 January-2025 Security Update | Fixed |
| EPM 2022 SU5 and prior | Vulnerable |
Fix: Apply the Ivanti EPM January 2025 Security Update for EPM 2024 or EPM 2022 SU6.
Technical Details
CVE-2024-13159 is a CWE-36 (Absolute Path Traversal) vulnerability residing in WSVulnerabilityCore.dll, located at C:\Program Files\LANDesk\ManagementSuite\WSVulnerabilityCore.dll on the EPM Core server.
Vulnerable function: GetHashForWildcardRecursive
The EPM server exposes web service endpoints that perform file hash calculations across groups of files matching a wildcard pattern, recursively. The GetHashForWildcardRecursive method accepts a wildcard string parameter and passes it to HashCalculator.GetHashForWildcardRecursive() without validating whether the path resolves to a location outside of an expected restricted directory.
Attack chain:
- An unauthenticated remote attacker sends a crafted request to the EPM web service, supplying a UNC path (for example `\\attacker-ip\share\*`) as the `wildcard` parameter of the `GetHashForWildcardRecursive` endpoint.
- The EPM server, without validating the path, attempts to reach the attacker-controlled SMB server to enumerate files matching the wildcard.
- During the SMB connection attempt, the EPM machine account authenticates to the attacker's server with NTLMv2, handing over its challenge-response (the "NTLMv2 hash").
- The attacker either captures the NTLMv2 response with a tool such as Responder or, more usefully, relays it in real time to a domain controller over LDAP with `ntlmrelayx` (a captured response cannot be replayed later; the relay has to happen while the coerced session is live).
- The relayed authentication is used to create a privileged machine account in Active Directory with delegation rights, enabling further privilege escalation or domain takeover.
Attack characteristics:
- No credentials required — fully unauthenticated
- Exploitable remotely over the network (CVSS Attack Vector: Network)
- No user interaction required
- A single crafted request triggers the credential coercion
- The captured NTLMv2 response is relayed in real time; cracking it offline is not a practical option here, because machine account passwords are long random values that Windows rotates automatically
- Chaining with CVE-2024-13160 and CVE-2024-13161 (additional coercion endpoints) increases the probability of successful capture
CWE-36 (Absolute Path Traversal): The product uses external input to construct a pathname but does not properly neutralize absolute path sequences that can resolve outside the intended restricted directory — in this case, allowing the path to resolve to a remote UNC location on an attacker-controlled server.
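To make the CWE-36 failure concrete, the following is an added example (illustrative code, not Ivanti's WSVulnerabilityCore implementation) of a wildcard-hash routine in the vulnerable shape the text describes and in a hardened form. The function names, the `Wildcard` parameter name and the temporary directory the demonstration creates are assumptions. The point is the validation order: reject UNC and device prefixes, reject rooted paths and drive or stream separators, reject parent segments, allow wildcards only in the file name, then canonicalise and prefix-check against the single permitted base directory before anything touches the file system.

```powershell
# Added example, not Ivanti's code. Names are assumed for illustration.

# Vulnerable shape: the caller's string reaches the file system untouched. A
# value such as \\attacker\share\* makes Windows open an SMB session to
# "attacker" and authenticate as the service's account before any file is read.
function Get-WildcardHashUnsafe {
    param([string]$Wildcard)
    Get-ChildItem -Path $Wildcard -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256
}

# Hardened shape: the value must be a relative name under one fixed base
# directory; wildcards may appear only in the leaf; UNC/device prefixes, rooted
# paths, drive or stream separators and '..' segments are rejected up front.
function Get-WildcardHashSafe {
    param(
        [Parameter(Mandatory)][string]$BaseDirectory,
        [Parameter(Mandatory)][string]$Wildcard
    )
    $sep = [System.IO.Path]::DirectorySeparatorChar
    if ($Wildcard -match '^[\\/]{2}') {
        throw "UNC or device path rejected: $Wildcard"
    }
    if ([System.IO.Path]::IsPathRooted($Wildcard) -or $Wildcard.Contains(':')) {
        throw "Absolute path or drive/stream prefix rejected: $Wildcard"
    }
    $segments = $Wildcard -split '[\\/]'
    if ($segments -contains '..') {
        throw "Parent-directory segment rejected: $Wildcard"
    }
    $leaf = $segments[-1]
    if (-not $leaf) { $leaf = '*' }
    $relDir = if ($segments.Count -gt 1) { $segments[0..($segments.Count - 2)] -join $sep } else { '' }
    if ($relDir -match '[*?]') {
        throw "Wildcards are only allowed in the file name: $Wildcard"
    }
    # Canonicalise and prefix-check: whatever the checks above missed, the
    # resolved directory still has to sit under the base after normalisation.
    $baseFull = [System.IO.Path]::GetFullPath($BaseDirectory).TrimEnd($sep) + $sep
    $dirPath  = if ($relDir) { Join-Path $baseFull $relDir } else { $baseFull }
    $dirFull  = [System.IO.Path]::GetFullPath($dirPath).TrimEnd($sep) + $sep
    if (-not $dirFull.StartsWith($baseFull, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Resolved outside the base directory: $dirFull"
    }
    Get-ChildItem -LiteralPath $dirFull -Filter $leaf -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path
}

# Demonstration against a constructed directory tree (created here, not product data).
$base = Join-Path ([System.IO.Path]::GetTempPath()) 'wildcard-hash-demo'
New-Item -ItemType Directory -Path (Join-Path $base 'sub') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $base 'sub\module.dll') -Value 'constructed sample'
Get-WildcardHashSafe -BaseDirectory $base -Wildcard 'sub\*.dll'   # hashes module.dll only
foreach ($bad in '\\attacker\share\*', 'C:\Windows\*', '..\..\*', 'sub\..\..\*', 's*b\x.dll') {
    try   { Get-WildcardHashSafe -BaseDirectory $base -Wildcard $bad | Out-Null }
    catch { Write-Host "rejected ${bad}: $($_.Exception.Message)" }
}
```

The prefix check after `GetFullPath` is deliberately kept even though the earlier pattern checks already reject the obvious inputs: it is the control that survives a normalisation trick the pattern checks did not anticipate, and it is the one check a fix for this class of bug cannot do without.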
Discovery
All four credential coercion vulnerabilities in this group (CVE-2024-10811, CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) were discovered by Horizon3.ai. They coordinated disclosure with Ivanti, agreeing to a 30-day embargo after the January 13, 2025 patch release before publishing technical details. Horizon3.ai published their full analysis and proof-of-concept exploit on February 19, 2025.
Exploitation Context
CISA added CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 to the KEV catalog on March 10, 2025 — approximately two months after Ivanti's patch release and three weeks after Horizon3.ai's PoC publication. The relatively rapid move to the KEV catalog after PoC publication is consistent with attackers weaponizing the published exploit.
Exploitation of these vulnerabilities does not require compromising the EPM server directly — rather, it forces the EPM server to become an unwitting participant in a credential relay attack. The downstream impact can extend to full Active Directory domain compromise if the relayed machine account credentials are used to create privileged accounts and establish persistence.
The three CVEs are often exploited as a set, since each covers a different web service endpoint performing the same underlying operation (file hash calculation). Attempting all three increases an attacker's chances of triggering a successful credential coercion, as organizations may have partially applied workarounds blocking individual endpoints.
At the time of CISA's KEV addition, no specific threat actors or ransomware groups had been publicly attributed to active exploitation of these vulnerabilities.
Remediation
- Apply the January 2025 Security Update for your EPM version (EPM 2024 January-2025 SU or EPM 2022 SU6 January-2025 SU); this is the primary fix
- Block outbound SMB traffic from the EPM Core server: prevent it from initiating connections on TCP port 445 to anything other than known managed endpoints, and block port 445 to the internet entirely. This breaks the UNC-path coercion at the network level even on unpatched systems. Note that a Windows host with the WebClient service running can retry a failed UNC access over WebDAV (HTTP/HTTPS), so disable WebClient on the EPM server or restrict that egress as well
- Harden the relay targets, not only the EPM server: SMB signing settings on the EPM server govern its own SMB sessions and do not protect the domain controller that receives the relayed authentication. Enforce LDAP signing and LDAP channel binding on domain controllers, and require SMB signing on file servers and other hosts that could be relay targets (`Microsoft network server: Digitally sign communications (always)`). The client-side policy (`Microsoft network client: Digitally sign communications (always)`) on the EPM server is a reasonable layered setting but addresses the wrong side of the relay
- Restrict network access to EPM web services: limit access to the EPM Core server web service endpoints to authorized management hosts and subnets only
- Review Active Directory for unauthorized machine accounts: look for computer objects created since the January 2025 patch release (and especially from the PoC publication in February 2025 onward) that carry delegation attributes, and check the EPM server's own computer object for `msDS-AllowedToActOnBehalfOfOtherIdentity`, because relay tooling typically grants the newly created account resource-based constrained delegation to the coerced host rather than marking the new account itself
- Audit domain controller authentication logs: in a relay the authentication arrives at the domain controller from the attacker's host, not from the EPM server, so look for NTLM network logons (Event ID 4624, logon type 3, authentication package NTLM) of the EPM server's machine account whose source address is not the EPM server, and for computer accounts created (Event ID 4741) by that machine account
- Rotate EPM machine account credentials: if exploitation is suspected, reset the EPM server's machine account password (`Reset-ComputerMachinePassword` run on the EPM server, or domain controller tooling). A new password does not revoke accounts or delegation entries the attacker already created; remove those as well
- Discontinue use if patching is not achievable: an unpatched EPM server reachable from untrusted networks can be used to coerce and relay machine account credentials, enabling domain-level attacks
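As an added example (not Ivanti's or Horizon3.ai's tooling) of the Active Directory review and domain controller log audit described above, the PowerShell below hunts for relay artefacts from a domain-joined workstation that has the ActiveDirectory RSAT module and read access to a domain controller's Security log. It lists recently created computer objects with delegation settings, inspects the EPM server's own computer object (ntlmrelayx-style delegation abuse writes resource-based constrained delegation onto the coerced host's object), and pulls NTLM network logons of the EPM machine account that did not originate from the EPM server plus computer-account creations performed by that account. `$EpmAccount`, `$EpmServerIp` and `$Since` are assumed values for your environment.

```powershell
# Added example, not Ivanti's or Horizon3.ai's tooling. Run from a domain-joined
# workstation with the ActiveDirectory RSAT module and read access to the DC's
# Security log. The values at the bottom are assumptions about your environment.

function ConvertFrom-EventData {
    # Flattens the <EventData><Data Name="..."> fields of a Security event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $fields = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $fields[$node.GetAttribute('Name')] = $node.InnerText
    }
    return $fields
}

function Find-SuspiciousMachineAccounts {
    param([datetime]$Since, [string]$CoercedAccount)
    Import-Module ActiveDirectory -ErrorAction Stop
    $props = 'whenCreated', 'OperatingSystem', 'TrustedForDelegation',
             'TrustedToAuthForDelegation', 'PrincipalsAllowedToDelegateToAccount'
    # Computer objects created since the cut-off. An account created through a
    # relay never joined a real machine, so it has no OperatingSystem attribute;
    # a delegation setting on such an object is a strong signal. Pre-staged
    # accounts also match, so review the output rather than acting on it blindly.
    $recent = Get-ADComputer -Filter { whenCreated -ge $Since } -Properties $props |
        Where-Object {
            -not $_.OperatingSystem -or $_.TrustedForDelegation -or
            $_.TrustedToAuthForDelegation -or $_.PrincipalsAllowedToDelegateToAccount
        }
    # The coerced server's own object: ntlmrelayx-style delegation abuse writes
    # resource-based constrained delegation here, naming the attacker's account
    # as a principal allowed to delegate to this host.
    $self = Get-ADComputer -Filter "sAMAccountName -eq '$CoercedAccount'" -Properties $props
    @($recent) + @($self) | Select-Object Name, whenCreated, OperatingSystem,
        TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegate'; e = { @($_.PrincipalsAllowedToDelegateToAccount | ForEach-Object { $_.Name }) -join ', ' } }
}

function Find-RelayedMachineAccountLogons {
    param([string]$DomainController, [string]$Account, [string]$ExpectedIp, [datetime]$Since)
    # 4624 / logon type 3 / NTLM is the EPM machine account authenticating to the
    # DC over the network. Relayed authentication reaches the DC from the
    # attacker's host, so a source address other than the EPM server is the tell.
    $q = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    $logons = Get-WinEvent -ComputerName $DomainController -FilterHashtable $q -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            if ($f.TargetUserName -eq $Account -and $f.LogonType -eq '3' -and
                $f.AuthenticationPackageName -eq 'NTLM' -and $f.IpAddress -ne $ExpectedIp) {
                [pscustomobject]@{
                    Time = $_.TimeCreated; Event = 4624; Account = $f.TargetUserName
                    SourceIp = $f.IpAddress; Detail = "workstation $($f.WorkstationName)"
                }
            }
        }
    # 4741 (computer account created) with the coerced account as the subject is
    # the relay's "create a machine account" step leaving its record on the DC.
    $q = @{ LogName = 'Security'; Id = 4741; StartTime = $Since }
    $created = Get-WinEvent -ComputerName $DomainController -FilterHashtable $q -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertFrom-EventData $_
            if ($f.SubjectUserName -eq $Account) {
                [pscustomobject]@{
                    Time = $_.TimeCreated; Event = 4741; Account = $f.SubjectUserName
                    SourceIp = ''; Detail = "created $($f.TargetUserName)"
                }
            }
        }
    @($logons) + @($created) | Sort-Object Time
}

# Assumed environment values; change before running.
$EpmAccount  = 'EPMCORE$'              # sAMAccountName of the EPM Core server's computer account
$EpmServerIp = '10.0.0.50'             # the EPM Core server's address as the DC sees it
$Since       = Get-Date '2025-01-13'   # Ivanti's patch date; widen it if the server was exposed earlier
$Dc          = (Get-ADDomainController).HostName

Find-SuspiciousMachineAccounts -Since $Since -CoercedAccount $EpmAccount | Format-Table -AutoSize
Find-RelayedMachineAccountLogons -DomainController $Dc -Account $EpmAccount -ExpectedIp $EpmServerIp -Since $Since |
    Format-Table -AutoSize
```

The source-address filter is the part that matters: the EPM machine account authenticating to a domain controller with NTLM is routine, but it should only ever do so from the EPM server itself. If the Security log has rolled over since January, the same fields are available from whatever SIEM ingests 4624 and 4741 from the domain controllers.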
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-13159 |
| Vendor / Product | Ivanti — Endpoint Manager (EPM) |
| NVD Published | 2025-01-14 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-36 |
| CISA KEV Added | 2025-03-10 |
| CISA KEV Deadline | 2025-03-31 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply the January 2025 Security Update for EPM 2024 or EPM 2022 SU6 (see Remediation); where that is not possible, discontinue use of the exposed server. For federal civilian executive branch agencies, CISA's BOD 22-01 deadline is 2025-03-31.
Timeline
| Date | Event |
|---|---|
| 2025-01-13 | Ivanti publishes Security Advisory EPM January 2025 and releases patches for EPM 2024 and EPM 2022 SU6; CVE-2024-13159, CVE-2024-13160, CVE-2024-13161, and CVE-2024-10811 disclosed together |
| 2025-01-14 | CVE-2024-13159 published to NVD |
| 2025-02-19 | Horizon3.ai publishes detailed technical analysis of all four credential coercion vulnerabilities and releases proof-of-concept exploit (30-day coordinated disclosure window after January patch) |
| 2025-03-10 | CISA adds CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 to Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild |
| 2025-03-31 | CISA BOD 22-01 remediation deadline for federal civilian executive branch agencies |