How to Fix CVE-2024-13160: Ivanti EPM Path Traversal (Sibling)
*By Sai Kiran Pandrala*
| Severity | CVSS 9.8, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | Ivanti EPM 2024 and EPM 2022, same as the bundle |
| Fixed in | EPM 2024 January 2025 Security Update; EPM 2022 SU6 January 2025 Security Update |
| Type (CWE) | Absolute Path Traversal |
CVE-2024-13160 is one of three sibling Ivanti EPM path-traversal vulnerabilities. The full remediation procedure is at How to Fix CVE-2024-13161; applying the January 2025 Security Update fixes all three CVEs in one operation.
What's different about CVE-2024-13160?
It is a distinct vulnerable code path in EPM with the same flaw class as CVE-2024-13161 and CVE-2024-13159. Different endpoint, same root cause (insufficient path sanitization), same impact (file read/write outside intended directory), same fix.
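To illustrate the flaw class named in the table (absolute path traversal, CWE-36) rather than Ivanti's code, which this page does not show, here is an added Python example, not from the advisory or the product: a sanitizer that only filters `..` segments still lets an absolute path escape the intended directory, while a containment check on the normalized result does not. `BASE_DIR` and the sample paths are constructed for the example.

```python
import posixpath

# Constructed example root for the demonstration, not Ivanti's real layout.
BASE_DIR = "/srv/epm/files"


def naive_resolve(user_path: str) -> str:
    """Weak: rejects '..' segments, then joins onto BASE_DIR.

    posixpath.join() discards BASE_DIR when user_path is absolute, so an
    absolute path passes the filter and resolves outside the base directory.
    This is the CWE-36 (absolute path traversal) case, as opposed to the
    CWE-23 relative ('..') case that the filter does catch.
    """
    if ".." in user_path.split("/"):
        raise ValueError("relative traversal rejected")
    return posixpath.join(BASE_DIR, user_path)


def safe_resolve(user_path: str) -> str:
    """Hardened: normalize the full candidate and require containment.

    Checking the resolved path against BASE_DIR catches absolute paths,
    '..' sequences, and mixed forms in one place, instead of filtering tokens.
    """
    base = posixpath.normpath(BASE_DIR)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    # The trailing slash prevents '/srv/epm/files2' from matching '/srv/epm/files'.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError("path escapes base directory")
    return candidate


def accepts(resolver, user_path: str) -> bool:
    """True if the resolver returns a path for user_path instead of raising."""
    try:
        resolver(user_path)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for p in ["reports/a.txt", "reports/../../other.txt", "/srv/other/secret.txt"]:
        print(f"{p!r:32} naive={accepts(naive_resolve, p)!s:5} safe={accepts(safe_resolve, p)}")
```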
How to fix CVE-2024-13160
Apply the Ivanti EPM January 2025 Security Update. The full procedure is at How to Fix CVE-2024-13161. One upgrade closes all three sibling CVEs.
Frequently asked questions
Is CVE-2024-13160 actively exploited?
Yes. CVE-2024-13160 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch by the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2024-13160?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Ivanti EPM January 2025 advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13160
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Bundle primary: How to Fix CVE-2024-13161
- Other sibling: CVE-2024-13159
*This guide is one of the bundle siblings. The primary write-up with full procedure is at how-to-fix-cve-2024-13161.*