How to Fix CVE-2024-13161: Ivanti Endpoint Manager Path Traversal
*By Sai Kiran Pandrala*
| Field | Value |
|---|---|
| Severity | CVSS 9.8, Critical |
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | Ivanti Endpoint Manager (EPM), versions prior to the January 2025 Security Update for EPM 2024 and EPM 2022 |
| Fixed in | EPM 2024 January 2025 Security Update and EPM 2022 SU6 January 2025 Security Update |
| Type (CWE) | Absolute Path Traversal |
⚠️ One of three related path traversals. CVE-2024-13161, CVE-2024-13160, and CVE-2024-13159 were disclosed together as the Ivanti EPM January 2025 bundle. One patch covers all three.
What is CVE-2024-13161?
Ivanti Endpoint Manager (EPM) has an absolute path traversal vulnerability that lets an attacker read or write files outside the intended directory. In an enterprise endpoint management product, file-system primitives translate into lateral capability across the managed device fleet: EPM holds package distribution paths, scripts pushed to endpoints, and inventory data for every managed system.
This CVE is one of three sibling path-traversal issues fixed in the same Ivanti Security Advisory for EPM January 2025. See CVE-2024-13160 and CVE-2024-13159 for the siblings.
Am I affected?
You are affected if you run Ivanti Endpoint Manager at any version prior to:
- EPM 2024: January 2025 Security Update
- EPM 2022: SU6 January 2025 Security Update
EPM versions older than 2022 are end-of-life and have no fix path; migrate to a supported release.
Check your version: open the EPM console → About, or check the registry entry on the Windows core server.
How to fix CVE-2024-13161
- Open the Ivanti Security Advisory for EPM January 2025 (referenced below).
- Download the appropriate Security Update from the Ivanti support portal:
  - EPM 2024: the January 2025 Security Update package
  - EPM 2022: SU6 + January 2025 Security Update
- Back up the EPM database before applying.
- Apply the update via the EPM console: Tools → Maintenance → Patch Manager → Install Updates (or the documented installer for the SU package).
- Restart the EPM core server services when prompted.
- Re-test agent connectivity from a few managed endpoints after the upgrade to confirm the management plane is healthy.
The same security update patches CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 in one operation.
Upgrade the Ivanti / Pulse Secure appliance

```shell
# Web admin: System -> Upgrade/Downgrade -> stage the patched image
# referenced in the advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
# CLI verification after reboot
show version
show system status
```
Verify the fix landed

```shell
# 1. Confirm the running version matches the fixed-in version from the advisory:
# https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
# Use the platform-specific version probe above.
# 2. Re-scan with your vulnerability scanner (Nessus, Qualys, Tenable, OpenVAS).
# The scanner should no longer flag CVE-2024-13161 on the patched target.
# 3. Inspect recent service / kernel logs for crash loops or rollback events.
# (These two commands apply to Linux-hosted components; on the Windows EPM core
#  server, read the System event log instead.)
journalctl -u <service> --since "10 minutes ago"
dmesg --since "10 minutes ago"
```
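The version check from "Am I affected?" and the post-update log inspection above, as one added example for the Windows EPM core server (this is not Ivanti's tooling and not code from the advisory). It reads the installed product entry from the standard Windows Uninstall registry keys, compares it with a fixed-in version you supply from the advisory (the `$FixedVersion` default is a placeholder, because this page lists no build number), and pulls the last ten minutes of Service Control Manager events as the Windows counterpart of the `journalctl` check. The `DisplayName` match on "Ivanti" or "LANDesk" is an assumption about how the product registers itself.

```powershell
# Added example, not from the Ivanti advisory. Run in an elevated PowerShell on the EPM core server.
# Assumptions: EPM registers under the standard Uninstall keys with a DisplayName containing
# "Ivanti" or "LANDesk"; $FixedVersion is a PLACEHOLDER to be taken from the advisory.
param(
    [string]$FixedVersion   = '0.0.0.0',   # PLACEHOLDER: fixed-in build from the Ivanti advisory
    [int]$LookbackMinutes   = 10
)

function Test-EpmPatched {
    # Returns $true (patched), $false (below fixed-in) or $null (version string not comparable).
    param([string]$Installed, [string]$Fixed)
    if ($Installed -notmatch '^\d+(\.\d+)+') { return $null }   # e.g. empty or non-numeric strings
    try {
        $i = [version]$Matches[0]
        $f = [version]$Fixed
        return ($i -ge $f)
    } catch {
        return $null
    }
}

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. Installed version: look for the EPM core server among installed products.
$products = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Ivanti|LANDesk' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

if (-not $products) {
    Write-Warning 'No Ivanti/LANDesk product entry found; read the version from Console -> About instead.'
}

foreach ($p in $products) {
    $state = Test-EpmPatched -Installed $p.DisplayVersion -Fixed $FixedVersion
    if ($null -eq $state)  { $verdict = 'version string not comparable; verify manually' }
    elseif ($state)        { $verdict = 'at or above fixed-in version' }
    else                   { $verdict = 'BELOW fixed-in version: still vulnerable' }
    Write-Host ('{0,-50} {1,-20} {2}' -f $p.DisplayName, $p.DisplayVersion, $verdict)
}

# 2. Service Control Manager events since the update: repeated start/stop cycles for
#    EPM services point at a crash loop or a rolled-back install.
$since  = (Get-Date).AddMinutes(-$LookbackMinutes)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    StartTime    = $since
} -ErrorAction SilentlyContinue

$events |
    Where-Object { $_.Message -match 'Ivanti|LANDesk' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Run it as `.\Check-EpmPatch.ps1 -FixedVersion <build from advisory>`; a `$null` verdict means the product's `DisplayVersion` string is not a plain dotted number and should be compared by hand against the advisory rather than trusted from this script.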
If you can't patch immediately
Restrict EPM core server access to a small administrative network at the firewall. EPM agent traffic uses specific ports; those can stay open while management portal access is locked down. The vulnerable code path is in the management API, not the agent protocol.
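One way to apply that interim restriction on the Windows core server with Windows Defender Firewall, as an added example rather than Ivanti guidance. It assumes the management portal listens on TCP 443 (confirm on your server with `Get-NetTCPConnection`), uses a constructed admin subnet of `10.10.50.0/24`, and the `$AgentPorts` values are placeholders to replace with the agent ports documented for your EPM version. The important design point is step 1: Windows Firewall unions allow rules, so scoping a new allow rule to the admin subnet only helps if the default inbound action is Block and no broader allow rule still opens the same port.

```powershell
# Added example, not Ivanti guidance. Run elevated on the EPM core server.
# Assumptions: portal on TCP 443; $AdminSubnet is a constructed value; $AgentPorts are PLACEHOLDERS.
$AdminSubnet = '10.10.50.0/24'
$PortalPort  = 443
$AgentPorts  = @(9593, 9594, 9595)   # PLACEHOLDER: agent ports from Ivanti's port documentation
$PortalRule  = 'EPM management portal - admin subnet only'
$AgentRule   = 'EPM agent traffic - all endpoints'

# 1. Drop unmatched inbound traffic; a scoped allow rule achieves nothing otherwise.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable any enabled allow rule that opens the portal port to every remote address.
#    (Rules with LocalPort 'Any' would also expose it; they are listed for manual review
#     rather than disabled, because they may carry unrelated services.)
$inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $inboundAllow) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($port.Protocol -ne 'TCP' -or $addr.RemoteAddress -ne 'Any') { continue }
    if ($port.LocalPort -eq 'Any') {
        Write-Warning "Review manually (TCP any-port allow from Any): $($rule.DisplayName)"
    } elseif (@($port.LocalPort) -contains "$PortalPort" -and $rule.DisplayName -ne $PortalRule) {
        Write-Host "Disabling broad inbound rule: $($rule.DisplayName)"
        Disable-NetFirewallRule -Name $rule.Name
    }
}

# 3. Allow the portal only from the admin subnet; keep agent ports reachable from all endpoints.
if (-not (Get-NetFirewallRule -DisplayName $PortalRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $PortalRule -Direction Inbound -Protocol TCP `
        -LocalPort $PortalPort -RemoteAddress $AdminSubnet -Action Allow | Out-Null
}
if (-not (Get-NetFirewallRule -DisplayName $AgentRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $AgentRule -Direction Inbound -Protocol TCP `
        -LocalPort $AgentPorts -RemoteAddress Any -Action Allow | Out-Null
}

# 4. Print the resulting scope so the change can be reviewed before anyone walks away.
Get-NetFirewallRule -DisplayName 'EPM *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        LocalPort  = ($port.LocalPort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

If the agent protocol on your version also uses UDP, add a matching UDP rule for `$AgentPorts`. The scoped portal rule is worth keeping after the Security Update is applied, since it removes the management API from the reach of every managed endpoint regardless of future bugs.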
How to verify the fix worked
- EPM Console → About → version should show the January 2025 Security Update level.
- Run an authenticated vulnerability scan against the EPM core server. The CVE-2024-13161 (and CVE-2024-13160, CVE-2024-13159) detections should all clear.
Frequently asked questions
Is CVE-2024-13161 actively exploited?
Yes. CVE-2024-13161 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2024-13161?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official Ivanti EPM January 2025 advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-13161
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Bundle siblings: CVE-2024-13160, CVE-2024-13159
*This guide was assembled from the Ivanti EPM January 2025 Security Advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against Ivanti's advisory before applying changes in production.*