CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-10811

CVSS 9.8v3.1pub. 2025-01-14upd. 2025-06-17

Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.

🤖 AI Analysis
How it works

The error consists of improper validation of file paths (CWE-36, CWE-22) — an attacker can provide an absolute path to a file on the server, bypassing the application's working directory restrictions. The request is executed without any authentication, making the attack available to anyone with network connectivity to the EPM server. As a result, it is possible to read files outside the intended application directories.

Impact

An attacker can disclose sensitive information stored on the server, such as configuration data, credentials, or other system files accessible to the server process.

Mitigation & patch

Update Ivanti EPM to the version containing the January-2025 security update (for EPM 2024 line or EPM 2022 SU6). Detailed instructions are available in the official vendor statement at forums.ivanti.com. Until the patch is deployed, it is recommended to restrict network access to the EPM server only to trusted hosts.

Who is affected

Ivanti Endpoint Manager (EPM) in versions prior to the January-2025 security update for EPM 2024 and prior to the January-2025 security update for EPM 2022 SU6.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ivanti Endpoint Manager

    APP
    Ivanti
    20222024< 2022
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Path TraversalAuth Bypass
CWE
References

Related vulnerabilities

CVE-2024-13159CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Absolute Path Traversal w Ivanti EPM — wyciek danych bez uwierzytelnienia

CVE-2024-13161CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia

CVE-2024-13160CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia

CVE-2025-10573CRITICAL9.6PL ✓ten sam produkt

Stored XSS w Ivanti Endpoint Manager umożliwiający przejęcie sesji admina

CVE-2024-50330CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Ivanti Endpoint Manager umożliwiający RCE bez uwierzytelnienia