Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote unauthenticated attacker to leak sensitive information.
The vulnerability (CWE-36 — absolute path traversal) occurs because the application does not properly restrict file paths specified by the user, allowing an attacker to reference arbitrary files on the server's file system using absolute paths. The request can be sent without any authentication, eliminating typical access barriers. As a result, the attacker is able to read files located outside the application's intended directories.
An attacker can remotely read sensitive information from the system without authentication — potentially including configuration data, credentials, or other files accessible to the server process, which may lead to further compromise of the environment.
Ivanti EPM must be immediately updated to a version containing the January-2025 Security Update (for the EPM 2024 line) or 2022 SU6 January-2025 Security Update (for the EPM 2022 line). Detailed instructions are available in the official security bulletin from the vendor: https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6
Ivanti Endpoint Manager (EPM) in versions prior to the 2024 January-2025 Security Update and prior to 2022 SU6 January-2025 Security Update.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIvanti Endpoint Manager
APPIvanti20222024< 2022
CISA KEV — detailsi
- Vendori
- Ivanti ↗
- Producti
- Endpoint Manager (EPM)
- Added to KEVi
- March 10, 2025
- Remediation deadline (US Federal)i
- March 31, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Ivanti Endpoint Manager (EPM) contains an absolute path traversal vulnerability that allows a remote unauthenticated attacker to leak sensitive information.
Related vulnerabilities
Absolute Path Traversal w Ivanti EPM — wyciek danych bez uwierzytelnienia
Absolute Path Traversal w Ivanti EPM — wyciek wrażliwych danych bez uwierzytelnienia
Stored XSS w Ivanti Endpoint Manager umożliwiający przejęcie sesji admina
Absolute Path Traversal w Ivanti Endpoint Manager — wyciek danych bez uwierzytelnienia
SQL Injection w Ivanti Endpoint Manager umożliwiający RCE bez uwierzytelnienia