What is Ivanti Endpoint Manager (EPM)?
Ivanti Endpoint Manager (EPM) is an enterprise IT asset management and endpoint control platform used by organizations to centrally discover, inventory, deploy software to, and manage the lifecycle of Windows, macOS, Linux, and mobile devices across their network. It is distinct from Ivanti EPMM (Endpoint Manager Mobile) — EPM focuses on traditional endpoints rather than mobile fleet management.
Key functions include:
- Asset discovery and inventory — automatically discover and catalog all devices on the network, including hardware specifications, installed software, and patch status
- Software distribution — centrally deploy, update, and remove applications across thousands of endpoints simultaneously
- Patch management — identify missing patches and orchestrate patch deployment across the managed device fleet
- OS deployment — provision bare-metal and virtual machines with operating system images at scale
- Remote control and troubleshooting — allow IT administrators to remotely connect to and manage endpoints
- Credential management — store and use privileged credentials (domain admin accounts, service accounts) required to authenticate to and manage remote endpoints
Because EPM must authenticate to every managed endpoint, it necessarily holds a credential vault containing high-privilege accounts. The EPM Core server also performs hash calculation operations against files on managed endpoints — these file hash operations are the attack surface exploited by CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161.
Overview
CVE-2024-13160 is one of three closely related absolute path traversal vulnerabilities (disclosed alongside CVE-2024-13159 and CVE-2024-13161) in Ivanti Endpoint Manager that allow a remote unauthenticated attacker to coerce the EPM server into authenticating to an attacker-controlled SMB server. This credential coercion attack captures the EPM machine account's NTLMv2 hash, which can then be relayed to a domain controller to create privileged accounts or otherwise escalate within the Active Directory environment.
All three CVEs were disclosed together in Ivanti's January 2025 security advisory, discovered by Horizon3.ai, and added to the CISA KEV catalog on March 10, 2025 after exploitation in the wild was confirmed.
CVE-2024-13160 specifically involves the GetHashForWildcard function. See also CVE-2024-13159 (GetHashForWildcardRecursive) and CVE-2024-13161 (GetHashForSingleFile).
Affected Versions
| Version | Status |
|---|---|
| EPM 2024 (before January-2025 Security Update) | Vulnerable |
| EPM 2024 January-2025 Security Update | Fixed |
| EPM 2022 SU6 (before January-2025 Security Update) | Vulnerable |
| EPM 2022 SU6 January-2025 Security Update | Fixed |
| EPM 2022 SU5 and prior | Vulnerable |
Fix: Apply the Ivanti EPM January 2025 Security Update for EPM 2024 or EPM 2022 SU6.
Technical Details
CVE-2024-13160 is a CWE-36 (Absolute Path Traversal) vulnerability residing in WSVulnerabilityCore.dll, located at C:\Program Files\LANDesk\ManagementSuite\WSVulnerabilityCore.dll on the EPM Core server.
Vulnerable function: GetHashForWildcard
The EPM server exposes web service endpoints that perform file hash calculations across files matching a wildcard pattern. The GetHashForWildcard method accepts a path parameter and, like its recursive counterpart in CVE-2024-13159, passes it to the hash calculator without validating whether the supplied path resolves outside of an expected restricted directory. The method permits unauthenticated users to construct paths that resolve to remote UNC locations on attacker-controlled servers.
Attack chain:
- An unauthenticated remote attacker sends a crafted request to the EPM web service, supplying a UNC path (e.g., `\\attacker-ip\share\*`) as the `wildcard` parameter to the `GetHashForWildcard` endpoint.
- The EPM server, without validating the path, attempts to access the attacker-controlled SMB server to enumerate matching files.
- During the SMB connection attempt, the EPM machine account transmits its NTLMv2 credentials to the attacker's server.
- The attacker captures the NTLMv2 hash using a tool such as Responder, then relays it to a domain controller via LDAP using `ntlmrelayx`.
- The relayed authentication is used to create a privileged machine account in Active Directory with delegation rights, enabling further privilege escalation or domain takeover.
Attack characteristics:
- No credentials required — fully unauthenticated
- Exploitable remotely over the network (CVSS Attack Vector: Network)
- No user interaction required
- A single crafted request triggers the credential coercion
- The captured NTLMv2 hash can be relayed in real time or cracked offline
- The difference between CVE-2024-13160 and CVE-2024-13159 is the specific API method targeted; both exploit the same underlying class of path validation failure in WSVulnerabilityCore.dll
CWE-36 (Absolute Path Traversal): The product uses external input to construct a pathname but does not properly neutralize absolute path sequences that can resolve outside the intended restricted directory — in this case, allowing the path to resolve to a remote UNC location on an attacker-controlled server.
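As an added example (not Ivanti's code and not a reconstruction of WSVulnerabilityCore.dll), the following PowerShell shows the check the vulnerable code path lacks: a wildcard hash routine that pins every request under one base directory and rejects UNC and absolute paths before the filesystem or the hash calculator sees them. The function names, the base directory and the sample file are hypothetical; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where backslash and drive-letter semantics apply.

```powershell
# Added example, not Ivanti's code. Function names, paths and the sample file are hypothetical.

function Test-RestrictedWildcardPath {
    # Returns $true only if $RequestedPath is a relative "dir\pattern" that stays inside $BaseDirectory.
    param(
        [Parameter(Mandatory)][string]$BaseDirectory,   # the only tree the service may read
        [Parameter(Mandatory)][string]$RequestedPath    # caller-supplied, e.g. 'scans\*.dll'
    )
    # The missing check: a leading separator or drive letter names an absolute location,
    # and a leading "\\" or "//" is a UNC path, which is what the credential coercion relies on.
    if ($RequestedPath -match '^([\\/]|[A-Za-z]:)') { return $false }
    if ([System.IO.Path]::IsPathRooted($RequestedPath)) { return $false }

    # Split the wildcard off first: under Windows PowerShell, GetFullPath rejects '*' and '?'.
    $pattern = [System.IO.Path]::GetFileName($RequestedPath)
    $dirPart = [System.IO.Path]::GetDirectoryName($RequestedPath)
    if ($null -eq $dirPart) { $dirPart = '' }
    if ([string]::IsNullOrEmpty($pattern) -or $pattern -in @('.', '..')) { return $false }

    # Canonicalise both sides (this collapses any "..") and require containment. The trailing
    # separator stops 'C:\base' from matching a sibling such as 'C:\base-other'.
    $baseFull = [System.IO.Path]::GetFullPath($BaseDirectory).TrimEnd('\') + '\'
    $dirFull  = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($baseFull, $dirPart)).TrimEnd('\') + '\'
    return $dirFull.StartsWith($baseFull, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-RestrictedFileHash {
    # Hardened counterpart of a "hash every file matching a wildcard" service method.
    param(
        [Parameter(Mandatory)][string]$BaseDirectory,
        [Parameter(Mandatory)][string]$RequestedPath
    )
    if (-not (Test-RestrictedWildcardPath -BaseDirectory $BaseDirectory -RequestedPath $RequestedPath)) {
        # Fail closed; the raw string never reaches the filesystem layer.
        throw "Rejected path outside the permitted directory: '$RequestedPath'"
    }
    $pattern = [System.IO.Path]::GetFileName($RequestedPath)
    $dirPart = [System.IO.Path]::GetDirectoryName($RequestedPath)
    if ($null -eq $dirPart) { $dirPart = '' }
    $dir = [System.IO.Path]::Combine($BaseDirectory, $dirPart)
    # -LiteralPath: the validated directory is used verbatim; only the leaf pattern is wildcard-expanded.
    Get-ChildItem -LiteralPath $dir -Filter $pattern -File -ErrorAction Stop |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash
}

# Demonstration with a constructed directory and file (sample data, not an EPM path).
$base = Join-Path $env:TEMP 'epm-hash-demo'
New-Item -ItemType Directory -Path $base -Force | Out-Null
Set-Content -Path (Join-Path $base 'agent.dll') -Value 'constructed sample content'

Get-RestrictedFileHash -BaseDirectory $base -RequestedPath '*.dll'

foreach ($p in '\\attacker-ip\share\*', 'C:\Windows\*.dll', '..\..\Windows\*.dll', 'scans\..\*.dll') {
    '{0,-28} allowed: {1}' -f $p, (Test-RestrictedWildcardPath -BaseDirectory $base -RequestedPath $p)
}
```

The ordering matters: the UNC and drive-letter tests run on the raw string before any canonicalisation, because on Windows `GetFullPath` happily resolves `\\host\share\...` and would return it unchanged. Splitting the leaf pattern off before canonicalising keeps the wildcard out of the path API while still letting `Get-ChildItem -Filter` expand it inside the validated directory only; the final loop shows the validator accepting a pattern that resolves back inside the base (`scans\..\*.dll`) while rejecting the UNC, absolute and escaping forms.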
Discovery
All four credential coercion vulnerabilities in this group (CVE-2024-10811, CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) were discovered by Horizon3.ai. They coordinated disclosure with Ivanti, agreeing to a 30-day embargo after the January 13, 2025 patch release before publishing technical details. Horizon3.ai published their full analysis and proof-of-concept exploit on February 19, 2025.
Exploitation Context
CISA added CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 to the KEV catalog on March 10, 2025 — approximately two months after Ivanti's patch release and three weeks after Horizon3.ai's PoC publication. The relatively rapid move to the KEV catalog after PoC publication is consistent with attackers weaponizing the published exploit.
Exploitation of these vulnerabilities does not require compromising the EPM server directly — rather, it forces the EPM server to become an unwitting participant in a credential relay attack. When the relayed machine account credentials are used to create privileged Active Directory accounts, the downstream impact can extend to full domain compromise.
The three CVEs are often exploited as a set, since each covers a different web service endpoint performing the same underlying hash calculation operation. Attempting all three increases an attacker's chances of triggering a successful credential coercion, as organizations may have only partially blocked individual endpoints.
At the time of CISA's KEV addition, no specific threat actors or ransomware groups had been publicly attributed to active exploitation of these vulnerabilities.
Remediation
- Apply the January 2025 Security Update for your EPM version — EPM 2024 January-2025 SU or EPM 2022 SU6 January-2025 SU; this is the primary fix
- Block outbound SMB traffic from the EPM Core server — prevent the EPM server from initiating outbound connections on TCP port 445 to hosts outside of known managed endpoints; this breaks the UNC path coercion attack at the network level even on unpatched systems
- Enable SMB signing on the EPM server — SMB signing prevents captured NTLMv2 credentials from being relayed; enable it via Group Policy (`Microsoft network client: Digitally sign communications (always)`) as a layered defense
- Restrict network access to EPM web services — limit access to the EPM Core server web service endpoints to authorized management hosts and subnets only
- Review Active Directory for unauthorized machine accounts — look for recently created machine accounts with unusual delegation attributes, particularly any created around the time PoC was published (February 2025 onward)
- Audit domain controller authentication logs — look for NTLM authentication events originating from the EPM server's IP address against the domain controller, particularly during periods when exploitation may have occurred
- Rotate EPM machine account credentials — if exploitation is suspected, reset the EPM server's machine account password in Active Directory (`Reset-ComputerMachinePassword` or domain controller tooling)
- Discontinue use if patching is not achievable — an unpatched EPM server reachable from untrusted networks can be used to coerce and relay machine account credentials, enabling domain-level attacks
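To verify and hunt for the items above, here is an added PowerShell example (not Ivanti's or Microsoft's code). It reads the client-side SMB signing policy value, lists recently created machine accounts that carry delegation attributes, and filters domain controller 4624 logon events for NTLM network logons tied to the EPM Core server. The function names, the address 10.0.5.20, the account name EPMCORE$ and the sample events are constructed; the AD query assumes the ActiveDirectory RSAT module on a domain-joined Windows host. One caveat the event filter accounts for: in a relay, the domain controller records the relaying host's IP as the logon source, so the EPM machine account authenticating over NTLM from an address other than the EPM Core server is the stronger signal, alongside the EPM-IP match the audit item describes.

```powershell
# Added example, not Ivanti's or Microsoft's code. Names, addresses and events are constructed.

# 1. "Microsoft network client: Digitally sign communications (always)" is stored as
#    RequireSecuritySignature under the LanmanWorkstation parameters key. Run on the EPM Core server.
function Test-SmbClientSigningRequired {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $item = Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.RequireSecuritySignature -eq 1)
}

# 2. Machine accounts created since the PoC window that carry any delegation attribute.
#    The default -Since follows the February 2025 guidance above.
function Get-RecentDelegatedMachineAccount {
    param([datetime]$Since = (Get-Date '2025-02-01'))
    Import-Module ActiveDirectory -ErrorAction Stop
    $props = 'whenCreated', 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    Get-ADComputer -Filter { whenCreated -ge $Since } -Properties $props |
        Where-Object {
            $_.TrustedForDelegation -or $_.TrustedToAuthForDelegation -or
            $_.'msDS-AllowedToDelegateTo' -or $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        } |
        Select-Object Name, SamAccountName, whenCreated, TrustedForDelegation, TrustedToAuthForDelegation,
            'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
}

# 3. Flatten 4624 events from a DC Security log into the shape Select-EpmNtlmLogon consumes.
function Get-Dc4624Event {
    param([string]$ComputerName = $env:COMPUTERNAME, [datetime]$Since = (Get-Date).AddDays(-30))
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated               = $_.TimeCreated
                EventId                   = $_.Id
                LogonType                 = [int]$d['LogonType']
                IpAddress                 = $d['IpAddress']
                TargetUserName            = $d['TargetUserName']
                AuthenticationPackageName = $d['AuthenticationPackageName']
            }
        }
}

# NTLM network logons (type 3) involving the EPM Core server, matched by source IP or by account.
# SourceMismatch marks the EPM machine account authenticating from a host other than the EPM server,
# which is how a relay through an attacker's machine appears on the domain controller.
function Select-EpmNtlmLogon {
    param(
        [Parameter(Mandatory)][string]$EpmCoreIp,
        [Parameter(Mandatory)][string]$EpmAccountName,
        [Parameter(Mandatory, ValueFromPipeline)]$Event
    )
    process {
        if ($Event.EventId -ne 4624 -or $Event.LogonType -ne 3 -or $Event.AuthenticationPackageName -ne 'NTLM') { return }
        $byIp      = $Event.IpAddress -eq $EpmCoreIp
        $byAccount = $Event.TargetUserName -eq $EpmAccountName
        if ($byIp -or $byAccount) {
            $Event | Add-Member -NotePropertyName SourceMismatch -NotePropertyValue ($byAccount -and -not $byIp) -PassThru -Force
        }
    }
}

# Constructed sample events (not real log data) to exercise the filter offline.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2025-02-20 03:14:07'; EventId = 4624; LogonType = 3; IpAddress = '10.0.5.20'; TargetUserName = 'EPMCORE$'; AuthenticationPackageName = 'NTLM' }
    [pscustomobject]@{ TimeCreated = '2025-02-20 03:14:09'; EventId = 4624; LogonType = 3; IpAddress = '10.0.5.20'; TargetUserName = 'EPMCORE$'; AuthenticationPackageName = 'Kerberos' }
    [pscustomobject]@{ TimeCreated = '2025-02-20 03:15:01'; EventId = 4624; LogonType = 2; IpAddress = '10.0.5.20'; TargetUserName = 'jsmith';   AuthenticationPackageName = 'NTLM' }
    [pscustomobject]@{ TimeCreated = '2025-02-20 03:16:44'; EventId = 4624; LogonType = 3; IpAddress = '10.0.99.7'; TargetUserName = 'EPMCORE$'; AuthenticationPackageName = 'NTLM' }
    [pscustomobject]@{ TimeCreated = '2025-02-20 03:17:02'; EventId = 4624; LogonType = 3; IpAddress = '10.0.9.77'; TargetUserName = 'WS01$';    AuthenticationPackageName = 'NTLM' }
)
$sample | Select-EpmNtlmLogon -EpmCoreIp '10.0.5.20' -EpmAccountName 'EPMCORE$' |
    Format-Table TimeCreated, IpAddress, TargetUserName, SourceMismatch -AutoSize

# Live use on a domain controller (Security log access and RSAT required):
# Get-Dc4624Event -ComputerName 'DC01' | Select-EpmNtlmLogon -EpmCoreIp '10.0.5.20' -EpmAccountName 'EPMCORE$'
# Get-RecentDelegatedMachineAccount
```

The sample set is built so that each of the three filter conditions drops one event (Kerberos package, interactive logon type, unrelated host) and the two EPM-related NTLM logons survive, one from the EPM address and one from elsewhere with `SourceMismatch` set. The registry value reflects only the EPM host's SMB client policy; whether a relayed authentication is accepted on the LDAP side is governed by the domain controller's LDAP signing and channel binding settings, which this script does not check.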
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2024-13160 |
| Vendor / Product | Ivanti — Endpoint Manager (EPM) |
| NVD Published | 2025-01-14 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-36 |
| CISA KEV Added | 2025-03-10 |
| CISA KEV Deadline | 2025-03-31 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-01-13 | Ivanti publishes Security Advisory EPM January 2025 and releases patches for EPM 2024 and EPM 2022 SU6; CVE-2024-13159, CVE-2024-13160, CVE-2024-13161, and CVE-2024-10811 disclosed together |
| 2025-01-14 | CVE-2024-13160 published to NVD |
| 2025-02-19 | Horizon3.ai publishes detailed technical analysis of all four credential coercion vulnerabilities and releases proof-of-concept exploit (30-day coordinated disclosure window after January patch) |
| 2025-03-10 | CISA adds CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 to Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild |
| 2025-03-31 | CISA BOD 22-01 remediation deadline for federal civilian executive branch agencies |