CISA Adds Three Ivanti Endpoint Manager Flaws to Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) Catalog to include three critical security flaws affecting Ivanti Endpoint Manager (EPM).

All three vulnerabilities, identified as absolute path traversal issues, were added to the catalog on March 10, 2025, signaling that threat actors are actively exploiting them in the wild.

Federal agencies and organizations are now required to remediate these vulnerabilities by March 31, 2025, in accordance with CISA’s Binding Operational Directive (BOD) 22-01, which mandates timely remediation of known exploited vulnerabilities.

Technical Analysis of the Path Traversal Vulnerabilities

The three vulnerabilities (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) are classified as absolute path traversal flaws, associated with Common Weakness Enumeration CWE-36.

Path traversal vulnerabilities occur when applications fail to properly validate user-supplied input that contains directory traversal elements.

In the case of these Ivanti EPM flaws, remote unauthenticated attackers can manipulate file paths to access sensitive information stored outside the intended directory structure.

Unlike relative path traversal attacks that use “../” sequences, absolute path traversal vulnerabilities leverage complete file paths starting from the root directory, potentially giving attackers access to critical system files.
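The difference between the two classes can be shown with a short added example (not code from Ivanti, CISA or the original article): a filter that only strips "../" still lets an absolute path replace the base directory, while a check that rejects absolute input and verifies containment blocks both. The base directory, function names and sample paths are assumptions constructed for illustration.

```python
import ntpath
import posixpath

BASE_DIR = "/srv/app/reports"  # hypothetical document root (assumption)


def naive_resolve(user_path: str) -> str:
    """Weak pattern: strips "../" only, then joins onto the base directory."""
    cleaned = user_path.replace("../", "")
    # join() discards BASE_DIR entirely when `cleaned` is itself absolute.
    return posixpath.normpath(posixpath.join(BASE_DIR, cleaned))


def is_absolute(user_path: str) -> bool:
    """True for POSIX-rooted, backslash-rooted, drive-letter and UNC forms."""
    drive, _ = ntpath.splitdrive(user_path)
    return user_path.startswith(("/", "\\")) or drive != ""


def safe_resolve(user_path: str) -> str:
    """Reject absolute input, then confirm the result stays under BASE_DIR."""
    if "\x00" in user_path or is_absolute(user_path):
        raise ValueError("absolute path or NUL byte rejected")
    relative = user_path.replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, relative))
    # Component-wise containment check; this is lexical only and does not
    # resolve symlinks on disk.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise ValueError("path escapes base directory")
    return candidate


def is_rejected(user_path: str) -> bool:
    """Helper: True when safe_resolve() refuses the input."""
    try:
        safe_resolve(user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any advisory.
    for p in ["2025/q1.csv", "../secrets", "/etc/passwd", r"C:\Windows\win.ini"]:
        print(f"{p!r}: naive={naive_resolve(p)!r} rejected={is_rejected(p)}")
```
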

These vulnerabilities are particularly concerning as they require no authentication, significantly lowering the barrier for exploitation.

While CISA has not explicitly confirmed their use in ransomware campaigns, the inclusion in the KEV catalog indicates active exploitation by threat actors.

Remediation Requirements and Security Implications

CISA’s directive requires organizations using affected Ivanti EPM implementations to apply vendor-provided mitigations by March 31, 2025.

For cloud services, organizations must follow applicable BOD 22-01 guidance.

In cases where mitigations are unavailable, CISA recommends discontinuing use of the vulnerable product altogether.

These Ivanti vulnerabilities were added alongside other critical flaws, including vulnerabilities in Advantive VeraCore (CVE-2025-25181 and CVE-2024-57968), VMware ESXi and Workstation (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), and the Linux Kernel (CVE-2024-50302).

The KEV catalog serves as an authoritative source for network defenders to prioritize vulnerability management efforts, focusing on flaws that pose immediate risk due to active exploitation.

Security researchers note that path traversal vulnerabilities often serve as initial access vectors in sophisticated attack chains.

While data leakage is the primary concern with these Ivanti flaws, exposed sensitive information could facilitate further attacks, potentially leading to lateral movement within compromised networks.

Organizations are advised to implement defense-in-depth strategies, including network segmentation and the principle of least privilege, alongside the required patches.

The inclusion of these Ivanti vulnerabilities in CISA’s catalog underscores the ongoing challenges in securing enterprise endpoint management solutions, which typically have privileged access across organizational networks and contain valuable security configuration data that makes them high-value targets for threat actors.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
