

Multiple IBM Products Vulnerabilities
October 14, 2025
Multiple Oracle E-Business Vulnerabilities
October 14, 2025
Severity
High
Analysis Summary
Ivanti has revealed 13 security vulnerabilities in its Endpoint Manager (EPM) software, two of which are classified as high severity and could enable remote code execution (RCE) and privilege escalation. The disclosure highlights growing risks in enterprise management tools, which are increasingly targeted by attackers for supply chain intrusions. Although there is no evidence of active exploitation, Ivanti urges customers to apply interim mitigations while patches are finalized, emphasizing that outdated or unsupported EPM deployments remain at elevated risk.
The most critical flaw, CVE-2025-9713, is a path traversal vulnerability (CVSS 8.8, CWE-22) that allows unauthenticated remote attackers to execute arbitrary code if users interact with malicious configuration files. Another major issue, CVE-2025-11622, involves insecure deserialization (CVSS 7.8, CWE-502), which can be exploited by local authenticated users to escalate privileges and gain unauthorized access to sensitive resources. The remaining 11 vulnerabilities (CVSS 6.5, CWE-89) are SQL injection flaws that permit authenticated users to extract arbitrary data from EPM databases, including credentials and configuration details, increasing the risk of data theft and system compromise.
All vulnerabilities were responsibly disclosed by security researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044, underscoring the role of coordinated vulnerability reporting. Ivanti confirmed that no proof-of-concept (PoC) exploits or indicators of compromise (IoCs) have been made public. Still, the possibility of data exfiltration via SQL injection could be leveraged in broader cyber campaigns, echoing previous high-profile incidents involving SolarWinds and Log4j. The affected versions include EPM 2024 SU3 SR1 and earlier, with EPM 2022 now officially end-of-life as of October 2025, leaving such deployments without vendor support.
Patches for the high-severity vulnerabilities are scheduled for EPM 2024 SU4 (November 12, 2025), while fixes for the SQL injection cluster are expected in SU5 (Q1 2026). In the meantime, Ivanti has issued temporary mitigations: restricting Core server access to trusted local administrators and implementing firewall whitelisting to block high-range TCP ports for CVE-2025-11622; avoiding the import of untrusted configuration files for CVE-2025-9713; and disabling analytics by removing the Reporting database user to mitigate SQL injection exposure. Ivanti advises users to upgrade to the latest supported 2024 release, which includes improved security controls and mitigations, ensuring stronger resilience against exploitation attempts targeting critical management infrastructure.
Impact
- Code Execution
- Gain Access
- Privilege Escalation
Remediation
- Apply upcoming patches in EPM 2024 SU4 (expected November 12, 2025) and SQL injection fixes in SU5 (Q1 2026).
- Restrict Core server access to local EPM administrators only.
- Implement firewall whitelisting to block high-range TCP ports.
- Regularly review and limit administrative privileges to reduce local exploitation risks.
- Avoid importing untrusted configuration files into the EPM environment.
- Validate and verify all configuration files before importing them.
- Implement file integrity checks to detect unauthorized or altered files.
- Remove the Reporting database user to eliminate potential SQL injection exploitation (note: this disables analytics).
- Limit database permissions for all EPM users in line with the principle of least privilege.
- Monitor database query logs for unusual or suspicious activity.
- Upgrade immediately to EPM 2024 SU3 SR1 or later to benefit from enhanced security protections.
- Migrate from end-of-life versions, such as the 2022 branch, to ensure continued patch support.
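
One way to apply the "validate before importing" and "file integrity check" items above is a pre-import gate that only passes configuration files sitting inside an approved staging directory and matching a known-good SHA-256 manifest. This is an added example, not Ivanti tooling or code from the advisory; the staging directory, manifest layout and file names are assumptions, and it does not parse the EPM configuration format itself.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_before_import(staging_dir: Path, manifest: dict, name: str) -> str:
    """Return 'ok' or the reason the file must not be imported."""
    base = staging_dir.resolve()
    candidate = (base / name).resolve()  # collapses ../ segments and symlinks
    if not candidate.is_relative_to(base):
        return "rejected: path escapes staging directory"
    if not candidate.is_file():
        return "rejected: not a regular file"
    expected = manifest.get(candidate.relative_to(base).as_posix())
    if expected is None:
        return "rejected: file not listed in approved manifest"
    if not hmac.compare_digest(sha256_file(candidate), expected.lower()):
        return "rejected: content differs from approved hash"
    return "ok"


def demo() -> dict:
    """Constructed sample files; names and contents are hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        staging = root / "staging"
        staging.mkdir()
        (staging / "agent-settings.xml").write_text("<settings mode='approved'/>")
        (staging / "altered.xml").write_text("<settings mode='approved'/>")
        (root / "outside.xml").write_text("<settings/>")
        # Manifest is recorded while both staged files are in their approved state.
        manifest = {n: sha256_file(staging / n) for n in ("agent-settings.xml", "altered.xml")}
        (staging / "altered.xml").write_text("<settings mode='tampered'/>")
        (staging / "unlisted.xml").write_text("<settings/>")
        names = ["agent-settings.xml", "altered.xml", "unlisted.xml", "../outside.xml"]
        return {n: check_before_import(staging, manifest, n) for n in names}


if __name__ == "__main__":
    print(demo())
```

The manifest should be produced and stored separately from the staging directory, so that someone who can alter a staged file cannot also rewrite its approved hash.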








