Redazione RHC: 14 October 2025 16:29
Ivanti has published 13 vulnerabilities in its Endpoint Manager (EPM) software, including two high-severity flaws that could allow remote code execution and privilege escalation.
Although no exploitation has been observed, CVE-2025-9713 stands out among the vulnerabilities as a high-severity path traversal issue with a CVSS score of 8.8, which allows unauthenticated remote attackers to execute arbitrary code if users interact with malicious files.
The flaw is classified as CWE-22 and stems from poor input validation during the configuration import process, which could allow attackers to upload and execute malicious code on the server.
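The weakness class just described, poor validation of a client-supplied filename during an import, is illustrated below with an added example that is not Ivanti's code and does not reflect how EPM implements its import feature. The import directory, the filename rules and the sample inputs are all constructed for the example; it contrasts the unsafe join with a hardened version that allow-lists the bare filename and then confirms the resolved path is still confined to the import directory.

```python
import re
from pathlib import Path

# Hypothetical import directory, constructed for this example (not a real EPM path).
IMPORT_ROOT = Path("/var/lib/example-epm/imports")

# Allow-list for a bare import filename: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def unsafe_import_path(filename: str) -> Path:
    """The CWE-22 pattern: the caller-supplied name is joined onto the base
    directory as-is, so '../' segments or an absolute path escape it."""
    return Path(IMPORT_ROOT, filename)


def confined(root: Path, candidate: Path) -> bool:
    """True only when candidate is a strict descendant of root after
    normalisation ('..' segments collapsed, symlinks followed where they exist)."""
    root = root.resolve(strict=False)
    candidate = candidate.resolve(strict=False)
    return root in candidate.parents


def escapes_import_root(filename: str) -> bool:
    """Whether the unsafe join would land outside IMPORT_ROOT."""
    return not confined(IMPORT_ROOT, unsafe_import_path(filename))


def safe_import_path(filename: str) -> Path:
    """Hardened import: reject anything that is not a plain filename, then
    check the resolved location anyway (defence in depth)."""
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError(f"rejected import filename: {filename!r}")
    candidate = IMPORT_ROOT / filename
    if not confined(IMPORT_ROOT, candidate):
        raise ValueError(f"import path escapes {IMPORT_ROOT}: {filename!r}")
    return candidate


def is_accepted(filename: str) -> bool:
    """Convenience wrapper: does the hardened check accept this name?"""
    try:
        safe_import_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, two traversal attempts.
    for name in ("config-2025.xml", "../../../../etc/passwd", "/etc/passwd"):
        print(f"{name!r}: unsafe join escapes root = {escapes_import_root(name)}, "
              f"hardened check accepts = {is_accepted(name)}")
```

The allow-list alone would already stop the traversal inputs; the second check exists so that a future change to the naming rule (for example, allowing sub-folders) cannot silently reintroduce the escape.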
Rounding it all out is CVE-2025-11622, an insecure deserialization vulnerability (CVSS 7.8, CWE-502) that allows local authenticated users to escalate privileges, granting unauthorized access to sensitive system resources.
The remaining 11 vulnerabilities are medium-severity SQL injection flaws (each CVSS 6.5, CWE-89), such as CVE-2025-11623 and CVE-2025-62392 through CVE-2025-62384. The following table lists all the vulnerabilities disclosed.

| CVE Number | Description | CVSS Score (Severity) | CVSS Vector | CWE |
|---|---|---|---|---|
| CVE-2025-11622 | Insecure deserialization in Ivanti Endpoint Manager allows a local authenticated attacker to escalate their privileges. | 7.8 (High) | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-502 |
| CVE-2025-9713 | Path traversal in Ivanti Endpoint Manager allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required. | 8.8 (High) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-22 |
| CVE-2025-11623 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62392 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62390 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62389 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62388 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62387 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62385 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62391 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62383 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62386 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
| CVE-2025-62384 | SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database. | 6.5 (Medium) | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89 |
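The eleven CWE-89 entries in the table all describe the same outcome: an authenticated user reading rows they were never meant to see. The added example below, which is not Ivanti's code and says nothing about EPM's actual queries, uses a constructed in-memory SQLite inventory table to show why that happens when a caller-controlled value is spliced into SQL text, and how binding the value as a parameter removes the problem. The table layout, device names and tokens are made up for the example.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for a management console's database.
    The device rows and tokens are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, owner TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO devices (name, owner, api_token) VALUES (?, ?, ?)",
        [
            ("ws-0001", "alice", "token-alice"),
            ("ws-0002", "bob", "token-bob"),
            ("srv-0001", "admin", "token-admin"),
        ],
    )
    return conn


def devices_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """CWE-89 pattern: the caller-controlled value becomes part of the SQL
    text, so a quote in the input changes the query's structure and the
    WHERE clause no longer restricts which rows come back."""
    sql = f"SELECT name, api_token FROM devices WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def devices_for_owner_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterised query: the driver binds the value separately from the
    statement, so it is only ever compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT name, api_token FROM devices WHERE owner = ?", (owner,)
    ).fetchall()


def row_count_difference(owner: str) -> int:
    """How many extra rows the vulnerable form leaks for a given input
    compared with the parameterised form (0 for a well-formed value)."""
    conn = build_demo_db()
    try:
        return len(devices_for_owner_vulnerable(conn, owner)) - len(
            devices_for_owner_safe(conn, owner)
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed inputs: a normal owner name, and one carrying a quote.
    for value in ("alice", "alice' OR '1'='1"):
        print(f"{value!r}: vulnerable form leaks {row_count_difference(value)} extra row(s)")
```

When reviewing a code base for this class of bug, the thing to search for is any query text built with string formatting or concatenation; the fix is always the same shape as `devices_for_owner_safe`, regardless of which database driver is in use.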
Ivanti emphasized that all issues were responsibly reported by researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 through Trend Micro’s Zero Day Initiative, underscoring the value of coordinated disclosure in strengthening defenses.
At the time of disclosure, Ivanti confirmed that it was not aware of any active attacks, and no proof-of-concept exploits or indicators of compromise (IoCs) have been made public.
However, data exfiltration via the SQL injection flaws could facilitate larger campaigns, similar to past incidents involving widely deployed management and infrastructure software such as SolarWinds or Log4j.
Ivanti EPM versions 2024 SU3 SR1 and earlier are affected, while version 2022 has reached end-of-life as of October 2025, leaving users without official support.
For the high-severity CVEs, fixes are planned for EPM 2024 SU4, which is scheduled for release on November 12, 2025. Fixes for the SQL injection flaws will follow in SU5 in Q1 2026, a delay Ivanti attributes to the complexity of resolving them without disrupting reporting capabilities.
Ivanti emphasized that upgrading to the latest 2024 release already mitigates much of the risk thanks to advanced security controls. Customers with EOL (end-of-life) releases are at greater risk and should migrate promptly to avoid unpatched vulnerabilities.