Ivanti has disclosed 13 vulnerabilities in Ivanti Endpoint Manager (EPM), including two high-severity issues that could enable privilege escalation and remote code execution, and eleven medium-severity SQL injection flaws.
While there is no evidence of in-the-wild exploitation, Ivanti urges customers to move to the latest supported release and apply the recommended mitigations while patches are still in development.
Ivanti said EPM 2022 reached end-of-life in October 2025 and emphasized that Ivanti EPM 2024 includes important security improvements that significantly reduce risk.
For supported versions, fixes will arrive in two stages: the insecure deserialization and path traversal bugs are slated for Ivanti EPM 2024 SU4 targeted for November 12, 2025, while the SQL injection set is planned for EPM 2024 SU5 in Q1 2026.
Until then, administrators should implement workarounds to reduce exposure.
The two high-severity flaws are CVE-2025-11622, an insecure deserialization issue that allows a local authenticated attacker to escalate privileges (CVSS 7.8, CWE-502), and CVE-2025-9713, a path traversal that allows an unauthenticated remote attacker to achieve remote code execution but requires user interaction (CVSS 8.8, CWE-22); the mitigation Ivanti gives for the latter concerns importing configuration files into the EPM Core server.
The remaining eleven CVEs are SQL injection weaknesses that allow remote authenticated users to read arbitrary database data (CVSS 6.5, CWE-89).
Ivanti credited researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro’s Zero Day Initiative for reporting all issues.
Mitigations vary by flaw. For CVE-2025-11622, Ivanti says customers already on EPM 2024 SU3 SR1 are at reduced risk. Those on earlier builds should allow-list access to the EPM Core server at a firewall so that remote hosts cannot reach arbitrary high-range TCP ports, and should restrict access to the Core server to local administrators only.
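The firewall workaround above, worked through as an added example; this is not Ivanti's own guidance or tooling. It assumes the EPM Core runs on Windows Server with Windows Defender Firewall, and the administrative host list and the 1024 lower bound for "high-range" ports are placeholders to adjust for your environment. It sets the profiles to default-deny, reports enabled inbound allow rules that already expose high-range TCP ports to any remote address, and adds an allow rule scoped to the administrative hosts.

```powershell
# Added example, not from Ivanti's advisory. Assumes Windows Server with Windows Defender
# Firewall on the EPM Core. $AdminHosts and $HighPortStart are placeholders (assumptions).

$AdminHosts    = @('10.0.10.0/24', '10.0.11.5')  # assumption: admin workstations / jump hosts
$HighPortStart = 1024                            # assumption: lower bound of "high-range" TCP ports

# 1. Deny inbound traffic that no rule explicitly allows, on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Report enabled inbound allow rules that open high-range TCP ports to any remote address.
#    LocalPort may be numeric, a range such as '49152-65535', or a keyword such as 'Any' or 'RPC'
#    (dynamic RPC ports), so treat the keywords as exposed and parse the rest.
$Exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($port.Protocol -ne 'TCP') { return }
    if (-not ($addr.RemoteAddress -contains 'Any')) { return }   # already scoped; skip

    $hits = foreach ($p in @($port.LocalPort)) {
        if ($p -eq 'Any' -or $p -eq 'RPC') { $true; continue }
        if ($p -match '^(\d+)' -and [int]$Matches[1] -ge $HighPortStart) { $true }
    }
    if ($hits) {
        [pscustomobject]@{
            Rule  = $rule.DisplayName
            Ports = (@($port.LocalPort) -join ',')
        }
    }
}
Write-Host "Inbound allow rules exposing high-range TCP ports to any remote host:"
$Exposed | Format-Table -AutoSize

# 3. Allow the administrative hosts explicitly. With default-deny in place, other remote hosts
#    can reach only the ports that a remaining allow rule (see step 2) still opens.
New-NetFirewallRule -DisplayName 'EPM Core - admin hosts only (TCP)' -Direction Inbound `
    -Protocol TCP -LocalPort Any -RemoteAddress $AdminHosts -Action Allow -Profile Any
```

Review the step 2 output before disabling or narrowing any of the listed rules: the EPM Core needs some inbound ports open to managed endpoints, so confirm agent check-in still works from a non-administrative subnet after the change rather than assuming the allow-list alone is sufficient.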
For CVE-2025-9713, Ivanti advises never importing untrusted configuration files into the EPM Core server; if unavoidable, review file contents carefully, acknowledging that this action inherently carries risk.
For the SQL injection series, Ivanti notes that admins can remove the Reporting database user, which eliminates the exposure but disables reporting, since a read-only reporting user is required to run any EPM report.
Affected versions include Ivanti EPM 2024 SU3 SR1 and prior, with patches pending as noted, and Ivanti EPM 2022 SU8 SR2 and prior, which are end-of-life and should be upgraded to EPM 2024.
Organizations should also review administrative access, harden firewall rules, and avoid untrusted imports to reduce attack surface until updates ship.
| CVE | Description | CVSS (Severity) | CWE |
| --- | --- | --- | --- |
| CVE-2025-11622 | Insecure deserialization allows local privilege escalation (authenticated) | 7.8 (High) | CWE-502 |
| CVE-2025-9713 | Path traversal allows RCE; unauthenticated; user interaction required | 8.8 (High) | CWE-22 |
| CVE-2025-11623 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62392 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62390 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62389 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62388 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62387 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62385 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62391 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62383 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62386 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62384 | SQL injection allows arbitrary data read (authenticated) | 6.5 (Medium) | CWE-89 |
Upgrade planning should prioritize moving to Ivanti EPM 2024 and preparing for SU4 and SU5 rollout, while applying strict least-privilege, network segmentation, and input validation practices to mitigate risk during the interim.