Ivanti Patches 13 Vulnerabilities in Endpoint Manager Allowing Remote Code Execution


Ivanti has disclosed 13 vulnerabilities in its Endpoint Manager (EPM) software, including two high-severity flaws that could enable remote code execution and privilege escalation, urging customers to apply mitigations while patches remain in development.

The announcement comes amid growing scrutiny of enterprise management tools, as attackers increasingly target them for supply chain compromises.

Although no exploitation in the wild has been reported, the issues highlight the risks of outdated deployments in endpoint security environments.

Critical Vulnerabilities Exposed In Endpoint Manager

Among the vulnerabilities, CVE-2025-9713 stands out as a high-severity path traversal issue with a CVSS score of 8.8, allowing unauthenticated remote attackers to execute arbitrary code if users interact with malicious files.

This flaw, classified as CWE-22, stems from weak input validation during configuration imports, potentially letting adversaries upload and run malicious payloads on the EPM Core server.

Complementing it is CVE-2025-11622, an insecure deserialization vulnerability (CVSS 7.8, CWE-502) that permits local authenticated users to escalate privileges, granting unauthorized access to sensitive system resources.


The remaining 11 vulnerabilities are medium-severity SQL injection flaws (each CVSS 6.5, CWE-89): CVE-2025-11623 and CVE-2025-62383 through CVE-2025-62392.

| CVE ID | Description | CVSS Score | Severity | CVSS Vector | CWE |
|---|---|---|---|---|---|
| CVE-2025-11622 | Insecure deserialization allowing local authenticated privilege escalation. | 7.8 | High | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 502 |
| CVE-2025-9713 | Path traversal allowing remote unauthenticated RCE with user interaction. | 8.8 | High | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 22 |
| CVE-2025-11623 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62392 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62390 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62389 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62388 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62387 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62385 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62391 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62383 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62386 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62384 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |

These SQL injection flaws allow remote authenticated attackers to extract arbitrary data from the database, including credentials or configuration details, without needing user interaction beyond initial authentication.

Ivanti noted that all issues were responsibly reported by researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 via Trend Micro’s Zero Day Initiative, underscoring the value of coordinated disclosure in bolstering defenses.

No proof-of-concept exploits or indicators of compromise (IoCs) have been publicly released, as Ivanti confirmed no active attacks at disclosure time.

However, the potential for data exfiltration via SQL injections could aid broader campaigns, similar to past incidents targeting management consoles like those from SolarWinds or Log4j.

Ivanti EPM versions 2024 SU3 SR1 and earlier are affected, with the 2022 branch now end-of-life as of October 2025, leaving users without official support.

For the high-severity CVEs, fixes are slated for EPM 2024 SU4, expected November 12, 2025. The SQL injections will follow in SU5 during Q1 2026, delayed due to the complexity of resolving them without disrupting reporting features.

Ivanti emphasized that upgrading to the latest 2024 release already mitigates much of the risk through enhanced security controls. Customers on EOL versions face heightened exposure and should migrate promptly to avoid unpatched vulnerabilities.

The company’s FAQ addresses concerns, noting that while patches are forthcoming, immediate mitigations can secure environments in the interim.

Mitigations

To counter CVE-2025-11622, Ivanti recommends firewall whitelisting to block high-range TCP ports and restricting Core server access to local EPM administrators only, aligning with established best practices.

For the path traversal in CVE-2025-9713, users must avoid importing untrusted configuration files and thoroughly vet any necessary ones, as such actions inherently carry risks.

The SQL injection cluster can be addressed by removing the Reporting database user, though this disables analytics features, a trade-off detailed in Ivanti’s documentation. Overall, staying on EPM 2024 SU3 SR1 or later provides layered protections, reducing exploit viability.

Ivanti’s disclosure, despite pending patches, prioritizes transparency, allowing proactive defenses in a landscape where endpoint managers are prime targets for ransomware and APT groups. Organizations should audit their EPM setups and consult Ivanti’s Success Portal for tailored support.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.