
Ivanti has rolled out security updates for its Endpoint Manager product, addressing three high-severity vulnerabilities that could let authenticated local attackers write arbitrary files anywhere on the system disk.
The flaws, if exploited, pose significant risks to enterprise environments by potentially allowing malicious code execution or data tampering.
The most recent issue, tracked as CVE-2025-10918, stems from insecure default permissions in the Endpoint Manager agent versions prior to 2024 SU4.
This vulnerability carries a CVSS score of 7.1 (High), with a vector of CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, and aligns with CWE-276 for incorrect default permissions. Attackers with local authenticated access could leverage it to overwrite critical files, escalating privileges or disrupting operations.
Ivanti Endpoint Manager Vulnerabilities
Ivanti also patched two previously disclosed vulnerabilities from October 2025: CVE-2025-9713 and CVE-2025-11622. While specific details on these were not reiterated in the latest advisory, they contribute to the same arbitrary file write threat model.
Importantly, Ivanti reports no known customer exploitation of any of these issues at the time of disclosure, crediting its responsible disclosure program for early detection.
Affected systems include Ivanti Endpoint Manager 2024 SU3 SR1 and earlier versions. The fixes are available in the newly released 2024 SU4 update, downloadable via Ivanti’s License System portal for eligible customers.
Users on the older 2022 branch face a harder road: that version reached end-of-life at the end of October 2025, so no patches will be issued. Organizations must upgrade to 2024 SU4 to mitigate risks.

| CVE Number | Description | CVSS Score (Severity) | Attack Requirements | Potential Impact |
|---|---|---|---|---|
| CVE-2025-10918 | Insecure default permissions in the agent allow a local authenticated attacker to write arbitrary files anywhere on disk. | 7.1 (High) | Local authenticated access. | File tampering, privilege escalation via overwrites. |
| CVE-2025-9713 | Path traversal allows a remote unauthenticated attacker to achieve remote code execution, enabling arbitrary file writes; user interaction required. | 8.8 (High) | Remote unauthenticated, user interaction (e.g., malicious file import). | RCE leading to full system compromise and file manipulation. |
| CVE-2025-11622 | Insecure deserialization allows a local authenticated attacker to escalate privileges, facilitating arbitrary file writes post-escalation. | 7.8 (High) | Local authenticated access. | Privilege escalation enabling broader file access and execution. |

Ivanti extends its thanks to security researcher Enrique Fernández Lorenzo, known as bighound, for responsibly reporting CVE-2025-10918. The company emphasizes its commitment to vulnerability disclosure, inviting ethical hackers to engage through its policy.
For those assessing exposure, Ivanti notes no public indicators of compromise exist yet, as exploitation remains undetected. Administrators should prioritize patching to safeguard endpoint management integrity. With cyber threats evolving rapidly, timely updates remain a cornerstone of defense in managed IT ecosystems.
