Ivanti Endpoint Manager Mobile Vulnerabilities Allow Attackers to Decrypt Other Users’ Passwords
Ivanti has identified and resolved three high-severity vulnerabilities in its Endpoint Manager (EPM) software.
If exploited, these flaws could enable attackers to decrypt other users’ passwords or gain access to sensitive database information, posing significant risks to organizations that rely on this endpoint management solution.
Ivanti Endpoint Manager Mobile Vulnerabilities
Ivanti’s recent security update targets three specific vulnerabilities, each with a high severity rating based on the Common Vulnerability Scoring System (CVSS).
Two of these flaws, identified as CVE-2025-6995 and CVE-2025-6996, stem from improper use of encryption in the EPM agent. Both carry a CVSS score of 8.4 (High) and could enable a local authenticated attacker to decrypt passwords of other users.
The third vulnerability, CVE-2025-7037, involves an SQL injection flaw with a CVSS score of 7.2 (High), allowing a remote authenticated attacker with admin privileges to read arbitrary data from the database.
Here’s a detailed breakdown of the vulnerabilities:
| CVE Number | Description | CVSS Score | CVSS Vector | CWE |
|---|---|---|---|---|
| CVE-2025-6995 | Improper encryption in EPM agent allows local authenticated attacker to decrypt passwords. | 8.4 (High) | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | CWE-257 |
| CVE-2025-6996 | Improper encryption in EPM agent allows local authenticated attacker to decrypt passwords. | 8.4 (High) | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | CWE-257 |
| CVE-2025-7037 | SQL injection in EPM allows remote admin attacker to read database data. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 |
These vulnerabilities affect Ivanti Endpoint Manager versions prior to 2024 SU3 and 2022 SU8 Security Update 1. The encryption flaws specifically target the agent component, making local access a potential gateway for attackers to compromise user credentials.
Affected Versions and Solutions
Ivanti has identified the following versions of Endpoint Manager as vulnerable, with corresponding resolved versions now available:
| Product Name | Affected Version(s) | Resolved Version(s) | Patch Availability |
|---|---|---|---|
| Ivanti Endpoint Manager | 2022 SU8 and prior | 2022 SU8 Security Update 1 | Download Available in ILS |
| Ivanti Endpoint Manager | 2024 SU2 and prior | 2024 SU3 | Download Available in ILS |
Organizations using affected versions are urged to update immediately to the resolved versions 2024 SU3 or 2022 SU8 Security Update 1—accessible through Ivanti’s licensing portal (login required). These updates fully mitigate the identified risks.
Ivanti has emphasized that there is no evidence of active exploitation of these vulnerabilities prior to their disclosure. The issues were reported through the company’s responsible disclosure program, ensuring timely patches before any known attacks.
However, with no public indicators of compromise currently available, organizations must remain vigilant and prioritize updates to prevent potential breaches.
The ability for attackers to decrypt passwords or access database information underscores the importance of robust endpoint security. While local access is required for two of the vulnerabilities, the SQL injection flaw opens a remote attack vector for those with admin privileges, broadening the potential threat surface.
IT administrators should audit their systems for affected versions of Ivanti Endpoint Manager and apply the necessary updates without delay. Additionally, monitoring for unusual activity could serve as a precaution, even though no exploitation has been reported.
This incident highlights the ongoing challenges in securing endpoint management tools, which are critical for organizational IT infrastructure.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
Source link
