Ivanti Addresses 13 Critical Vulnerabilities in Endpoint Manager That Could Allow Remote Code Execution


Ivanti, a prominent player in the cybersecurity space, has recently announced a concerning batch of thirteen security vulnerabilities within its Endpoint Manager (EPM) product line. These vulnerabilities encompass a spectrum of risks including insecure deserialization, path traversal, and multiple SQL injection flaws. Though there are currently no reported incidents of active exploitation in the wild, the implications of these vulnerabilities warrant serious attention.

Among these vulnerabilities, two have been classified as high severity, while the other eleven fall into a medium severity category. Ivanti has strongly encouraged all EPM users to transition from the now end-of-life EPM 2022 to the newer EPM 2024 version. This recommendation is accompanied by a call to implement interim mitigation strategies until comprehensive patches become available.

Assessing the Vulnerabilities

The highest-risk vulnerability disclosed is CVE-2025-11622, identified as an insecure deserialization flaw affecting versions of EPM 2024 prior to SU3 SR1. This vulnerability permits an authenticated local user to escalate their privileges on the EPM Core server, with a CVSS score of 7.8. The potential risk associated with this flaw is significant, making it imperative for organizations to take swift action.

The second high-severity vulnerability is CVE-2025-9713, a path traversal issue that allows an unauthenticated attacker to execute remote code under specific circumstances. Exploitation requires a user to import a malicious configuration file through the console UI, so the attack depends on user interaction (CVSS 8.8). Understanding the chain of events that leads to exploitation is crucial for effective risk management.

The remaining eleven vulnerabilities are primarily SQL injection issues, scattered across various components of EPM’s reporting functionalities. Authenticated remote users could exploit these flaws to retrieve arbitrary database records, each carrying a CVSS score of 6.5. This poses a potential risk to sensitive information if left unaddressed.

| CVE | Description | CVSS (Severity) | CWE |
|---|---|---|---|
| CVE-2025-11622 | Insecure deserialization allows local privilege escalation | 7.8 (High) | CWE-502 |
| CVE-2025-9713 | Path traversal allows RCE; UI required; unauthenticated | 8.8 (High) | CWE-22 |
| CVE-2025-11623 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62392 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62390 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62389 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62388 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62387 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62385 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62391 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62383 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62386 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62384 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |

All thirteen vulnerabilities were reported responsibly by a cybersecurity researcher, 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044, in cooperation with Trend Micro’s Zero Day Initiative. Such collaboration highlights the importance of community engagement in addressing vulnerabilities.

While full patches are scheduled for release with EPM 2024 SU4 on November 12, 2025, alongside additional coverage in SU5 anticipated for Q1 2026, Ivanti has recommended several immediate mitigation strategies. For those using SU3 SR1, it is crucial to maintain a clear upgrade path to SU4. In the meantime, organizations are advised to restrict Remote Desktop Protocol (RDP) and high-range TCP port access via firewalls to reduce their exposure.

Moreover, administrative privileges should be limited strictly to local EPM operators. This helps in reducing the attack surface from potential internal threats. To address potential risks stemming from CVE-2025-9713, it is vital for organizations to avoid importing configuration files from untrusted sources. If they must do so, a thorough review of the file’s content is essential.

To mitigate the SQL injection vulnerabilities, administrators have the option to disable the Reporting database user altogether. This suspends reporting functionality but removes the database access path those flaws rely on.
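The interim firewall mitigation above (restricting RDP and high-range TCP access to the EPM Core server) can be applied with the Windows NetSecurity cmdlets. The following script is an added example written for this page, not Ivanti's own guidance or tooling; it assumes the Core server runs Windows Server with Windows Defender Firewall enabled, and the management subnet 10.0.50.0/24 is a placeholder to replace with your own administrative network.

```powershell
# Added example (not Ivanti's script): narrow inbound exposure of an EPM Core
# server using the built-in NetSecurity cmdlets.
# Assumptions: Windows Server with Windows Defender Firewall active;
# 10.0.50.0/24 is a placeholder management subnet.

$MgmtSubnet = '10.0.50.0/24'   # placeholder: your management / jump-host subnet

# 1. Default inbound posture "block" on every profile, so only explicit allow
#    rules admit traffic (this is the Windows default, restated here to be sure).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Scope the built-in Remote Desktop allow rules (TCP/UDP 3389) to the
#    management subnet instead of accepting RDP from any address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet -Enabled True

# 3. Audit only (no changes): list enabled inbound TCP allow rules that accept
#    traffic from any remote address, so rules that open high-range ports
#    (49152-65535, or "Any") can be reviewed and scoped the same way.
$broad = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    if ($port.Protocol -eq 'TCP' -and $addr.RemoteAddress -contains 'Any') {
        [pscustomobject]@{
            Name       = $rule.DisplayName
            LocalPort  = ($port.LocalPort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
        }
    }
}
$broad | Sort-Object Name | Format-Table -AutoSize
```

Step 3 deliberately reports rather than rewrites, because EPM and other services on the Core server may legitimately listen on dynamic ports; each broad rule should be scoped to the agent or management networks that actually need it, and the change tested before the SU4 upgrade window.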

As EPM 2022 reached its end of life in October 2025, customers are urged to make the migration to EPM 2024 a priority. This newer version includes enhanced security features and hardening strategies that not only address the current vulnerabilities but also fortify against potential future attacks.

As organizations plan their upgrades, they should factor in the scheduled release of SU4 and SU5 while coordinating their testing timelines and rollback procedures to ensure a smooth transition. Implementing robust network segmentation, enforcing least-privilege access controls, employing strict input validation policies, and conducting regular security audits will help minimize vulnerabilities during this interim period.

Ultimately, embracing both prompt updates and a proactive, defense-in-depth strategy enables organizations to maintain operational stability while safeguarding their systems against potential threats.
