Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN716
_____________________________________________________________________

DATE                : 17/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Ivanti Endpoint Manager versions 
                                2024 SU3 SR1 and prior,
             Ivanti Endpoint Manager versions 2022 SU8 SR2 and prior.

=====================================================================
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US
_____________________________________________________________________

Security Advisory Ivanti Endpoint Manager (EPM) October 2025

Primary Product
Endpoint Manager

Categories
Windows Console

Created Date
13 Oct 2025 20:53:49

Last Modified Date
13 Oct 2025 21:28:19


Security Advisory Ivanti Endpoint Manager (EPM) October 2025
(Multiple CVEs) 


Summary 

Ivanti is disclosing two high severity and eleven medium severity
vulnerabilities in Ivanti EPM. Successful exploitation could lead to
privilege escalation or remote code execution. 

We are not aware of any customers being exploited by these
vulnerabilities at the time of disclosure. 

Please note: Ivanti EPM version 2022 is End-of-Life as of October 2025
and important security enhancements have been made in Ivanti EPM
version 2024 which significantly reduces the risk of these
vulnerabilities. It is Ivanti’s recommendation that customers stay up
to date on the latest version of EPM to benefit from security updates
and the latest features. 

 
Vulnerability Details: 

CVE Number    Description   CVSS Score (Severity)   CVSS Vector 
CWE    

CVE-2025-11622 
Insecure deserialization in Ivanti Endpoint Manager allows a local
authenticated attacker to escalate their privileges. 
7.8 (High)    CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 
CWE-502       

CVE-2025-9713 
Path traversal in Ivanti Endpoint Manager allows a remote
unauthenticated attacker to achieve remote code execution. User
interaction is required. 
8.8 (High)     CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 
CWE-22 

CVE-2025-11623 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)   CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62392 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89    

CVE-2025-62390 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62389 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62388 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62387 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62385 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62391 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62383 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62386 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

CVE-2025-62384 
SQL injection in Ivanti Endpoint Manager allows a remote
authenticated attacker to read arbitrary data from the database.  
6.5 (Medium)    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 
CWE-89 

 

Affected Versions:

Product Name     Affected Version(s)    Resolved Version(s) 
Patch Availability 

Ivanti Endpoint Manager    2024 SU3 SR1 and prior 
CVE-2025-11622 & CVE-2025-9713: will be resolved in 2024 SU4
version targeted for November 12, 2025. 
CVE-2025-11623, CVE-2025-62392, CVE-2025-62390, CVE-2025-62389,
CVE-2025-62388, CVE-2025-62387, CVE-2025-62385, CVE-2025-62391,
CVE-2025-62383, CVE-2025-62386, CVE-2025-62384: will be resolved
in 2024 SU5 version targeted for Q1 2026 
Patches are currently in development. Customers should refer to
the mitigations below to protect their environment. 

Ivanti Endpoint Manager     2022 SU8 SR2 and prior    N/A 
This version is End of Life. Customers should move to the latest
version of Ivanti EPM 2024 to significantly reduce their risk. 
 

Mitigation or Workaround 

    Insecure Deserialization (CVE-2025-11622) 

    The risk of this vulnerability is significantly reduced for
customers running Ivanti EPM 2024 SU3 SR1.  

    If customers have not moved to EPM 2024 SU3 SR1, they should
use a reliable firewall with a whitelisting configuration to
prevent remote access to arbitrary high-range TCP ports.  

    In line with best practice and Ivanti’s recommendation
(login required), customers should only allow EPM administrators
to access the EPM Core server locally. 
 

    Path Traversal (CVE-2025-9713) 

    In line with best practice and Ivanti recommendation, customers
should not import untrusted configuration files into your EPM Core
server. If a customer chooses to import untrusted configuration
files, they should always review the contents of the file carefully
to ensure it contains only what is expected.  

    It is important to note that importing untrusted configuration
files will always pose risk to an EPM Core server. 

    SQL Injection (CVE-2025-11623, CVE-2025-62392, CVE-2025-62390,
CVE-2025-62389, CVE-2025-62388, CVE-2025-62387, CVE-2025-62385,
CVE-2025-62391, CVE-2025-62383, CVE-2025-62386, CVE-2025-62384) 

    EPM Administrators can remove the Reporting database user from
their configuration to resolve these vulnerabilities, but reporting
functionality will be disabled as a reporting database user is
required to run any report in EPM.   


Acknowledgements 

Ivanti would like to thank the following for reporting the relevant
issues: 

    06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Zero Day Initiative (all CVEs) 

Note: Ivanti is dedicated to ensuring the security and integrity of
our enterprise software products. We recognize the vital role that
security researchers, ethical hackers, and the broader security
community play in identifying and reporting vulnerabilities. Visit
HERE to learn more about our Vulnerability Disclosure Policy. 


FAQ 

    Are you aware of any active exploitation of these vulnerabilities? 

We are not aware of any customers being exploited by these
vulnerabilities prior to public disclosure. These vulnerabilities
were disclosed through our responsible disclosure program.   


    How can I tell if I have been compromised? 
    Currently, there is no known public exploitation of these
vulnerabilities that could be used to provide a list of
indicators of compromise. 


    What should I do if I need help?  

If you have questions after reviewing this information, you
can log a case and/or request a call via the Success Portal  

 

    Why is Ivanti disclosing these vulnerabilities if a fix
is not available? 

These vulnerabilities were initially disclosed by ZDI. Ivanti
is disclosing now to provide mitigation options for our
customers. 

 

    What can I do to protect my environment? 

Customers who are running the latest version,
Ivanti EPM 2024 SU3 SR1 have a significantly reduced risk to
their environment because of important security enhancements
Ivanti has made to the product. Additionally, we have
provided mitigation guidance above.  

 

    Why is the fix for the SQL injection vulnerabilities planned
for Q1 2026? Can Ivanti provide a fix sooner? 

These issues are complicated to fix without impacting the
functionality of the product, which is why the issue will
take additional time to fix. Our aim is to always balance
speed with quality, with our customers’ security at the core
of that decision.   


Article Number :
000102679

Article Promotion Level
Normal

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================