=====================================================================
CERT-Renater Note d'Information No. 2025/VULN840
_____________________________________________________________________

DATE                 : 11/12/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Ivanti Endpoint Manager versions
                       prior to 2024 SU4 SR1.
=====================================================================

https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US
_____________________________________________________________________

Security Advisory EPM December 2025 for EPM 2024

Primary Product    : Endpoint Manager
Categories         : Install
Created Date       : 8 Dec 2025 20:19:53
Last Modified Date : 9 Dec 2025 20:05:10

Summary:

Ivanti has released an update for Ivanti Endpoint Manager (EPM) which addresses three high severity vulnerabilities and one critical severity vulnerability in the EPM core and remote consoles. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

Vulnerability Details:

CVE-2025-10573
  Description : Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
  CVSS Score  : Critical (9.6)
  CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  CWE         : CWE-79

CVE-2025-13659
  Description : Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.
  CVSS Score  : High (8.8)
  CVSS Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CWE         : CWE-913

CVE-2025-13661
  Description : Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required.
  CVSS Score  : High (7.1)
  CVSS Vector : CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
  CWE         : CWE-22

CVE-2025-13662
  Description : Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User interaction is required.
  CVSS Score  : High (7.8)
  CVSS Vector : CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  CWE         : CWE-347

Affected Versions:

Product Name        : Ivanti Endpoint Manager
Affected Version(s) : 2024 SU4 and prior
Resolved Version(s) : 2024 SU4 SR1
Patch Availability  : Download Available in ILS

Solution:

These vulnerabilities are resolved in the latest version of the product (Ivanti Endpoint Manager 2024 SU4 SR1) and can be accessed in the download portal (Login Required). For more information on how to download updates, please see "How to Access and Download Software for EPM". This update applies to EPM 2024 SU4 core consoles and remote consoles.

Mitigations:

CVE-2025-10573 – Ivanti EPM is not intended to be an internet-facing solution. If customers have not exposed their solution to the internet, the risk of this vulnerability is significantly reduced.

CVE-2025-13659 – Exploitation of this vulnerability requires customers to connect to an untrusted core server. In line with best practice, Ivanti strongly recommends that customers only connect their EPM solution to trusted servers.

CVE-2025-13661 & CVE-2025-13662 – Exploitation of these vulnerabilities requires customers to import untrusted configuration files. In line with best practice, Ivanti strongly recommends that customers only import trusted configuration files.
Acknowledgements:

Ivanti would like to thank the following for reporting the relevant issues and for working with Ivanti to help protect our customers:

- 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044, working with Trend Zero Day Initiative (CVE-2025-13661, CVE-2025-13662)
- Piotr Bazydlo (@chudyPB) of watchTowr (CVE-2025-13659)
- Ryan Emmons, Staff Security Researcher at Rapid7 (CVE-2025-10573)

Note: Ivanti is dedicated to ensuring the security and integrity of our enterprise software products. We recognize the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities. Visit HERE to learn more about our Vulnerability Disclosure Policy.

FAQ:

Are you aware of any active exploitation of these vulnerabilities?
We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program.

How can I tell if I have been compromised?
Currently, there is no known public exploitation of these vulnerabilities that could be used to provide a list of indicators of compromise.

What should I do if I need help?
If you have questions after reviewing this information, you can log a case and/or request a call via the Success Portal.

Article Number          : 000103719
Article Promotion Level : Normal

=========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41           +
+ 75013 Paris        | email : cert@support.renater.fr  +
=========================================================