Ivanti has disclosed 13 vulnerabilities affecting its Endpoint Manager (EPM) platform, including two high-severity flaws that could lead to remote code execution (RCE) or privilege escalation, and eleven medium-severity SQL injection issues. The flaws impact multiple supported versions of Ivanti EPM 2024, with fixes scheduled for November 2025 and Q1 2026.
The most severe vulnerabilities are:
- CVE-2025-11622 – Insecure Deserialization (CVSS 7.8, High): This flaw allows a local authenticated attacker to escalate privileges by exploiting insecure deserialization in Ivanti Endpoint Manager.
- CVE-2025-9713 – Path Traversal (CVSS 8.8, High): This issue enables remote unauthenticated attackers to achieve remote code execution, though user interaction is required.
Together, these flaws could allow attackers to take control of EPM systems, execute arbitrary code, or escalate privileges within enterprise networks.
The remaining eleven CVEs—from CVE-2025-11623 through CVE-2025-62384—are SQL injection flaws that allow remote authenticated attackers to read arbitrary data from the database. Each carries a CVSS score of 6.5 (Medium).
Ivanti notes, “SQL injection in Ivanti Endpoint Manager allows a remote authenticated attacker to read arbitrary data from the database.”
Although these flaws do not directly permit code execution, attackers could use them for data exfiltration, reconnaissance, or privilege escalation within compromised environments.
The vulnerabilities affect Ivanti Endpoint Manager 2024 SU3 SR1 and prior versions.
- CVE-2025-11622 and CVE-2025-9713 will be resolved in version 2024 SU4, targeted for November 12, 2025.
- The remaining SQL injection vulnerabilities (CVE-2025-11623 and CVE-2025-62383–62392) will be fixed in 2024 SU5, scheduled for Q1 2026.
Ivanti EPM 2022 has reached end-of-life (EOL) as of October 2025, and users on older releases will not receive fixes.
Ivanti credited external security researchers and Trend Zero Day Initiative for responsibly disclosing these vulnerabilities. The company emphasized that there is no evidence of active exploitation in the wild as of publication.
Ivanti has shared temporary mitigations for customers awaiting patches:
- For CVE-2025-11622 (Insecure Deserialization): “Customers should use a reliable firewall with a whitelisting configuration to prevent remote access to arbitrary high-range TCP ports… only allow EPM administrators to access the EPM Core server locally.”
- For CVE-2025-9713 (Path Traversal): “Customers should not import untrusted configuration files into your EPM Core server. If a customer chooses to import untrusted configuration files, they should always review the contents of the file carefully.”
- For SQL Injection vulnerabilities (CVE-2025-11623, CVE-2025-62383–62392): Administrators can temporarily remove the Reporting database user from their configuration.
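The version and fix schedule above map cleanly onto a triage check. The following is an added example, not code from Ivanti or from this article: it parses a version label in the form the advisory uses ("2024 SU3 SR1", "2024 SU4") and reports which of the 13 CVEs are still outstanding at that version, treating 2022 and earlier as end-of-life and anything at or past 2024 SU5 as fully patched (the string format and the "later versions are fixed" generalisation are assumptions).

```python
import re

# CVE sets and fix mapping taken from the advisory text above: the two
# high-severity flaws are fixed in 2024 SU4, the eleven SQL injections in 2024 SU5.
HIGH_CVES = ("CVE-2025-11622", "CVE-2025-9713")
SQLI_CVES = ("CVE-2025-11623",) + tuple(f"CVE-2025-{n}" for n in range(62383, 62393))

# Assumed label format: "<year> [SU<n>] [SR<n>]", e.g. "2024 SU3 SR1" or "2022 SU6".
_VERSION_RE = re.compile(r"^\s*(\d{4})(?:\s+SU(\d+))?(?:\s+SR(\d+))?\s*$", re.I)


def parse_version(text):
    """Return (year, su, sr) as a comparable tuple; a missing SU or SR counts as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised EPM version label: {text!r}")
    year, su, sr = m.groups()
    return (int(year), int(su or 0), int(sr or 0))


def outstanding_cves(version_text):
    """Return (status, cves) for an EPM Core version label.

    status is "eol", "affected" or "fixed"; cves lists the CVEs from this
    advisory that are still unpatched at that version.
    """
    v = parse_version(version_text)
    if v[0] < 2024:
        # EPM 2022 and earlier are end-of-life: no fixes will ship.
        return "eol", list(HIGH_CVES + SQLI_CVES)
    pending = []
    if v < (2024, 4, 0):
        # 2024 SU3 SR1 and prior: the RCE and privilege-escalation fixes land in SU4.
        pending += HIGH_CVES
    if v < (2024, 5, 0):
        # SQL injection fixes are scheduled for SU5 (Q1 2026).
        pending += SQLI_CVES
    return ("affected" if pending else "fixed"), pending


if __name__ == "__main__":
    for label in ("2022 SU6", "2024 SU3 SR1", "2024 SU4", "2024 SU5"):
        status, cves = outstanding_cves(label)
        print(f"{label:14} {status:9} {len(cves)} outstanding")
```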