Ivanti has disclosed 13 vulnerabilities in its Endpoint Manager (EPM) software, including two high-severity flaws that could enable remote code execution and privilege escalation, and is urging customers to apply mitigations while patches remain in development.
The announcement comes amid growing scrutiny of enterprise management tools, as attackers increasingly target them for supply chain compromises.
Although no exploitation in the wild has been reported, the issues highlight the risks of outdated deployments in endpoint security environments.
Critical Vulnerabilities Uncovered In Endpoint Manager
Among the vulnerabilities, CVE-2025-9713 stands out as a high-severity path traversal issue with a CVSS score of 8.8, allowing unauthenticated remote attackers to execute arbitrary code if users interact with malicious files.
This flaw, rooted in CWE-22, exploits weak input validation during configuration imports, potentially letting adversaries upload and run malicious payloads on the EPM Core server.
Complementing it is CVE-2025-11622, an insecure deserialization vulnerability (CVSS 7.8, CWE-502) that allows local authenticated users to escalate privileges, granting unauthorized access to sensitive system resources.
The remaining 11 vulnerabilities are medium-severity SQL injection flaws (each CVSS 6.5, CWE-89), such as CVE-2025-11623 and CVE-2025-62392 through CVE-2025-62384.
| CVE ID | Description | CVSS Score | Severity | CVSS Vector | CWE |
|---|---|---|---|---|---|
| CVE-2025-11622 | Insecure deserialization allowing local authenticated privilege escalation. | 7.8 | High | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 502 |
| CVE-2025-9713 | Path traversal allowing remote unauthenticated RCE with user interaction. | 8.8 | High | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | 22 |
| CVE-2025-11623 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62392 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62390 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62389 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62388 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62387 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62385 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62391 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62383 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62386 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
| CVE-2025-62384 | SQL injection allowing remote authenticated arbitrary data read. | 6.5 | Medium | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 89 |
These allow remote authenticated attackers to extract arbitrary data from the database, including credentials or configuration details, without needing user interaction beyond initial authentication.
Ivanti noted that all issues were responsibly reported by researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 via Trend Micro's Zero Day Initiative, underscoring the value of coordinated disclosure in bolstering defenses.
No proof-of-concept exploits or indicators of compromise (IoCs) have been publicly released, as Ivanti confirmed no active attacks at disclosure time.
However, the potential for data exfiltration via SQL injection could support broader campaigns, similar to past incidents targeting management consoles like those from SolarWinds or Log4j.
Ivanti EPM versions 2024 SU3 SR1 and earlier are affected, with the 2022 branch now end-of-life as of October 2025, leaving users without official support.
For the high-severity CVEs, fixes are slated for EPM 2024 SU4, expected November 12, 2025. The SQL injections will follow in SU5 during Q1 2026, delayed due to the complexity of resolving them without disrupting reporting features.
Ivanti emphasized that upgrading to the latest 2024 release already mitigates much of the risk through enhanced security controls. Customers on EOL versions face heightened exposure and should migrate promptly to avoid unpatched vulnerabilities.
The company's FAQ addresses concerns, noting that while patches are forthcoming, immediate mitigations can secure environments in the interim.
Mitigations
To counter CVE-2025-11622, Ivanti recommends firewall whitelisting to block high-range TCP ports and restricting Core server access to local EPM administrators only, aligning with established best practices.
For the path traversal in CVE-2025-9713, users should avoid importing untrusted configuration files and thoroughly vet any necessary ones, as such actions inherently carry risk.
The SQL injection cluster can be addressed by removing the Reporting database user, though this disables analytics features, a trade-off detailed in Ivanti's documentation. Overall, staying on EPM 2024 SU3 SR1 or later provides layered protections, reducing exploit viability.
Ivanti's disclosure, despite pending patches, prioritizes transparency, allowing proactive defenses in a landscape where endpoint managers are prime targets for ransomware and APT groups. Organizations should audit their EPM setups and consult Ivanti's Success Portal for tailored support.
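As an added example (not Ivanti's code), the following Python helper maps an EPM version label to the CVE groups the advisory says are still unpatched on it and lists the interim mitigations given above, which is handy when auditing a fleet of Core servers. The version label format is an assumption modelled on the names the article uses ("2024 SU3 SR1", "2024 SU4").

```python
import re

# Facts taken from the advisory summary above: which EPM 2024 update fixes each CVE group.
HIGH_CVES = ("CVE-2025-9713", "CVE-2025-11622")                                       # fixed in 2024 SU4
SQLI_CVES = ("CVE-2025-11623",) + tuple(f"CVE-2025-{n}" for n in range(62383, 62393))  # fixed in 2024 SU5
EOL_BRANCHES = {2022}                                                                   # EOL as of October 2025

# Interim mitigations listed in the article, keyed by CVE group.
MITIGATIONS = {
    "high": [
        "Block high-range TCP ports via firewall whitelisting; limit Core access to local EPM admins (CVE-2025-11622).",
        "Do not import untrusted configuration files; vet any that are required (CVE-2025-9713).",
    ],
    "sqli": ["Remove the Reporting database user (this disables analytics features)."],
}

# Assumed label format: '<year> [SU<n>] [SR<n>]', modelled on the names the advisory uses.
_VERSION_RE = re.compile(r"^(?P<year>\d{4})(?:\s+SU(?P<su>\d+))?(?:\s+SR(?P<sr>\d+))?$", re.I)


def parse_version(label):
    """Turn an EPM version label into a comparable (year, su, sr) tuple."""
    m = _VERSION_RE.match(label.strip())
    if not m:
        raise ValueError(f"unrecognised EPM version label: {label!r}")
    return int(m["year"]), int(m["su"] or 0), int(m["sr"] or 0)


def assess(label):
    """Report which CVE groups remain unpatched on this version and what to do meanwhile."""
    year, su, sr = parse_version(label)
    status = {"version": (year, su, sr), "eol": year in EOL_BRANCHES,
              "unpatched": [], "mitigations": []}
    if (year, su) < (2024, 4):          # SU4 carries the two high-severity fixes
        status["unpatched"] += HIGH_CVES
        status["mitigations"] += MITIGATIONS["high"]
    if (year, su) < (2024, 5):          # SU5 carries the SQL injection fixes
        status["unpatched"] += SQLI_CVES
        status["mitigations"] += MITIGATIONS["sqli"]
    if status["eol"]:
        status["mitigations"].append("Branch is end-of-life: migrate to a supported 2024 release.")
    return status


if __name__ == "__main__":
    # Constructed sample labels; '2022 SU6' is illustrative only.
    for v in ("2022 SU6", "2024 SU3 SR1", "2024 SU4"):
        s = assess(v)
        print(v, "(EOL)" if s["eol"] else "", f"{len(s['unpatched'])} unpatched CVEs")
        for tip in s["mitigations"]:
            print("   -", tip)
```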