Trend Micro’s Zero Day Initiative (ZDI) this week published 13 advisories describing unpatched vulnerabilities in Ivanti Endpoint Manager.
One of the flaws allows local attackers to elevate their privileges and was reported to Ivanti in November 2024. The remaining 12 lead to remote code execution (RCE) and were reported in June 2025.
While the vulnerabilities are technically not zero-days, ZDI flags all the unpatched flaws it discloses as ‘0day’. ZDI’s advisories name the vulnerable component and provide a general description of the root cause, but do not contain any other technical details.
No CVE identifier has been issued for these vulnerabilities, but ZDI notes that all of them are high-severity defects. The most severe of them has a CVSS score of 8.8, one has a CVSS score of 7.8, while the remaining 11 have CVSS scores of 7.2.
According to ZDI, the local privilege escalation bug affects Endpoint Manager’s AgentPortal service. It exists because user-supplied input is not properly validated, resulting in deserialization of untrusted data and code execution with System privileges.
Also rooted in the lack of proper validation of user-supplied data, the RCE weaknesses were found in the product’s Report_RunPatch, MP_Report_Run2, DBDR, PatchHistory, MP_QueryDetail2, MP_QueryDetail, MP_VistaReport, and Report_Run classes, and in the GetCountForQuery and OnSaveToDB methods.
For the first 11 of the RCE vulnerabilities, the improperly validated user-supplied input is used to construct SQL queries and can lead to arbitrary code execution in the context of the service account. Authentication is required to exploit all of them.
For the last RCE issue (CVSS score of 8.8), an improperly validated user-supplied path is used in file operations, leading to code execution in the context of the user. Attackers can exploit the defect if they have admin credentials or if they can convince a user to open a malicious page or file.
ZDI says Ivanti was notified of the first security hole in November 2024 and acknowledged it in January 2025. In July, the vendor notified ZDI that patches would be released in November.
Regarding the RCE flaws, Ivanti initially said it would patch 10 of them in September, but then requested an extension until March 2026 for all 12, ZDI says.
Per its disclosure policy, ZDI allows vendors 120 days to address vulnerabilities reported to them. If by the end of the deadline the vendor is unresponsive or does not provide a reasonable statement on why fixes have not been released, ZDI publishes a limited advisory on the reported security defect.
“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product,” ZDI notes for each of the bugs. Additional information can be found on ZDI’s published advisories page.
It is unclear why Ivanti has not been able to roll out patches for these bugs within the disclosure window, as the company has not published an advisory yet. SecurityWeek has emailed Ivanti for a statement on the matter and will update this article if the vendor responds.