Executive Summary

    Update: October 14, 2025: Ivanti has issued new mitigation guidance addressing the high-severity vulnerabilities in Ivanti Endpoint Manager (EPM) and Endpoint Manager Mobile (EPMM). Ivanti states in its advisory that, if successfully exploited, these flaws could lead to remote code execution.

    The most severe of the disclosed vulnerabilities are CVE-2025-9713, a directory traversal vulnerability that could allow an unauthenticated attacker to execute code remotely, and CVE-2025-11622, a deserialization vulnerability that could allow escalation of privilege. At the time of this update, Ivanti states it is not aware of any customers being exploited in the wild; however, given the function of these security services and the potential for chaining the disclosed vulnerabilities, Beazley Security recommends that affected organizations apply the mitigations. Please review the updated "Mitigations and Workarounds" section of this advisory for additional details.

    On October 7, 2025, Trend Micro's Zero Day Initiative (ZDI) publicly disclosed 13 unpatched vulnerabilities in Ivanti Endpoint Management: twelve remote code execution (RCE) flaws and one local privilege escalation bug. These issues were privately reported to Ivanti between November 2024 and June 2025 but remained unresolved when they were publicly disclosed. ZDI did not provide technical details or public proof-of-concept (PoC) exploit code, but it did list the vulnerable endpoints.

    Ivanti Endpoint Management devices are deployed internet-facing by design and can give attackers initial access to an organization's network. While there are, at the time of writing, no reports of these vulnerabilities being used in the wild, Beazley Security expects threat actors to analyze the reported vulnerable endpoints, reverse engineer the vulnerabilities, and deploy their own weaponized exploits soon.

    As of the writing of this advisory, no patches or mitigations had been released for any of the 13 vulnerabilities, and Beazley Security recommends that affected organizations restrict access to their Ivanti Endpoint Management devices until fixes are available.

    Affected Systems or Products

    All thirteen vulnerabilities were reported to affect Ivanti Endpoint Manager appliances. At the time of writing, Ivanti had not released its own advisory or security patches, so all available versions of Endpoint Manager are affected.

    Software            Affected Versions    Fixed Versions
    Endpoint Manager    All                  None

    Mitigations / Workarounds

    Update October 14, 2025 - Ivanti has updated their advisory to include mitigations for the following flaws:

    Insecure deserialization (CVE-2025-11622) – Ivanti has suggested that moving to the EPM 2024 SU3 SR1 version of the software reduces exposure to this specific vulnerability. Customers that have not yet upgraded should use a firewall that restricts access to only the required TCP ports and prevents remote connections to high-range or unexpected ports. Administrators should limit EPM Core server access to trusted management networks only and ensure this system is not exposed to the internet. For additional hardening tips on the matter, log in to Ivanti's portal with a valid account to review the vendor's best practice guidance.

    Path traversal flaw (CVE-2025-9713) - Only import configuration files from trusted sources and validate their contents before use. Administrators should apply best-practice change control procedures and review configurations carefully to confirm that only trusted and expected parameters exist within configuration imports.

    SQL injection disclosed across multiple CVEs (CVE-2025-11623, CVE-2025-62392, CVE-2025-62390, CVE-2025-62389, CVE-2025-62388, CVE-2025-62387, CVE-2025-62385, CVE-2025-62391, CVE-2025-62383, CVE-2025-62386, CVE-2025-62384) – Assess reporting needs until patches can be applied. Administrators can temporarily remove the reporting database user from their configuration to mitigate the SQLi vulnerabilities; however, this will disable reporting functionality, as this user account is required to run reporting within EPM.

    Patches

    No vendor-provided patches were available at the time of writing.

    How Beazley Security is responding

    Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediating any issues found.

    We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

    If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.