Critical Vulnerabilities in Ivanti Endpoint Manager Allow Arbitrary File Writes
Ivanti has recently addressed three high-severity vulnerabilities in its Endpoint Manager (EPM) software that could allow authenticated local attackers to write arbitrary files to any location on the system disk. These vulnerabilities pose significant risks to enterprise environments, including malicious code execution and data tampering.
Detailed Overview of the Vulnerabilities:
1. CVE-2025-10918: This vulnerability arises from insecure default permissions in the Endpoint Manager agent versions prior to 2024 SU4. It has been assigned a CVSS score of 7.1 (High) and is categorized under CWE-276 for incorrect default permissions. An attacker with local authenticated access could exploit this flaw to overwrite critical files, potentially leading to privilege escalation or operational disruptions.
2. CVE-2025-9713: This path traversal vulnerability allows a remote unauthenticated attacker to write arbitrary files and thereby achieve remote code execution, provided a user interacts with attacker-supplied content (e.g., imports a malicious file). It carries a CVSS score of 8.8 (High). Exploitation could result in full system compromise and unauthorized file manipulation.
3. CVE-2025-11622: An insecure deserialization vulnerability that enables a local authenticated attacker to escalate privileges, facilitating arbitrary file writes post-escalation. This vulnerability has a CVSS score of 7.8 (High). Successful exploitation could grant unauthorized access to sensitive system resources.
Affected Systems and Mitigation Measures:
The vulnerabilities impact Ivanti Endpoint Manager versions up to and including 2024 SU3 SR1. Ivanti has released the 2024 SU4 update to address these issues. Customers are urged to download and apply this update via Ivanti’s License System portal.
The older 2022 branch reached end-of-life in October 2025 and will receive no patches for these issues. Organizations still running it must upgrade to the 2024 SU4 version to mitigate these risks effectively.
Security Research and Responsible Disclosure:
Ivanti has acknowledged security researcher Enrique Fernández Lorenzo, known as bighound, for responsibly reporting CVE-2025-10918. The company emphasizes its commitment to vulnerability disclosure and encourages ethical hackers to engage through its responsible disclosure policy.
Recommendations for Organizations:
– Immediate Patching: Organizations should prioritize applying the 2024 SU4 update to mitigate these vulnerabilities.
– System Audits: Conduct thorough audits to identify any unauthorized file changes or suspicious activities that may indicate exploitation attempts.
– Access Controls: Review and strengthen access controls to limit the potential impact of local authenticated attackers.
– User Training: Educate users about the risks of interacting with untrusted files and the importance of following security protocols.
By taking these steps, organizations can enhance their security posture and protect against potential exploits targeting these vulnerabilities.