Warning: Ivanti discloses 13 Vulnerabilities in Endpoint Manager – No patches available, Mitigate ASAP

  • Published: 21/10/2025
  • Last update: 21/10/2025

  • Affected software: Ivanti Endpoint Manager (EPM) 2024 SU3 SR1 and prior
    Ivanti Endpoint Manager (EPM) 2022 SU8 SR2 and prior

  • Type: Insecure deserialisation, Path traversal leading to Remote Code Execution, SQL Injection

  • CVE/CVSS : Ivanti has disclosed 13 vulnerabilities, 2 of which are rated high and 11 are rated medium.
    → CVE-2025-9713: CVSS 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
    → CVE-2025-11622: CVSS 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    → 11 SQL injection CVEs: CVSS 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Sources

Ivanti <https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US>

Risks

Ivanti disclosed 13 vulnerabilities in its Endpoint Manager (EPM) product line, including two high-severity flaws: one that allows a remote, unauthenticated attacker to execute arbitrary code on the EPM Core server (with user interaction) and one that allows a local, authenticated attacker to escalate privileges on it. Although no exploitation has been observed at the time of publication, organisations running outdated versions are at high risk and must prioritise upgrades and mitigations immediately.

Because EPM Core servers act as central management systems connected to a large number of endpoints, an attacker gaining access could move laterally across the network, deploy malware through the trusted software-distribution channel, or exfiltrate sensitive configuration data.

The combination of central control, network reach, and frequent internet exposure makes Ivanti EPM a high-value and high-risk asset for threat actors.

Ivanti strongly urges customers to upgrade from the unsupported EPM 2022 to EPM 2024, and to apply the recommended mitigations until full patches are available.

  • Two high-severity vulnerabilities (CVSS 7.8 and 8.8) could allow local privilege escalation
    (CVE-2025-11622) and remote code execution (CVE-2025-9713) respectively.
  • Eleven medium-severity SQL injection flaws could expose database contents to
    authenticated attackers.
  • Systems running EPM 2022 or earlier are end of life and no longer supported.

Description

CVE-2025-11622 is a high-severity insecure deserialisation vulnerability in EPM 2024 SU3 SR1 and prior that could allow a local, authenticated attacker to escalate privileges on the EPM Core server. This CVE has a CVSSv3 score of 7.8 and is rated high.

The risk associated with this vulnerability is significantly lower for customers running Ivanti EPM 2024 SU3 SR1. Customers who have not yet upgraded to EPM 2024 SU3 SR1 should use a reliable firewall with an allowlist configuration to prevent remote access to arbitrary high-range TCP ports on the Core server.
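One way to implement the allowlist mitigation above on the Windows host that runs the EPM Core, as an added example that is not part of the Ivanti or CCB advisory. It restricts inbound high-range TCP ports to named administration hosts while keeping the ports that managed endpoints need open. The interpretation of "high-range" as the ephemeral range 49152-65535, the admin addresses and the agent port value are all assumptions; take the real port list from Ivanti's EPM port documentation.

```powershell
# Added example, not Ivanti's or the CCB's own configuration: build an inbound allowlist on
# an EPM Core server (Windows Firewall) so that high-range TCP ports can only be reached
# from named administration hosts, while the ports that managed endpoints legitimately
# need stay reachable. Every address and port value here is an assumption.

function Set-EpmCoreInboundAllowlist {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string[]] $AdminHosts,   # jump hosts / admin workstations
        [Parameter(Mandatory)] [string[]] $AgentPorts,   # ports agents must reach (Ivanti port docs)
        [string] $HighRange = '49152-65535',             # assumed meaning of "high-range TCP ports"
        [string] $RuleGroup = 'EPM Core hardening'
    )

    # Windows Firewall evaluates explicit Block rules ahead of Allow rules, so a broad Block
    # rule with an admin-host exception would also block the admins. The allowlist therefore
    # rests on the profile's default inbound action (Block) plus narrow Allow rules.
    if ($PSCmdlet.ShouldProcess('Domain,Private,Public', 'Set default inbound action to Block')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
    }

    # Re-running the function must not pile up duplicate rules.
    Get-NetFirewallRule -Group $RuleGroup -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # High-range ports: reachable from the admin hosts only; everyone else hits the default Block.
    New-NetFirewallRule -DisplayName 'EPM Core - high-range TCP from admin hosts' `
        -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort $HighRange `
        -RemoteAddress $AdminHosts -Action Allow -Profile Any | Out-Null

    # Agent-facing ports stay open to the endpoints EPM manages (here: any source address).
    # Narrow -RemoteAddress to your endpoint subnets if your network layout allows it.
    New-NetFirewallRule -DisplayName 'EPM Core - agent-facing TCP' `
        -Group $RuleGroup -Direction Inbound -Protocol TCP -LocalPort $AgentPorts `
        -Action Allow -Profile Any | Out-Null
}

function Get-EpmCoreInboundAllowlist {
    # Verification: one row per rule with the port filter and remote scope that actually landed.
    param([string] $RuleGroup = 'EPM Core hardening')
    Get-NetFirewallRule -Group $RuleGroup -Direction Inbound | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }
}

# Usage (values are assumed; check them against Ivanti's port documentation first).
# Run with -WhatIf once to see what would change before committing the rules.
Set-EpmCoreInboundAllowlist -AdminHosts '10.10.5.10', '10.10.5.11' -AgentPorts '443' -WhatIf
Set-EpmCoreInboundAllowlist -AdminHosts '10.10.5.10', '10.10.5.11' -AgentPorts '443'
Get-EpmCoreInboundAllowlist | Format-Table -AutoSize
```

Run this in an elevated session on the Core server itself, and verify with the second function (and a port scan from a non-allowlisted host) that the high-range rule shows only the admin addresses in RemoteAddress. Default-deny leaves Windows' built-in inbound rules (remote management, RDP) in place, so review those too rather than assuming the default action alone closes them.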

CVE-2025-9713 is a path-traversal vulnerability in Ivanti Endpoint Manager, with a CVSSv3 score of 8.8 and a high rating. Successful exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary code, but user interaction is required.

In accordance with best practices and Ivanti recommendations, organisations must avoid importing configuration files from untrusted sources into the EPM Core server. If this is unavoidable, the contents of each file must be thoroughly reviewed manually.

The remaining 11 CVEs (CVE-2025-11623, CVE-2025-62392, CVE-2025-62390, CVE-2025-62389, CVE-2025-62388, CVE-2025-62387, CVE-2025-62385, CVE-2025-62391, CVE-2025-62383, CVE-2025-62386, CVE-2025-62384) are SQL injection vulnerabilities in Ivanti Endpoint Manager, with a CVSSv3 score of 6.5 and a rating of medium. Successful exploitation of these vulnerabilities could allow a remote authenticated attacker to read arbitrary data from the database.

To mitigate the SQL injection series, administrators can remove the Reporting database user from their configuration. This closes the affected code path, but it also disables reporting, because a read-only reporting user is required to run any EPM report.

Recommended Actions

Patch (not available)

The Centre for Cybersecurity Belgium (CCB) strongly recommends installing the official fixes on vulnerable systems with the highest priority as soon as Ivanti releases them, after thorough testing. Monitor Ivanti's advisory for the patch announcement and test updates before production deployment.

Restrict and Harden Configuration

Upgrade to the latest EPM 2024 release (SU3 SR1), on which the risk of CVE-2025-11622 is significantly lower, and apply Ivanti's mitigations until patches are available.

The CCB recommends:

  • Restrict access to the management interface to trusted admin systems.
  • Harden authentication by enforcing strong passwords, multi-factor authentication, and limiting the number of privileged users.
  • Review and minimise service account privileges where possible, ensuring the account has only the rights necessary for EPM operation. Test any changes before applying them in production to avoid service disruption.
  • Use dedicated accounts for Ivanti services instead of shared or domain administrator accounts, and split service accounts by role (e.g., separate accounts for web components, database access, and background services) to reduce the impact of a single account compromise.

Monitor/Detect 

The CCB recommends that organisations scale up monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

GB Hackers <https://gbhackers.com/ivanti-patches-13-endpoint-manager-flaws/>