- Last update: 09/04/2025
- Affected software: Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7
- Type:
→ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') XSS
→ Untrusted Pointer Dereference
→ Uncontrolled Search Path Element
→ Improper Following of a Certificate's Chain of Trust
→ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- CVE/CVSS:
→ CVE-2025-22466: CVSS 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)
→ CVE-2025-22465: CVSS 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
→ CVE-2025-22464: CVSS 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
→ CVE-2025-22458: CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-22459: CVSS 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
→ CVE-2025-22461: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
https://nvd.nist.gov/vuln/detail/CVE-2025-22466
https://nvd.nist.gov/vuln/detail/CVE-2025-22465
https://nvd.nist.gov/vuln/detail/CVE-2025-22464
https://nvd.nist.gov/vuln/detail/CVE-2025-22458
https://nvd.nist.gov/vuln/detail/CVE-2025-22459
https://nvd.nist.gov/vuln/detail/CVE-2025-22461
Ivanti Endpoint Manager is a unified endpoint management (UEM) solution that helps IT administrators manage and secure various devices, including Windows, macOS, Linux, Chrome OS, and IoT devices, from a single console.
On the 8th of April 2025, Ivanti announced that three high (CVE-2025-22466, CVE-2025-22458, CVE-2025-22461) and three medium (CVE-2025-22465, CVE-2025-22464, CVE-2025-22459) vulnerabilities had been found in Ivanti Endpoint Manager versions 2024 and 2022 SU6.
As of April 9, 2025, there are no publicly reported incidents of any of those vulnerabilities being exploited in the wild and there is no proof-of-concept (PoC) available online.
CVE-2025-22466 and CVE-2025-22465 are, respectively, a high and a medium criticality cross-site scripting (XSS) vulnerability, both caused by the improper neutralization of input during web page generation. CVE-2025-22466 has a high impact on confidentiality, low impact on integrity and no impact on availability. CVE-2025-22465 has a low impact on both confidentiality and integrity, and no impact on availability.
CVE-2025-22464 is a medium criticality untrusted pointer dereference vulnerability. CVE-2025-22464 has no impact on confidentiality, low impact on integrity and high impact on availability.
CVE-2025-22458 is a high criticality uncontrolled search path element vulnerability. CVE-2025-22458 has a high impact on all aspects of the CIA triad (confidentiality, integrity, availability).
CVE-2025-22459 is a medium criticality improper following of a certificate’s chain of trust vulnerability. CVE-2025-22459 has low impact on confidentiality and integrity and no impact on availability.
CVE-2025-22461 is a high criticality SQL injection vulnerability caused by the improper neutralization of special elements used in an SQL command. CVE-2025-22461 has a high impact on all aspects of the CIA triad (confidentiality, integrity, availability).
CVE-2025-22466:
A remote, unauthenticated attacker without privileges can, with user interaction, exploit this vulnerability to obtain admin privileges. This occurs because user input is not neutralized, or is incompletely neutralized, before it is processed and used as output for a web page.
CVE-2025-22465:
A remote, unauthenticated attacker without privileges can, with user interaction, exploit this vulnerability to execute arbitrary JavaScript code in the victim’s browser. This vulnerability has the same root cause as CVE-2025-22466.
CVE-2025-22464:
A local attacker with low privileges and no user interaction can exploit this vulnerability to cause a denial-of-service. This occurs because an untrusted source gives the system a value, which the system converts to a pointer and then dereferences. This can allow the attacker to write arbitrary data in memory.
CVE-2025-22458:
A local attacker with low privileges and no user interaction can exploit this vulnerability to escalate their privileges to System level and gain complete system control. The attacker can achieve this by manipulating the Dynamic Link Library (DLL) search paths. This way the attacker can gain unauthorized access to sensitive system resources and can install malware or create new system accounts.
CVE-2025-22459:
A remote attacker without any privileges and without any user interaction can exploit this vulnerability to intercept and manipulate network communications between Ivanti Endpoint Manager clients and servers. This occurs because the system does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate.
CVE-2025-22461:
A remote attacker with high (admin) privileges and without any user interaction can exploit this vulnerability to execute arbitrary SQL commands. This occurs because special elements used as input for an SQL command are improperly neutralized. It can lead to database record modification. The attacker can gain unauthorized access to sensitive database information, move laterally inside the network and completely compromise the system.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing. The CCB recommends upgrading to version 2024 SU1 or 2022 SU7 or later.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.