Although there are no reports of active exploitation in the wild, two issues have been classified as high severity, and the remaining eleven as medium.
Ivanti is urging all customers to transition from the now end-of-life EPM 2022 to EPM 2024 and to apply interim mitigations until full patches arrive.
The most critical of the disclosed flaws is CVE-2025-11622, an insecure deserialization vulnerability in EPM 2024 SU3 SR1 and prior that permits a local authenticated user to escalate privileges on the EPM Core server (CVSS 7.8, CWE-502).
The second high-severity issue, CVE-2025-9713, is a path traversal bug that an unauthenticated attacker can exploit for remote code execution, albeit only if a user imports a malicious configuration file into the console UI (CVSS 8.8, CWE-22).
The remaining eleven vulnerabilities are SQL injection flaws scattered across EPM reporting components; remote authenticated users can leverage these to retrieve arbitrary database records (CVSS 6.5, CWE-89).
All fourteen vulnerabilities were responsibly reported by researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 in collaboration with Trend Micro’s Zero Day Initiative.
| CVE | Description | CVSS (Severity) | CWE |
|---|---|---|---|
| CVE-2025-11622 | Insecure deserialization allows local privilege escalation | 7.8 (High) | CWE-502 |
| CVE-2025-9713 | Path traversal allows RCE; UI required; unauthenticated | 8.8 (High) | CWE-22 |
| CVE-2025-11623 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62392 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62390 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62389 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62388 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62387 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62385 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62391 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62383 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62386 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
| CVE-2025-62384 | SQL injection allows data read (authenticated) | 6.5 (Medium) | CWE-89 |
While full patches are slated for EPM 2024 SU4 on November 12, 2025 (addressing insecure deserialization and path traversal) and SU5 in Q1 2026 (covering SQL injection), Ivanti recommends several interim measures.
To reduce risk from CVE-2025-11622, customers on SU3 SR1 should maintain their upgrade path to SU4 and, if unable to upgrade immediately, restrict RDP and high-range TCP port access via a robust firewall.
Administrative privileges should be limited strictly to local EPM operators.
For CVE-2025-9713, organizations must avoid importing any configuration files from untrusted sources; if unavoidable, each file’s contents must undergo thorough manual review.
To mitigate the SQL injection series, administrators can disable the Reporting database user altogether, recognizing that reporting functionality will be suspended until patches are applied.
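The interim measures above are given as prose; the following PowerShell script is an added example (not Ivanti's own code or guidance) showing how an administrator could apply and audit them on a Windows-based EPM Core server. It assumes Windows Defender Firewall is the host firewall, that "high-range TCP ports" means the Windows dynamic port range 49152-65535, a placeholder management subnet of 10.0.10.0/24, and placeholder SQL Server instance and reporting login names; check the actual login your EPM reporting configuration uses before running the last step.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the advisory. Assumptions are marked as such below.

$MgmtSubnet     = '10.0.10.0/24'    # assumption: subnet from which admins reach RDP
$HighRangeStart = 49152             # assumption: "high-range" = Windows dynamic port range
$HighRangeEnd   = 65535
$SqlInstance    = 'EPMSQL01\EPM'    # placeholder: EPM database instance
$ReportingLogin = 'EPM_Reporting'   # placeholder: reporting login to disable

# 1. RDP: scope the built-in Remote Desktop rules to the management subnet.
#    In Windows Firewall an explicit Block rule beats any Allow rule, so adding a
#    broad Block for 3389 would also lock out admins; narrowing the Allow is safer.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $MgmtSubnet

# 2. Make sure unsolicited inbound traffic is dropped unless a rule allows it.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# Returns $true when any local-port entry of a rule overlaps the given range.
# Keyword ports (RPC, RPC-EPMap, IPHTTPS, ...) are skipped and need manual review.
function Test-PortOverlap {
    param([string[]]$LocalPorts, [int]$RangeStart, [int]$RangeEnd)
    foreach ($p in $LocalPorts) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ([int]$Matches[1] -le $RangeEnd -and [int]$Matches[2] -ge $RangeStart) { return $true }
        } elseif ($p -match '^\d+$') {
            if ([int]$p -ge $RangeStart -and [int]$p -le $RangeEnd) { return $true }
        }
    }
    return $false
}

# 3. Audit: list enabled inbound Allow rules that expose TCP ports in the high
#    range to any remote address; each one is a candidate for scoping or disabling.
function Get-ExposedHighPortRules {
    param([int]$RangeStart = $HighRangeStart, [int]$RangeEnd = $HighRangeEnd)
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        if (($port.Protocol -in @('TCP', 'Any')) -and
            (Test-PortOverlap -LocalPorts @($port.LocalPort) -RangeStart $RangeStart -RangeEnd $RangeEnd) -and
            ($addr.RemoteAddress -contains 'Any')) {
            [pscustomobject]@{
                Rule      = $rule.DisplayName
                Profile   = $rule.Profile
                LocalPort = ($port.LocalPort -join ',')
                Remote    = ($addr.RemoteAddress -join ',')
            }
        }
    }
}

Get-ExposedHighPortRules | Format-Table -AutoSize

# 4. Reporting: disable the reporting login until SU5 ships (reporting stops working).
#    Assumes the reporting identity is a SQL Server login; if it is a contained
#    database user instead, use REVOKE CONNECT FROM [user] in that database.
Import-Module SqlServer
Invoke-Sqlcmd -ServerInstance $SqlInstance -Query "ALTER LOGIN [$ReportingLogin] DISABLE;"
```

Run the audit step first on a test server and review its output before changing rules; rules that report a keyword port such as `RPC` are not evaluated by `Test-PortOverlap` and should be checked by hand. Re-enable the reporting login with `ALTER LOGIN [...] ENABLE;` once the SU5 patch is applied.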
Ivanti EPM 2022 reached its end of life in October 2025.
Customers are strongly encouraged to migrate to EPM 2024, which incorporates key security improvements and hardening features that reduce exposure to these and future vulnerabilities.
Upgrade planning should factor in the staged release of SU4 and SU5, aligning testing windows and rollback procedures accordingly.
Network segmentation, least-privilege access controls, input validation policies, and regular security audits will further diminish the attack surface during the interim period.
By combining prompt updates with proactive defense-in-depth strategies, organizations can maintain operational stability while safeguarding against potential exploitation.
The post Ivanti Patches 13 Critical Vulnerabilities in Endpoint Manager Enabling Remote Code Execution appeared first on Cyber Security News.