Ivanti has recently addressed three high-severity vulnerabilities in its Endpoint Manager (EPM) software. These flaws could allow attackers to decrypt other users’ passwords or access sensitive database information if exploited. This blog post provides a detailed overview of these vulnerabilities and the necessary steps to mitigate potential risks for organizations relying on Ivanti EPM.
Vulnerability Overview
The recent security update from Ivanti targets three specific vulnerabilities, each with a high severity rating according to the Common Vulnerability Scoring System (CVSS).
- CVE-2025-6995 & CVE-2025-6996: Improper Encryption – These vulnerabilities stem from improper use of encryption in the EPM agent. Both carry a CVSS score of 8.4 (High) and could enable a local authenticated attacker to decrypt other users’ passwords.
- CVE-2025-7037: SQL Injection – This vulnerability involves an SQL injection flaw with a CVSS score of 7.2 (High), allowing a remote authenticated attacker with admin privileges to read arbitrary data from the database.
A detailed breakdown of the vulnerabilities is presented below:
CVE Number | Description | CVSS Score | CVSS Vector | CWE |
---|---|---|---|---|
CVE-2025-6995 | Improper encryption in the EPM agent allows a local authenticated attacker to decrypt other users’ passwords. | 8.4 (High) | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | CWE-257 (Storing Passwords in a Recoverable Format) |
CVE-2025-6996 | Improper encryption in the EPM agent allows a local authenticated attacker to decrypt other users’ passwords. | 8.4 (High) | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N | CWE-257 (Storing Passwords in a Recoverable Format) |
CVE-2025-7037 | SQL injection in EPM allows a remote authenticated attacker with admin privileges to read arbitrary data from the database. | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-89 (SQL Injection) |
Affected Versions and Solutions
These vulnerabilities affect Ivanti Endpoint Manager versions before 2024 SU3 and 2022 SU8 Security Update 1. The encryption flaws specifically target the agent component, making local access a potential gateway for attackers to compromise user credentials.
The affected versions and corresponding resolved versions are:
Product Name | Affected Version(s) | Resolved Version(s) |
---|---|---|
Ivanti Endpoint Manager | 2022 SU8 and prior | 2022 SU8 Security Update 1 |
Ivanti Endpoint Manager | 2024 SU2 and prior | 2024 SU3 |
Organizations using affected versions are strongly advised to update immediately to the resolved versions – 2024 SU3 or 2022 SU8 Security Update 1.
TTP Analysis
The vulnerabilities in Ivanti Endpoint Manager allow attackers to perform various malicious activities:
- T1552.001 – Unsecured Credentials: Credentials In Files (formerly T1081 – Credentials in Files): CVE-2025-6995 and CVE-2025-6996 let a local authenticated attacker decrypt other users’ stored passwords, potentially gaining unauthorized access to those accounts.
- T1005 – Data from Local System: CVE-2025-7037 allows a remote attacker who already holds admin privileges to perform SQL injection and read arbitrary data from the EPM database, potentially exfiltrating sensitive records.
These vulnerabilities highlight the importance of securing endpoint management tools and enforcing least privilege on the hosts that run them: the encryption flaws are only reachable with a local account on the agent host, and the injection flaw only with an admin account on the console. The two technique sets map to TA0006 – Credential Access and TA0009 – Collection respectively.
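Ivanti has not published the injected parameter or query for CVE-2025-7037, so the following is a generic illustration of the CWE-89 pattern described above, added for this post and not taken from Ivanti's code. It builds a constructed in-memory SQLite database with an inventory table that an admin is allowed to search and a second table they should never reach through that search, then shows how a string-spliced query lets a UNION payload read the second table while the parameterised version treats the same input as plain data.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample schema: not Ivanti's schema, just two tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE devices (name TEXT, os TEXT);
        INSERT INTO devices VALUES
            ('ws-01', 'Windows 11'),
            ('srv-02', 'Windows Server 2022');

        -- A table the search endpoint should never expose.
        CREATE TABLE service_accounts (username TEXT, secret TEXT);
        INSERT INTO service_accounts VALUES
            ('svc_deploy', 'constructed-secret-value');
        """
    )
    return conn


def search_devices_vulnerable(conn: sqlite3.Connection, name_filter: str) -> list:
    """CWE-89: the caller-controlled filter is spliced into the SQL text,
    so it is parsed as SQL rather than treated as a value."""
    sql = f"SELECT name, os FROM devices WHERE name = '{name_filter}'"
    return conn.execute(sql).fetchall()


def search_devices_safe(conn: sqlite3.Connection, name_filter: str) -> list:
    """Parameterised query: the filter is bound as data by the driver,
    so quotes, UNION and comment markers inside it have no SQL meaning."""
    return conn.execute(
        "SELECT name, os FROM devices WHERE name = ?", (name_filter,)
    ).fetchall()


# The UNION selects exactly two columns so it lines up with the two-column
# SELECT it is appended to; the trailing comment swallows the closing quote.
PAYLOAD = "nope' UNION SELECT username, secret FROM service_accounts --"


def demo() -> tuple:
    """Return (rows leaked by the vulnerable search, rows from the safe search)
    for the same payload."""
    conn = build_demo_db()
    leaked = search_devices_vulnerable(conn, PAYLOAD)
    safe = search_devices_safe(conn, PAYLOAD)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable search returned:", leaked)
    print("parameterised search returned:", safe)
```

The vulnerable search returns the `service_accounts` row even though the SQL text only names `devices`; the safe one returns nothing because no device is literally named after the payload string. This is also why the CVSS vector for CVE-2025-7037 carries PR:H but still rates High: an admin who can only search the inventory through the UI is still crossing a trust boundary when they can read tables the UI never exposes.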
Mitigation and Recommendations
Ivanti has stated that it is not aware of any exploitation of these vulnerabilities prior to public disclosure. The issues were reported through the company’s responsible disclosure program, so patches were available before any known attacks. To mitigate the risks, organizations should take the following actions:
- Immediate Updates: Apply the resolved versions (2024 SU3 or 2022 SU8 Security Update 1) without delay.
- System Audits: IT administrators should audit their systems for affected versions of Ivanti Endpoint Manager.
- Unusual Activity Monitoring: While no exploitation has been reported, monitor systems for unusual activity as a precaution.
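For the audit step, the comparison is easy to get wrong by hand because the fixed builds differ per branch and one of them is a "Security Update" on top of an SU. Below is an added helper (written for this post, not an Ivanti tool) that encodes the affected/resolved table above: it parses version strings of the form `2024 SU3` or `2022 SU8 Security Update 1` and reports whether a build is below the resolved build on its branch. It assumes you have already collected each host's EPM version string from your inventory (the page does not specify where EPM reports it), and it deliberately returns "unknown" for branches the advisory does not mention rather than guessing.

```python
import re
from typing import Dict, Optional, Tuple

# Resolved builds from the advisory, as (SU number, Security Update number).
# Anything below these on the same branch is affected.
RESOLVED: Dict[int, Tuple[int, int]] = {
    2022: (8, 1),  # 2022 SU8 Security Update 1
    2024: (3, 0),  # 2024 SU3
}

# Matches "2024", "2024 SU3", "2022 SU8 Security Update 1" (case-insensitive).
_VERSION_RE = re.compile(
    r"^(?P<branch>20\d\d)"
    r"(?:\s+SU\s*(?P<su>\d+))?"
    r"(?:\s+Security Update\s+(?P<sec>\d+))?$",
    re.IGNORECASE,
)


def parse_epm_version(text: str) -> Tuple[int, int, int]:
    """Return (branch, SU, Security Update) with 0 for absent components."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EPM version string: {text!r}")
    return int(m["branch"]), int(m["su"] or 0), int(m["sec"] or 0)


def is_affected(text: str) -> Optional[bool]:
    """True if below the resolved build on its branch, False if at or above,
    None if the branch is not covered by the advisory (verify with the vendor)."""
    branch, su, sec = parse_epm_version(text)
    fixed = RESOLVED.get(branch)
    if fixed is None:
        return None
    return (su, sec) < fixed


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'AFFECTED', 'patched' or 'unknown' for a quick report."""
    labels = {True: "AFFECTED", False: "patched", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = {
    "epm-core-01": "2024 SU2",
    "epm-core-02": "2024 SU3",
    "epm-legacy-01": "2022 SU8",
    "epm-legacy-02": "2022 SU8 Security Update 1",
    "epm-legacy-03": "2022 SU7",
    "epm-eol-01": "2021 SU5",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:15} {SAMPLE_INVENTORY[host]:30} {status}")
```

The comparison is on the tuple (SU, Security Update), so a plain `2022 SU8` sorts below `2022 SU8 Security Update 1` and is correctly flagged, while a bare `2024` with no SU is treated as SU0 and flagged as well. Treat "unknown" as a prompt to check Ivanti's lifecycle status for that branch rather than as a clean bill of health.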
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.