Full Report
Multiple vulnerabilities have been discovered in Ivanti products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system.

Ivanti Endpoint Manager is a client-based unified endpoint management software. Ivanti Endpoint Manager Mobile (Ivanti EPMM) is a mobile management software engine that enables mobile device, application, and content management. Ivanti Neurons for Mobile Device Management (MDM) is a platform designed to streamline the management and security of mobile devices across various operating systems.

Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Ivanti Products Leading to Remote Code Execution
## CVE Details
*Due to the nature of the source article listing multiple CVEs without assigning specific scores or CWEs universally across all listed items, the summary below focuses on the most severe, named vulnerability (CVE-2025-9713) and lists others where detail permits.*
- CVE ID: CVE-2025-9713 (Most Severe Mentioned)
- CVSS Score: *Not explicitly provided for the highest severity vulnerability in the summary, but exploitation leads to RCE.*
- CWE: *Not explicitly provided for CVE-2025-9713, but other issues map to CWE-862, CWE-308, CWE-306.*
## Affected Systems
- Products:
  * Ivanti Endpoint Manager (EPM)
  * Ivanti Endpoint Manager Mobile (EPMM)
  * Ivanti Neurons for Mobile Device Management (MDM)
- Versions:
  * EPM: 2024 SU3 SR1 and prior; 2022 SU8 SR2 and prior
  * EPMM: 12.6.0.1 and prior; 12.5.0.2 and prior; 12.4.0.3 and prior
  * Neurons for MDM: R118 and prior (for some flaws); R119 and prior (for MFA/Auth bypass flaws)
- Configurations: Systems running these specific product versions.
## Vulnerability Description
Multiple vulnerabilities exist across Ivanti products. The most severe stems from a **Path Traversal vulnerability in Ivanti Endpoint Manager** that allows a remote, unauthenticated attacker to achieve Remote Code Execution (RCE) in the context of the system. Exploitation allows the attacker to install programs and to view, change, or delete data; the impact scales with the privileges of the compromised account, so administrative accounts are the most heavily affected.
Other vulnerabilities include:
* OS command injection (requiring admin privileges) in EPMM.
* Path traversal leading to unintended disk writes (requiring admin privileges) in EPMM.
* Privilege escalation via Insecure Deserialization in EPM (Local, Authenticated).
* SQL Injection in EPM (Remote, Authenticated) allowing data reading.
* Missing authorization (CWE-862), MFA Bypass (CWE-308), and Missing Authentication (CWE-306) in Ivanti Neurons for MDM.
## Exploitation
- Status: Currently no reports of exploitation in the wild for these specific vulnerabilities.
- Complexity: For CVE-2025-9713 (RCE via Path Traversal), the advisory notes that **user interaction may be required**. The other flaws require authentication or administrative privileges.
- Attack Vector: Network (for RCE/SQLi); Local (for Privilege Escalation).
## Impact
Successful exploitation of the most severe vulnerability (RCE) allows significant impact:
- Confidentiality: High (View data)
- Integrity: High (Change/Delete data, install programs)
- Availability: High (Dependent on the specific action taken by the attacker post-RCE)
## Remediation
### Patches
The vendor has released updates. Users must apply patches immediately after testing.
* **Ivanti EPM, EPMM:** Consult the vendor advisories for the specific patch versions addressing the identified CVEs.
* EPMM releases 12.6.0.2, 12.5.0.4, and 12.4.0.4 address the command injection and path traversal flaws.
* **Ivanti Neurons for MDM:** Updates are available for the MFA bypass (affecting R119 and prior) and for the authorization/authentication flaws (affecting R118 and prior).
### Workarounds
No explicit workarounds were detailed in the provided summary context, though general vulnerability management practices were recommended.
## Detection
- Indicators of compromise depend on the specific exploited vulnerability, but successful RCE exploitation could manifest as unexpected processes running or unauthorized file modifications.
- Detection methods rely on applying vendor security advisories and maintaining a **Vulnerability Management Process (Safeguard 7.1)** and a **Remediation Process (Safeguard 7.2)**.
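Because the most severe flaw is a path traversal reachable over the network, one practical detection step on the web-server side is to scan request logs for encoded or plain `..` segments. The script below is an added example written for this summary; it is not Ivanti code, it does not know any Ivanti endpoint, and the Common Log Format lines, addresses and the `/api/files/` route in it are constructed for illustration. It decodes paths repeatedly (to catch double-encoding), flags any request whose path contains a `..` segment, and tallies flagged requests per source address.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format. The request paths,
# addresses and the /api/files/ route are made up for this example and do not
# describe any Ivanti endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:10:00:01 +0000] "GET /api/files/report.pdf HTTP/1.1" 200 512
10.0.0.7 - - [01/Oct/2025:10:00:02 +0000] "GET /api/files/../../etc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [01/Oct/2025:10:00:03 +0000] "GET /api/files/%2e%2e/%2e%2e/windows/win.ini HTTP/1.1" 404 0
10.0.0.9 - - [01/Oct/2025:10:00:04 +0000] "POST /api/files/%252e%252e%252fconfig HTTP/1.1" 500 0
10.0.0.5 - - [01/Oct/2025:10:00:05 +0000] "GET /api/files/q?name=a..b HTTP/1.1" 200 10
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double- or triple-encoded sequences are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(target):
    """True if the request path contains a '..' segment after decoding.

    Only the path is inspected (query string removed); backslashes are
    treated as separators because Windows-hosted services accept them.
    A '..' inside a longer segment such as 'a..b' is not a traversal.
    """
    path = target.split("?", 1)[0]
    path = fully_decode(path).replace("\\", "/")
    return ".." in path.split("/")


def find_traversal_attempts(log_text):
    """Return (ip, method, status, decoded_path) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash
        if is_traversal(m["target"]):
            decoded = fully_decode(m["target"].split("?", 1)[0])
            hits.append((m["ip"], m["method"], m["status"], decoded))
    return hits


def attempts_by_source(hits):
    """Count flagged requests per source address, for triage prioritisation."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_traversal_attempts(SAMPLE_LOG)
    for hit in found:
        print("traversal attempt:", hit)
    print("per source:", attempts_by_source(found))
```

Run against the constructed log, three of the five requests are flagged, including the double-encoded one, and the `a..b` query parameter is correctly ignored. On a real deployment, feed the script the reverse-proxy or application access log and treat any hit, even one that returned 404, as worth correlating with the host-side indicators above (unexpected processes, unauthorized file modifications), since a failed probe often precedes a successful one.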
## References
- [Ivanti Security Advisory: EPMM October 2025 Multiple CVEs](https://forums.ivanti.com/s/article/Security-Advisory-Endpoint-Manager-Mobile-EPMM-10-2025-Multiple-CVEs?language=en_US&_gl=1*y8551y*_gcl_au*MTE4NTQxNDAxMS4xNzU3NDM5NzI5)
- [Ivanti Security Advisory: Neurons for MDM October 2025](https://forums.ivanti.com/s/article/October-2025-Security-Advisory-Ivanti-Neurons-for-MDM?language=en_US&_gl=1*y8551y*_gcl_au*MTE4NTQxNDAxMS4xNzU3NDM5NzI5)
- [Ivanti Security Advisory: EPM October 2025](https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US)