Multiple Remote Code Execution Vulnerabilities in Ivanti Endpoint Manager
Ivanti Endpoint Manager has been found to contain several critical vulnerabilities that could allow remote code execution (RCE) by attackers. The Zero Day Initiative (ZDI) disclosed thirteen vulnerabilities affecting undisclosed versions of Ivanti Endpoint Manager, with several remaining unpatched at the time of disclosure. Among these, ZDI-25-935 is particularly severe, enabling a remote, unauthenticated attacker to achieve RCE if they can trick a user into visiting a malicious webpage or opening a malicious file. Alternatively, attackers with administrative credentials can exploit this vulnerability without user interaction. This flaw arises from improper validation of user-supplied paths in the OnSaveToDB method, resulting in a path traversal vulnerability. Another significant vulnerability, ZDI-25-952 (CVE-2025-9872), involves the UniqueFilename attribute, where insufficient validation allows unrestricted file uploads. Exploitation of this flaw enables attackers to execute arbitrary code in the context of the NETWORK SERVICE account, again requiring either user interaction or administrative credentials. The CVSS score for these vulnerabilities is high, with ZDI-25-935 and ZDI-25-952 both rated at 8.8, indicating a critical risk to organizations using affected versions of Ivanti Endpoint Manager. Additional vulnerabilities, such as ZDI-25-936 and ZDI-25-947, involve SQL injection and privilege escalation, further increasing the attack surface. The SQL injection vulnerabilities stem from improper validation of user-supplied strings in the Report_Run and Report_Run2 classes, allowing attackers to execute code as the service account. Ivanti has responded by issuing updates to address at least some of these vulnerabilities, specifically releasing a patch for CVE-2025-9872. The vulnerabilities were reported to Ivanti in June 2025, with coordinated public disclosure occurring in October 2025. Attackers exploiting these flaws could gain significant control over affected systems, potentially leading to data theft, lateral movement, or disruption of endpoint management operations. Organizations are strongly advised to identify Ivanti Endpoint Manager installations within their networks and apply the latest security updates as soon as possible. The vulnerabilities highlight the importance of robust input validation and secure file handling in enterprise software. Security teams should also review user privileges and monitor for suspicious activity related to file uploads or unusual database queries. Given the critical nature of these vulnerabilities and the potential for exploitation, prompt remediation and heightened vigilance are essential for organizations relying on Ivanti Endpoint Manager.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
runZero publishes guidance to identify Ivanti Endpoint Manager installations
runZero published a blog post explaining how defenders can find Ivanti Endpoint Manager installations on their networks, likely in response to the disclosed security risk.
ZDI discloses Ivanti Endpoint Manager file upload RCE vulnerability
The Zero Day Initiative published advisory ZDI-25-952 for an Ivanti Endpoint Manager vulnerability involving unrestricted file upload via UniqueFilename that can lead to remote code execution.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple High-Severity Vulnerabilities in Ivanti Endpoint Manager Including Remote Code Execution and SQL Injection
Ivanti Endpoint Manager has been found to contain a total of 13 security vulnerabilities, including high-severity remote code execution (RCE) and 11 SQL injection flaws. Security researchers disclosed that these vulnerabilities could allow attackers to compromise systems managed by Ivanti Endpoint Manager, a widely used enterprise IT management solution. Among the most critical issues is CVE-2025-9713, which enables remote, unauthenticated attackers to achieve code execution through a path traversal flaw, provided user interaction occurs. The CVSS score for this vulnerability is 8.8, indicating a high risk to organizations using affected versions. The vulnerabilities were publicly disclosed in mid-October 2025, prompting urgent attention from security teams. The SQL injection vulnerabilities could allow attackers to manipulate backend databases, potentially leading to data exfiltration or further compromise of the management infrastructure. The RCE flaw, in particular, poses a significant threat as it could be exploited remotely, increasing the attack surface for threat actors. Ivanti has not yet published a comprehensive list of affected product versions, but the risk profile suggests that a broad range of deployments may be impacted. Security advisories recommend immediate review of Ivanti Endpoint Manager deployments and the application of any available patches or mitigations. Organizations are urged to monitor for signs of exploitation and to implement network segmentation to limit potential lateral movement. The vulnerabilities highlight the ongoing risks associated with enterprise management platforms, which often have elevated privileges across corporate environments. No reports of active exploitation have been confirmed at the time of disclosure, but the technical details suggest that exploitation would be feasible for skilled attackers. The disclosure underscores the importance of timely vulnerability management and the need for robust monitoring of critical IT infrastructure. Security teams should prioritize patching and consider additional controls such as application whitelisting and enhanced logging. The incident serves as a reminder of the potential impact of vulnerabilities in widely deployed enterprise software. Given the severity and nature of the flaws, organizations should treat this as a high-priority security event. The situation remains dynamic as further technical details and remediation guidance are expected from Ivanti and the security community.
Mar 21, 2026
Critical Remote Code Execution Vulnerability in Ivanti Endpoint Manager (CVE-2025-10573)
Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) software, which allows unauthenticated remote attackers to execute arbitrary JavaScript code via a stored cross-site scripting (XSS) attack. The flaw enables attackers to register fake managed endpoints to the EPM server, thereby injecting malicious JavaScript into the administrator web dashboard. When an administrator interacts with the compromised dashboard, the attacker can hijack the session and potentially gain full control over the EPM environment. Ivanti has released a patch (EPM 2024 SU4 SR1) to address this issue and strongly urges customers to update, especially since hundreds of EPM instances are exposed to the internet, increasing the risk of exploitation. The vulnerability, assigned a CVSS score of 9.6, affects EPM versions 2024 SU4 and below. Security researchers at Rapid7, who discovered and reported the flaw, emphasize the urgency of patching due to the unauthenticated nature of the attack vector. Ivanti EPM is widely used for endpoint management, remote administration, and compliance, making it a high-value target for attackers. In addition to CVE-2025-10573, Ivanti has also released fixes for three other high-severity vulnerabilities in the same update cycle. Security teams are advised to apply the latest patches immediately and review the exposure of EPM instances to the internet to mitigate the risk of compromise.
Mar 21, 2026
Critical Ivanti EPMM RCE Flaws Exploited to Compromise On-Premises Servers
Ivanti warned that its on-premises **Endpoint Manager Mobile (EPMM)** product contains two critical vulnerabilities, **`CVE-2026-1281`** and **`CVE-2026-1340`**, that can let an unauthenticated remote attacker execute arbitrary commands or code over the network. The flaws affect exposed EPMM servers and create a path to full server compromise and possible lateral movement into internal environments. Ivanti said its cloud offerings, including **Ivanti Neurons for MDM**, and the separate **Ivanti Endpoint Manager (EPM)** product are not affected, and it released patches, incident-response guidance, and a detection tool to help customers assess exposure and compromise. Follow-up advisories said the vulnerabilities are being **actively exploited**, prompting defenders to inspect EPMM systems for anomalous logs, unauthorized administrator-account changes, and suspicious device-configuration modifications. A later update citing Germany's **BSI** said exploitation may date back to **summer 2025**, expanding the scope of required forensic review beyond recent activity. Public reporting from security researchers, including Palo Alto Networks Unit 42 and vulnerability tracking sources, reinforced that the issue is an unauthenticated remote code execution risk requiring immediate patching and retrospective compromise hunting on affected on-premises deployments.
May 25, 2026