CVE-2025-10918
📋 TL;DR
This vulnerability allows local authenticated attackers to write arbitrary files anywhere on disk due to insecure default permissions in Ivanti Endpoint Manager agent. It affects organizations using Ivanti EPM versions before 2024 SU4 with local authenticated users.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via privilege escalation to SYSTEM/root, installation of persistent malware, or destruction of critical system files leading to operational disruption.
Likely Case
Local privilege escalation by authenticated users to gain administrative privileges, modify system configurations, or install unauthorized software.
If Mitigated
Limited impact if proper access controls, least privilege principles, and file integrity monitoring are implemented to detect unauthorized file writes.
🎯 Exploit Status
Exploitation requires local authenticated access but is straightforward once access is obtained. No public exploit code identified at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU4 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024?language=en_US
Restart Required: Yes
Instructions:
1. Download Ivanti EPM 2024 SU4 or later from the Ivanti support portal.
2. Deploy the update through the EPM console or manually install it on endpoints.
3. Restart affected systems to apply the changes.
🔧 Temporary Workarounds
Restrict local user permissions
Apply strict access controls to limit which local users can interact with EPM agent directories and processes
Implement file integrity monitoring
Monitor critical system directories for unauthorized file writes using tools like Windows Defender ATP, auditd, or third-party FIM solutions
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit local user permissions on endpoints
- Deploy application whitelisting to prevent execution of unauthorized binaries written via this vulnerability
🔍 How to Verify
Check if Vulnerable:
Check Ivanti EPM agent version on endpoints. Versions before 2024 SU4 are vulnerable.
Check Version:
On Windows: Check EPM agent version in Control Panel > Programs. On Linux: Check /opt/ivanti/epm/version or similar installation directory.
Verify Fix Applied:
Verify agent version is 2024 SU4 or later and test file write permissions to system directories from non-privileged accounts.
📡 Detection & Monitoring
Log Indicators:
- Unusual file writes to system directories by EPM agent process
- Failed privilege escalation attempts from local users
- Modifications to EPM agent configuration files
Network Indicators:
- Unusual outbound connections from endpoints after local privilege escalation
SIEM Query:
Process creation where parent process is Ivanti EPM agent writing to sensitive system directories
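As an added illustration of the SIEM logic above (example code, not part of the advisory or of Ivanti's tooling): a small Python detector over Sysmon-style FileCreate (Event ID 11) and ProcessCreate (Event ID 1) records that flags agent writes into system directories and the later execution of a file the agent dropped there. The agent install path is a placeholder assumption, and the sample events are constructed.

```python
from typing import Iterable

# Placeholder install directory of the EPM agent (not from the advisory; set the real path).
EPM_AGENT_DIR = r"C:\PLACEHOLDER\IvantiEPMAgent"
# Directories where an agent-originated file write deserves review (Windows examples).
SENSITIVE_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Program Files")


def _norm(path: str) -> str:
    """Normalize a Windows path for case-insensitive prefix comparison."""
    return path.replace("/", "\\").rstrip("\\").lower()


def _under(path: str, directory: str) -> bool:
    """True when path lies inside directory (strictly, not equal to it)."""
    return _norm(path).startswith(_norm(directory) + "\\")


def detect(events: Iterable[dict]) -> list[str]:
    """Scan Sysmon-style events in order and return one alert string per finding.
    ID 11: the agent wrote into a sensitive dir.  ID 1: such a file was executed."""
    alerts: list[str] = []
    dropped: set[str] = set()  # sensitive-directory files written by the agent so far
    for ev in events:
        if ev.get("EventID") == 11 and _under(ev["Image"], EPM_AGENT_DIR):
            target = ev["TargetFilename"]
            if any(_under(target, d) for d in SENSITIVE_DIRS):
                dropped.add(_norm(target))
                alerts.append(f"agent wrote {target}")
        elif ev.get("EventID") == 1 and _norm(ev["Image"]) in dropped:
            alerts.append(f"agent-written file executed: {ev['Image']} (parent {ev['ParentImage']})")
    return alerts


# Constructed sample events (not real telemetry): a benign agent write to its own log
# directory, a non-agent write to System32 (ignored), then an agent drop into System32
# followed by execution of that dropped file.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": EPM_AGENT_DIR + r"\agent.exe",
     "TargetFilename": EPM_AGENT_DIR + r"\logs\agent.log"},
    {"EventID": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Windows\System32\note.txt"},
    {"EventID": 11, "Image": EPM_AGENT_DIR + r"\agent.exe",
     "TargetFilename": r"C:\Windows\System32\dropped.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\dropped.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields two alerts: the drop into System32 and its subsequent execution; the agent's own log write and the non-agent write produce none.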