CVE-2025-11622

7.8 HIGH

📋 TL;DR

This vulnerability allows a local authenticated attacker to exploit insecure deserialization in Ivanti Endpoint Manager (EPM) to escalate privileges. An attacker who already has a local account or session on an affected host can gain higher privileges on that system; no additional network access is needed beyond the initial local foothold. Organizations running Ivanti Endpoint Manager releases before 2024 SU4 are affected.

💻 Affected Systems

Products:
  • Ivanti Endpoint Manager
Versions: All versions before 2024 SU4
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability affects the core EPM product regardless of configuration. Local authentication is required for exploitation.

📦 What is this software?

Ivanti Endpoint Manager (EPM, the successor to LANDESK Management Suite) is a unified endpoint management product used for inventory, software distribution, patch deployment and remote control of managed devices. Because the EPM core server holds credentials and deployment rights for the entire managed estate, a privilege escalation on it has consequences well beyond the single host.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with administrative privileges, enabling lateral movement, data exfiltration, and installation of persistence mechanisms.

🟠 Likely Case

Local privilege escalation allowing attackers to bypass security controls, access sensitive data, and execute arbitrary code with elevated permissions.

🟢 If Mitigated

Limited impact if proper access controls, network segmentation, and monitoring are in place to detect and contain privilege escalation attempts.

🌐 Internet-Facing: LOW - This vulnerability requires local authenticated access, making direct internet exploitation unlikely unless combined with other attack vectors.
🏢 Internal Only: HIGH - Attackers with initial foothold on internal systems can exploit this to escalate privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No (local authentication required)
Complexity: MEDIUM

Exploitation requires a local authenticated session on an affected host and the ability to supply crafted serialized data to the vulnerable EPM component, which in turn requires an understanding of deserialization attacks. No public exploit code is currently known to be available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024 SU4 or later

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025

Restart Required: Yes

Instructions:

1. Download Ivanti Endpoint Manager 2024 SU4 or later from the Ivanti portal.
2. Back up the current configuration and data.
3. Run the installer with administrative privileges.
4. Restart the EPM services and affected systems.

🔧 Temporary Workarounds

Restrict Local Access (all platforms)

Limit which accounts can log on locally to EPM hosts and enforce strict access controls. The flaw requires a local authenticated session, so every account removed from these hosts directly reduces the attack surface.

Application Whitelisting (Windows)

Implement application control policies (for example AppLocker or Windows Defender Application Control) to prevent unauthorized code execution on EPM hosts.

🧯 If You Can't Patch

  • Implement strict principle of least privilege for all user accounts
  • Deploy enhanced monitoring for privilege escalation attempts and unusual process activity

🔍 How to Verify

Check if Vulnerable:

Open the EPM console and check the installed release in the About dialog, or list the installed Ivanti EPM components and their versions on the core server (Programs and Features, or the Windows Uninstall registry keys). Any release before 2024 SU4 is affected.

Verify Fix Applied:

Confirm that the installed release is 2024 SU4 or later on every EPM core server, that the EPM services were restarted after the update, and that the build matches the one listed in the vendor advisory.
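
The following PowerShell snippet, added here as a worked example and not part of Ivanti's documentation, enumerates Ivanti EPM components registered on a Windows core server and prints their versions from the Uninstall registry keys. It assumes the product entries have a DisplayName containing "Ivanti" and "Endpoint Manager" or the legacy "LANDesk" name; adjust the filter if your entries are named differently.

```powershell
# Added example (not Ivanti's code): list installed Ivanti EPM / LANDesk
# components and their versions from the Windows Uninstall registry keys.
# Assumption: EPM registers under a DisplayName matching the pattern below.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$epm = Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Ivanti.*Endpoint Manager|LANDesk' }

if (-not $epm) {
    Write-Warning 'No Ivanti EPM / LANDesk entries found in the Uninstall keys; check the console About dialog instead.'
} else {
    $epm |
        Select-Object DisplayName, DisplayVersion, InstallDate, InstallLocation |
        Sort-Object DisplayName |
        Format-Table -AutoSize
}
```

Compare the DisplayVersion values against the 2024 SU4 build listed in the vendor advisory; run the script on every EPM core server, since the registry only reflects the local installation.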

📡 Detection & Monitoring

Log Indicators:

  • Process creation with elevated privileges whose parent is an EPM component (on Windows, Security event 4688 with a ParentProcessName under the EPM install directory)
  • Failed or repeated privilege escalation attempts by low-privileged local accounts on EPM hosts
  • Deserialization-related exceptions or stack traces in the EPM application logs

Network Indicators:

  • Unusual outbound connections from EPM servers
  • Lateral movement attempts originating from EPM systems

SIEM Query:

Splunk-style query for shells or script hosts spawned by an EPM process. Field names depend on your Windows add-on, and the parent path assumes the default EPM install directory; adjust both for your environment.

index=wineventlog EventCode=4688 Parent_Process_Name="C:\\Program Files\\LANDesk\\ManagementSuite\\*" (New_Process_Name="*\\cmd.exe" OR New_Process_Name="*\\powershell.exe" OR New_Process_Name="*\\rundll32.exe")
| table _time host Account_Name Parent_Process_Name New_Process_Name Process_Command_Line
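
For hosts without SIEM forwarding, the PowerShell hunt below (an added example, not Ivanti's code) reads the local Security log for process creation events where the parent image lives under the EPM install directory and the child is an interactive shell or script host, and reports the token elevation type for triage. It assumes that 4688 auditing with command-line logging is enabled and that EPM is installed under the default path in $EpmRoot; both are assumptions to adjust for your deployment. The ParentProcessName field is only populated on Windows 10 / Server 2016 and later.

```powershell
# Added example (not Ivanti's code): hunt Security event 4688 for shells or
# script hosts spawned by processes under the EPM install directory.
# Assumptions: 4688 auditing with command-line logging is enabled, and EPM is
# installed under $EpmRoot (default path assumed; change for your deployment).
$EpmRoot = 'C:\Program Files\LANDesk\ManagementSuite'
$Shells  = @('cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe')
$Since   = (Get-Date).AddDays(-7)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Parent    = $data['ParentProcessName']
            Child     = $data['NewProcessName']
            # %%1936 = default full token, %%1937 = elevated (full), %%1938 = limited
            Elevation = $data['TokenElevationType']
            CmdLine   = $data['CommandLine']
        }
    } |
    Where-Object {
        $_.Parent -like "$EpmRoot\*" -and
        $Shells -contains [IO.Path]::GetFileName($_.Child)
    } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

EPM legitimately launches helper processes during software distribution, so baseline the output on a known-good server before treating every hit as an escalation attempt; a shell spawned with a full token (%%1936 or %%1937) on behalf of a low-privileged user is the pattern worth escalating.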
