Login Sign Up

CVE-2025-13659

8.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in Ivanti Endpoint Manager allows remote, unauthenticated attackers to write arbitrary files to the server, which could lead to remote code execution. User interaction is required for exploitation. Organizations using Ivanti Endpoint Manager versions prior to 2024 SU4 SR1 are affected.

💻 Affected Systems

Products:
  • Ivanti Endpoint Manager
Versions: All versions prior to 2024 SU4 SR1
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction for exploitation. Ivanti Endpoint Manager deployments on Windows Server platforms are primarily affected.

📦 What is this software?

Endpoint Manager by Ivanti

View all CVEs affecting Endpoint Manager →

Endpoint Manager by Ivanti

View all CVEs affecting Endpoint Manager →

Endpoint Manager by Ivanti

View all CVEs affecting Endpoint Manager →

Endpoint Manager by Ivanti

View all CVEs affecting Endpoint Manager →

Endpoint Manager by Ivanti

View all CVEs affecting Endpoint Manager →

Endpoint Manager by Ivanti

View all CVEs affecting Endpoint Manager →

Endpoint Manager by Ivanti

View all CVEs affecting Endpoint Manager →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with full system compromise, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

File system manipulation leading to service disruption, data corruption, or privilege escalation.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction but is unauthenticated. No public proof-of-concept available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024 SU4 SR1

Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024

Restart Required: Yes

Instructions:

1. Download Ivanti Endpoint Manager 2024 SU4 SR1 from the Ivanti portal. 2. Backup current configuration and data. 3. Run the installer with administrative privileges. 4. Restart the server after installation completes.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to Ivanti Endpoint Manager servers to only trusted administrative networks.

User Awareness

all

Educate users about not interacting with suspicious links or content that could trigger the vulnerability.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted IP addresses only.
  • Deploy web application firewall (WAF) rules to block suspicious file write attempts.

🔍 How to Verify

Check if Vulnerable:

Check Ivanti Endpoint Manager version in the administration console under Help > About.

Check Version:

Not applicable - use administration console interface

Verify Fix Applied:

Verify version shows 2024 SU4 SR1 or later in the administration console.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in Ivanti logs
  • Unexpected process creation from Ivanti services

Network Indicators:

  • Unusual outbound connections from Ivanti server
  • Suspicious file transfer patterns

SIEM Query:

source="ivanti_epm" AND (event_type="file_write" OR process_name="unusual_executable")

📊 Metadata

CVE ID: CVE-2025-13659
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-913
EPSS Score: 0.32% exploit probability (54.8th percentile)
Published: December 9, 2025
Last Updated: December 11, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-13659, you might also want to check these:

CVE-2023-29017 10.0

CVE-2023-29017 is a critical sandbox escape vulnerability in vm2 that allows attackers to bypass san...

Same vulnerability type (CWE-913)
CVE-2026-25049 9.9

This vulnerability allows authenticated users with workflow creation/modification permissions in n8n...

Same vulnerability type (CWE-913)
CVE-2020-15568 9.8

CVE-2020-15568 is a critical remote code execution vulnerability in TerraMaster TOS that allows atta...

Same vulnerability type (CWE-913)