CVE-2025-13661
📋 TL;DR
CVE-2025-13661 is a path traversal vulnerability in Ivanti Endpoint Manager that allows authenticated remote attackers to write arbitrary files outside intended directories. This affects Ivanti Endpoint Manager versions prior to 2024 SU4 SR1. User interaction is required for exploitation.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through arbitrary file writes leading to remote code execution, data exfiltration, or system destruction.
Likely Case
Unauthorized file modification, configuration tampering, or privilege escalation within the EPM environment.
If Mitigated
Limited impact with proper access controls, file integrity monitoring, and network segmentation in place.
🎯 Exploit Status
Requires authenticated access and user interaction; path traversal techniques are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU4 SR1
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
Restart Required: Yes
Instructions:
1. Download Ivanti Endpoint Manager 2024 SU4 SR1 from the Ivanti portal.
2. Back up the current configuration and database.
3. Run the installer on the EPM server.
4. Restart the EPM server services.
5. Verify the update succeeded through the EPM console.
🔧 Temporary Workarounds
Restrict EPM Web Interface Access
Limit access to the EPM web interface to only trusted IP addresses and users.
Configure firewall rules to restrict access to EPM ports (default 8443)
Implement Least Privilege Access
Review and minimize user accounts with access to the EPM web interface.
Audit EPM user accounts and remove unnecessary administrative privileges
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EPM servers from critical systems
- Deploy file integrity monitoring on EPM server directories to detect unauthorized file writes
🔍 How to Verify
Check if Vulnerable:
Check Ivanti Endpoint Manager version in the EPM console under Help > About. If version is earlier than 2024 SU4 SR1, the system is vulnerable.
Check Version:
In EPM console: Navigate to Help > About to view version information
Verify Fix Applied:
Verify version shows 2024 SU4 SR1 or later in the EPM console. Test file upload functionality with path traversal attempts.
📡 Detection & Monitoring
Log Indicators:
- Unusual file write operations in EPM logs
- Path traversal patterns in web request logs (../ sequences)
- Failed authentication attempts followed by file upload requests
Network Indicators:
- Unusual file upload traffic to EPM web interface
- Multiple failed path traversal attempts
SIEM Query:
source="epm_logs" AND ("../" OR "..\\" OR "%2e%2e%2f") AND ("upload" OR "write" OR "save")
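The SIEM query above only matches the literal patterns it lists, so a single-level URL encoding with uppercase hex, a double-encoded payload, or an encoded backslash slips past it. The script below is an added example, not code from Ivanti or from this advisory: it normalizes request paths by decoding percent-encoding repeatedly and unifying separators before looking for `..` segments, and flags only requests that also target an upload/write/save endpoint. The log line format (Apache-style combined log), the endpoint names and the sample entries are all constructed assumptions for the demonstration and are not EPM's real log layout or URL paths.

```python
"""Flag path-traversal attempts against file-write endpoints in web request logs.

Added example for this advisory. The log format is an assumed Apache-style
combined format and the endpoint names are hypothetical; adapt LOG_RE and
WRITE_ENDPOINTS to the real EPM web server logs.
"""
import re
from urllib.parse import unquote

# Constructed sample log lines (hypothetical paths, not real EPM endpoints).
SAMPLE_LOGS = [
    '10.0.0.5 - admin [01/Dec/2025:10:00:01 +0000] "POST /upload?name=report.pdf HTTP/1.1" 200 512',
    '10.0.0.9 - admin [01/Dec/2025:10:00:07 +0000] "POST /upload?name=../../inetpub/wwwroot/x.aspx HTTP/1.1" 200 512',
    '10.0.0.9 - admin [01/Dec/2025:10:00:09 +0000] "POST /upload?name=%2E%2E%2F%2e%2e%2fwindows%2ftemp%2fa.txt HTTP/1.1" 200 512',
    '10.0.0.9 - admin [01/Dec/2025:10:00:11 +0000] "POST /save?name=%252e%252e%255cconfig.xml HTTP/1.1" 200 512',
    '10.0.0.7 - user1 [01/Dec/2025:10:01:00 +0000] "GET /docs/index.html HTTP/1.1" 200 2048',
    '10.0.0.7 - user1 [01/Dec/2025:10:01:02 +0000] "GET /search?q=version..2024 HTTP/1.1" 200 2048',
]

# Apache-style combined log: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Assumed keywords identifying endpoints that write files (hypothetical).
WRITE_ENDPOINTS = ("upload", "write", "save")

# A ".." segment followed by a separator or end of string, after normalization.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|$)')


def normalize(path):
    """Decode percent-encoding until stable (catches double encoding) and
    map backslashes to forward slashes so one regex covers both separators."""
    decoded = path
    for _ in range(3):  # bounded: avoid looping on pathological input
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(path):
    """True if the normalized path contains a '..' directory segment."""
    return TRAVERSAL_RE.search(normalize(path)) is not None


def targets_write_endpoint(path):
    """True if the request targets an endpoint that writes files."""
    lowered = normalize(path).lower()
    return any(word in lowered for word in WRITE_ENDPOINTS)


def scan_logs(lines):
    """Return one finding per request that combines traversal with a write endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        path = m.group("path")
        if has_traversal(path) and targets_write_endpoint(path):
            findings.append({
                "ip": m.group("ip"),
                "user": m.group("user"),
                "path": path,
                "decoded": normalize(path),
                "status": int(m.group("status")),
            })
    return findings


def by_source(findings):
    """Count findings per source IP; repeated hits from one host stand out."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_logs(SAMPLE_LOGS)
    for h in hits:
        print(f'{h["ip"]} {h["user"]} {h["status"]} {h["decoded"]}')
    print(by_source(hits))
```

Successful (2xx) responses to such requests from an authenticated account deserve more urgency than rejected ones, since the vulnerability requires authenticated access; the `status` and `user` fields in each finding are there so an analyst can prioritize on exactly that.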