CVE-2025-22455
📋 TL;DR
A hardcoded cryptographic key in Ivanti Workspace Control allows local authenticated attackers to decrypt stored SQL database credentials. This affects all versions before 10.19.0.0. Attackers with local access can potentially compromise database authentication.
💻 Affected Systems
- Ivanti Workspace Control
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to SQL database credentials, leading to database compromise, data exfiltration, privilege escalation, and lateral movement within the network.
Likely Case
Local authenticated users decrypt SQL credentials to access databases they shouldn't have access to, potentially leading to data theft or unauthorized modifications.
If Mitigated
With proper network segmentation and least privilege access, impact is limited to specific database instances accessible from the compromised system.
🎯 Exploit Status
Exploitation requires local authenticated access and knowledge of the hardcoded key. The vulnerability is straightforward to exploit once the key is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.19.0.0
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-CVE-2025-5353-CVE-CVE-2025-22463-CVE-2025-22455
Restart Required: Yes
Instructions:
1. Download Ivanti Workspace Control version 10.19.0.0 or later from the Ivanti portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart affected systems after installation completes.
🔧 Temporary Workarounds
Restrict Local Access
Windows: Limit local login access to Ivanti Workspace Control systems to only authorized administrators.
Database Access Controls
All platforms: Implement strict database access controls and network segmentation to limit potential damage from credential compromise.
🧯 If You Can't Patch
- Implement strict least privilege access controls on all systems running Ivanti Workspace Control
- Monitor database access logs for unusual activity from Ivanti Workspace Control systems
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti Workspace Control version in the application interface, or read the Version value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Ivanti\Workspace Control. Versions before 10.19.0.0 are affected.
Check Version:
reg query "HKLM\SOFTWARE\Ivanti\Workspace Control" /v Version
Verify Fix Applied:
Verify the version is 10.19.0.0 or higher after patching
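The version check above as a PowerShell script, added here as an example and not taken from Ivanti or the vendor advisory. The registry key and value name are the ones given on this page; the function name Get-IwcPatchStatus and the status labels are hypothetical. It compares versions numerically, because a plain string comparison would rank 10.9.0.0 above 10.19.0.0.

```powershell
# Added example. Fixed version comes from the advisory text on this page.
$FixedVersion = [version]'10.19.0.0'
# Registry key and value name as given on this page (not independently verified).
$RegPath   = 'HKLM:\SOFTWARE\Ivanti\Workspace Control'
$ValueName = 'Version'

# Hypothetical helper: classify a version string against the fixed version.
function Get-IwcPatchStatus {
    param([string]$VersionString)

    if ([string]::IsNullOrWhiteSpace($VersionString)) { return 'Unknown' }

    $parsed = $null
    # TryParse returns $false on malformed input instead of throwing.
    if (-not [version]::TryParse($VersionString.Trim(), [ref]$parsed)) {
        return 'Unknown'
    }

    # Missing components parse as -1 (e.g. '10.19'); treat them as 0 so that
    # '10.19' is not ranked below '10.19.0.0'.
    $normalized = [version]::new(
        $parsed.Major, $parsed.Minor,
        [Math]::Max($parsed.Build, 0), [Math]::Max($parsed.Revision, 0))

    # [version] compares component by component as integers.
    if ($normalized -ge $FixedVersion) { 'Patched' } else { 'Vulnerable' }
}

# Read the installed version; a missing key or value yields $null.
$item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
$installed = if ($item) { [string]$item.$ValueName } else { $null }

[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Version  = $installed
    Status   = if ($installed) { Get-IwcPatchStatus $installed } else { 'NotInstalledOrKeyMissing' }
}

# Constructed sample strings showing how the classifier treats edge cases.
'10.9.0.0', '10.18.40.0', '10.19', '10.19.0.0', 'not-a-version' | ForEach-Object {
    [pscustomobject]@{ Computer = '(constructed sample)'; Version = $_; Status = Get-IwcPatchStatus $_ }
}
```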
📡 Detection & Monitoring
Log Indicators:
- Unusual database access patterns from Ivanti Workspace Control systems
- Multiple failed login attempts to databases from Ivanti systems
Network Indicators:
- Unexpected database connections from Ivanti Workspace Control servers
- SQL protocol traffic from non-database servers
SIEM Query:
source="Ivanti-Workspace-Control" AND (event_type="database_access" OR event_type="credential_access")