CVE-2025-5353
📋 TL;DR
A hardcoded cryptographic key in Ivanti Workspace Control allows local authenticated attackers to decrypt stored SQL database credentials. This affects all systems running Ivanti Workspace Control versions before 10.19.10.0. Attackers with local access can potentially compromise database authentication.
💻 Affected Systems
- Ivanti Workspace Control
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to SQL database credentials, leading to database compromise, data exfiltration, privilege escalation, and lateral movement within the network.
Likely Case
Local authenticated users decrypt SQL credentials to access databases they shouldn't have access to, potentially leading to data theft or unauthorized modifications.
If Mitigated
With proper network segmentation and database access controls, impact is limited to specific databases and contained within isolated segments.
🎯 Exploit Status
Exploitation requires local authenticated access but is technically simple once access is obtained. The hardcoded key makes decryption straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.19.10.0
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Workspace-Control-CVE-2025-5353-CVE-CVE-2025-22463-CVE-2025-22455
Restart Required: Yes
Instructions:
1. Download Ivanti Workspace Control version 10.19.10.0 or later from the Ivanti portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict Local Access
Windows: Limit local user access to systems running Ivanti Workspace Control to only trusted administrators.
Database Access Controls
All platforms: Implement strict database access controls and network segmentation to limit potential damage if credentials are compromised.
🧯 If You Can't Patch
- Implement strict principle of least privilege for local user accounts on affected systems
- Monitor database access logs for unusual activity from Workspace Control service accounts
🔍 How to Verify
Check if Vulnerable:
Check the installed version of Ivanti Workspace Control via Control Panel > Programs and Features or using PowerShell: Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Workspace Control*'} | Select-Object Name, Version
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*Workspace Control*'} | Select-Object Version
Verify Fix Applied:
Verify the version is 10.19.10.0 or higher using the same version check command. Also verify that SQL credentials are no longer stored with the vulnerable encryption method.
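The version check above can also be done from the registry, which avoids the MSI consistency check that querying Win32_Product triggers on every installed package. The following is an added example, not code from Ivanti or from the original page; the function name Test-WorkspaceControlPatched is hypothetical. It assumes the product registers a standard uninstall entry whose DisplayName matches the same '*Workspace Control*' pattern used above.

```powershell
# Added example: registry-based version check for CVE-2025-5353.
# Assumption: the product has an uninstall entry whose DisplayName matches
# '*Workspace Control*' (the pattern the page uses for Win32_Product).
function Test-WorkspaceControlPatched {
    [CmdletBinding()]
    param(
        # First fixed release according to the page.
        [version]$FixedVersion = '10.19.10.0',
        [string]$NamePattern = '*Workspace Control*'
    )

    # Standard per-machine uninstall keys (64-bit and 32-bit registry views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $entries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }

    foreach ($entry in $entries) {
        $parsed = $null
        # TryParse avoids a terminating error on unexpected DisplayVersion strings.
        $ok = [version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)

        # [version] compares each component numerically, so 10.19.9.0 is
        # correctly older than 10.19.10.0 (a plain string comparison is not).
        $status = if (-not $ok) { 'Unknown' }
                  elseif ($parsed -lt $FixedVersion) { 'Vulnerable' }
                  else { 'Patched' }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Name         = $entry.DisplayName
            Version      = $entry.DisplayVersion
            Status       = $status
        }
    }
}

Test-WorkspaceControlPatched | Format-Table -AutoSize
```

No output means no matching uninstall entry was found on the host; a Status of Unknown means the DisplayVersion string could not be parsed and should be checked by hand.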
📡 Detection & Monitoring
Log Indicators:
- Unusual database access from Workspace Control service accounts
- Multiple failed authentication attempts to SQL databases from unexpected sources
- Changes to Workspace Control configuration files
Network Indicators:
- Unexpected SQL database connections from Workspace Control hosts
- Database queries from unauthorized user accounts
SIEM Query:
(source="windows_security" EventID=4625 AND TargetUserName LIKE "%SQL%") OR (source="sql_server" EventCode=18456 AND LoginName LIKE "%WorkspaceControl%")