CVE-2025-62383
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated attackers to read arbitrary database data. Organizations using Ivanti EPM versions before 2024 SU5 are affected, potentially exposing sensitive information stored in the database.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including credentials, configuration data, and sensitive organizational information leading to data breach and lateral movement.
Likely Case
Unauthorized access to sensitive data stored in the EPM database, potentially including endpoint information, user data, and system configurations.
If Mitigated
Limited data exposure due to proper input validation and database permissions, with only non-sensitive data accessible.
🎯 Exploit Status
Requires authenticated access to the EPM web interface. SQL injection techniques can be used to extract database information.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU5 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025
Restart Required: No
Instructions:
1. Download Ivanti Endpoint Manager 2024 SU5 or later from the Ivanti portal.
2. Follow standard Ivanti EPM upgrade procedures.
3. Verify successful installation and functionality.
🔧 Temporary Workarounds
Input Validation Enhancement (all)
Implement additional input validation on affected endpoints to filter SQL injection attempts.
Database Permission Restriction (all)
Limit database user permissions to the minimum required access for the EPM application.
🧯 If You Can't Patch
- Implement web application firewall (WAF) with SQL injection rules
- Restrict network access to EPM interface to authorized users only
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version in the administration console. If the version is earlier than 2024 SU5, the system is vulnerable.
Check Version:
Check Ivanti EPM console → Help → About or use Ivanti EPM command line tools
Verify Fix Applied:
Confirm that the version shows 2024 SU5 or later in the administration console, and test that SQL injection attempts are blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries from EPM application
- Multiple failed SQL query attempts
- Suspicious parameter values in web logs
Network Indicators:
- SQL error messages in HTTP responses
- Unusual database connection patterns from EPM server
SIEM Query:
source="epm_logs" AND ("sql" OR "database" OR "query") AND ("error" OR "exception" OR "injection")
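The following script is an added example (not part of this advisory or of Ivanti's tooling) that applies the SIEM query above and the "suspicious parameter values in web logs" indicator to a handful of constructed log lines. The log format, field names such as `source` and `msg`, and the SQL-metacharacter patterns are assumptions chosen for illustration; a real deployment would map them onto the actual EPM and web-server log schema.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Terms from the advisory's SIEM query:
#   source="epm_logs" AND (sql OR database OR query) AND (error OR exception OR injection)
# Matched as case-insensitive substrings, the way a free-text SIEM search behaves.
SQL_TERMS = ("sql", "database", "query")
ERROR_TERMS = ("error", "exception", "injection")

# Sequences that commonly appear in injection attempts inside parameter values.
# Used to implement the "suspicious parameter values in web logs" indicator.
SQL_META = re.compile(r"'|--|/\*|;|\bunion\s+select\b|\bor\s+\d+\s*=\s*\d+", re.IGNORECASE)

SOURCE_RE = re.compile(r'source="([^"]*)"')
REQUEST_RE = re.compile(r"\b(?:GET|POST|PUT|DELETE)\s+(\S+)")

# Constructed sample log lines (not real EPM output); the key=value layout is an assumption.
SAMPLE_LOGS = [
    'source="epm_logs" level=INFO msg="User alice logged in"',
    'source="epm_logs" level=ERROR msg="SqlException: Unclosed quotation mark after the character string"',
    'source="epm_logs" level=INFO msg="GET /EPM/api/devices?name=lab-01 200"',
    'source="epm_logs" level=INFO msg="GET /EPM/api/devices?name=lab-01%27%20UNION%20SELECT%201-- 500"',
    'source="other" level=ERROR msg="database query exception"',
]


def log_source(line):
    """Return the value of the source="..." field, or "" if absent."""
    m = SOURCE_RE.search(line)
    return m.group(1) if m else ""


def matches_siem_query(line):
    """True when the line satisfies the advisory's SIEM query."""
    if log_source(line) != "epm_logs":
        return False
    low = line.lower()
    return any(t in low for t in SQL_TERMS) and any(t in low for t in ERROR_TERMS)


def suspicious_params(line):
    """Return {param: [values]} for query-string values that contain SQL metacharacters.

    Only lines that carry an HTTP request line are inspected; values are URL-decoded
    by parse_qs before matching, so encoded payloads are still caught.
    """
    m = REQUEST_RE.search(line)
    if not m:
        return {}
    query = urlsplit(m.group(1)).query
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        bad = [v for v in values if SQL_META.search(v)]
        if bad:
            hits[name] = bad
    return hits


def analyze(lines):
    """Run both checks over a list of log lines and return the findings in order."""
    findings = []
    for i, line in enumerate(lines):
        reasons = []
        if matches_siem_query(line):
            reasons.append("siem_query")
        reasons += [f"suspicious_param:{p}" for p in suspicious_params(line)]
        if reasons:
            findings.append({"line": i, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f["line"], ", ".join(f["reasons"]), SAMPLE_LOGS[f["line"]])
```

On the sample input the SIEM terms catch the database exception line (line 1) but not the encoded UNION request (line 3), because that line contains none of the words "sql", "database" or "query"; the parameter check catches it instead. The two indicators therefore complement each other. Note that substring matching on "sql" or "query" is broad and will fire on benign hostnames or routine log messages, so the query should be tuned to the actual log fields before being used for alerting.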