CVE-2025-62384
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated attackers to read arbitrary database data. Organizations using Ivanti EPM versions before 2024 SU5 are affected. Attackers must have valid credentials to exploit this vulnerability.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive configuration data, credentials, and endpoint information leading to lateral movement and privilege escalation.
Likely Case
Unauthorized access to sensitive endpoint management data, configuration details, and potentially credential harvesting.
If Mitigated
Limited data exposure due to proper input validation and database permissions restricting accessible tables.
🎯 Exploit Status
Exploitation requires authenticated access and SQL injection knowledge. No public exploit code was available as of this analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU5 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025
Restart Required: No
Instructions:
1. Download Ivanti Endpoint Manager 2024 SU5 or later from the Ivanti portal.
2. Back up the current configuration.
3. Apply the update following Ivanti's upgrade documentation.
4. Verify successful installation.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation for database queries in custom integrations
Database Permission Restriction
Apply the principle of least privilege to database user accounts used by EPM
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EPM servers from untrusted networks
- Enforce strong authentication policies and monitor for suspicious authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version in the Administration Console under Help > About
Check Version:
Not applicable - check via the web interface or the Ivanti management console
Verify Fix Applied:
Confirm the version is 2024 SU5 or later and test that SQL injection payloads return errors instead of data
📡 Detection & Monitoring
Log Indicators:
- Unusual database query patterns
- Multiple failed SQL syntax attempts followed by successful complex queries
- Authentication logs showing unusual user behavior
Network Indicators:
- Unusual SQL query patterns in database traffic
- HTTP requests containing SQL keywords to EPM endpoints
SIEM Query:
source="epm_logs" AND (message="*sql*" OR message="*select*" OR message="*union*") AND NOT message="*normal*"