CVE-2025-62385
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated attackers to read arbitrary database data. Organizations using Ivanti EPM versions before 2024 SU5 are affected. The attacker must have valid credentials to exploit this vulnerability.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive configuration data, credentials, and endpoint information leading to lateral movement across the network.
Likely Case
Data exfiltration of endpoint management data, potentially exposing system configurations and asset information.
If Mitigated
Limited data exposure due to proper input validation and database permissions restricting access to sensitive tables.
🎯 Exploit Status
Requires authenticated access and SQL injection knowledge. No public exploit code was available at the time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU5 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025
Restart Required: No
Instructions:
1. Download Ivanti Endpoint Manager 2024 SU5 or later from the Ivanti portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard prompts.
5. Verify the successful upgrade in the EPM console.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation at the web application layer to sanitize input that reaches SQL queries
Database Permission Restriction
Apply the principle of least privilege to the database user accounts used by EPM
🧯 If You Can't Patch
- Implement network segmentation to restrict access to EPM management interface to authorized users only
- Enable detailed SQL query logging and monitor for unusual database access patterns
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version under Administration > About. If the version is earlier than 2024 SU5, the system is vulnerable.
Check Version:
In EPM console: Navigate to Administration > About to view version
Verify Fix Applied:
Verify that the version shown under Administration > About is 2024 SU5 or later. Controlled SQL injection test attempts should be blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by successful authentication
- Unexpected database read operations from EPM application user
Network Indicators:
- Unusual database connection patterns from EPM server
- Large data transfers from database to EPM application
SIEM Query:
source="epm_logs" AND (event="sql_error" OR event="database_query") AND (query CONTAINS "UNION" OR query CONTAINS "SELECT * FROM")
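The same detection logic as an added, stand-alone example (not from the advisory or from Ivanti): it parses constructed key=value log lines in a hypothetical EPM log format and keeps the source, event and query conditions grouped the way the SIEM query intends, so that a "SELECT * FROM" query from an unrelated source does not alert. It also matches the markers case-insensitively, which goes slightly beyond a literal CONTAINS.

```python
import re

# Constructed sample log lines in a hypothetical key="value" format;
# these are not real Ivanti EPM log output.
SAMPLE_LOGS = [
    'source="epm_logs" event="database_query" user="epm_app" query="SELECT name FROM devices WHERE id = 42"',
    'source="epm_logs" event="database_query" user="epm_app" query="SELECT name FROM devices WHERE id = 1 UNION SELECT pw FROM users"',
    'source="epm_logs" event="sql_error" user="epm_app" query="select * from credentials"',
    'source="other_app" event="database_query" user="svc" query="SELECT * FROM widgets"',
    'source="epm_logs" event="login" user="admin" query=""',
]

FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
EVENTS_OF_INTEREST = ("sql_error", "database_query")
SUSPICIOUS_MARKERS = ("UNION", "SELECT * FROM")


def parse_line(line):
    """Turn one key="value" log line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def is_suspicious(record):
    """Grouped conditions: source AND (event OR event) AND (marker OR marker)."""
    if record.get("source") != "epm_logs":
        return False
    if record.get("event") not in EVENTS_OF_INTEREST:
        return False
    query = record.get("query", "").upper()  # case-insensitive marker match
    return any(marker in query for marker in SUSPICIOUS_MARKERS)


def find_alerts(lines):
    """Return the parsed records that should raise an alert."""
    return [rec for rec in map(parse_line, lines) if is_suspicious(rec)]


def alerts_by_user(lines):
    """Count alerts per application user to spot a burst from one account."""
    counts = {}
    for rec in find_alerts(lines):
        user = rec.get("user", "unknown")
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for rec in find_alerts(SAMPLE_LOGS):
        print(rec["event"], rec["user"], rec["query"])
    print(alerts_by_user(SAMPLE_LOGS))
```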