CVE-2025-62387
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows authenticated attackers to read arbitrary data from the database. Organizations using Ivanti EPM versions before 2024 SU5 are affected. The attacker must have valid credentials to exploit this vulnerability.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive data including credentials, configuration details, and endpoint information, potentially leading to lateral movement and full system compromise.
Likely Case
Attackers with legitimate access could read sensitive database information, potentially exposing credentials, system configurations, or other protected data.
If Mitigated
With proper input validation and parameterized queries, the vulnerability would be prevented, limiting database access to authorized queries only.
🎯 Exploit Status
Requires authenticated access. SQL injection techniques are well documented, and tools such as sqlmap could potentially exploit this.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU5 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025
Restart Required: No
Instructions:
1. Download Ivanti Endpoint Manager 2024 SU5 or later from the Ivanti portal.
2. Follow the standard upgrade procedure outlined in Ivanti documentation.
3. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation on all user-supplied parameters that interact with the database
Database Access Restriction
Apply the principle of least privilege to database accounts used by Ivanti EPM
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Ivanti EPM servers
- Enable detailed SQL query logging and monitor for suspicious database activity
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version in the administration console or via the web interface
Check Version:
Check the version in Ivanti EPM web interface under Help > About
Verify Fix Applied:
Verify the version shows 2024 SU5 or later after applying the patch
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by successful authentication
- Unusual data access patterns from authenticated users
Network Indicators:
- Unusual database query traffic from Ivanti EPM servers
- Large data transfers from database to unexpected destinations
SIEM Query:
source="database_logs" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT *" OR query CONTAINS "INFORMATION_SCHEMA")
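The SIEM query above implemented as a small log scanner, added here as an example rather than anything shipped with Ivanti EPM or this advisory. It goes slightly beyond the literal query: keyword matching is case-insensitive and inline SQL comments are stripped first, so `UNION/**/SELECT` is not missed. The log line format and the sample entries are constructed assumptions, not real EPM audit output.

```python
import re

# Constructed sample database-audit log lines (assumed format, not real EPM output).
SAMPLE_LOGS = [
    '2025-10-14T10:01:02Z user=svc_epm query="SELECT name FROM devices WHERE id = 42"',
    '2025-10-14T10:01:09Z user=jdoe query="SELECT name FROM devices WHERE id = 42 UNION SELECT password FROM users"',
    '2025-10-14T10:02:11Z user=jdoe query="select table_name from information_schema.tables"',
    '2025-10-14T10:02:30Z user=jdoe query="SELECT 1 WHERE 1=1/**/UNION/**/SELECT username FROM users"',
    '2025-10-14T10:03:00Z user=svc_epm query="SELECT * FROM reports WHERE owner = 7"',
]

# Assumed log line layout: timestamp, user=<account>, query="<sql>"
LOG_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) query="(?P<query>.*)"$')

# Keywords taken from the advisory's SIEM query.
KEYWORDS = ("UNION", "SELECT *", "INFORMATION_SCHEMA")


def normalize(query):
    """Remove /* */ and -- comments, collapse whitespace, upper-case for matching."""
    q = re.sub(r"/\*.*?\*/", " ", query)
    q = re.sub(r"--.*$", " ", q)
    return " ".join(q.split()).upper()


def parse_line(line):
    """Return a dict with ts/user/query, or None if the line does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def matched_keyword(query):
    """Return the first advisory keyword found in the normalized query, else None."""
    q = normalize(query)
    for kw in KEYWORDS:
        if kw in q:
            return kw
    return None


def scan(lines):
    """Return (user, keyword, original_query) for every line the rule flags."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kw = matched_keyword(rec["query"])
        if kw is not None:
            hits.append((rec["user"], kw, rec["query"]))
    return hits
```

Expect `SELECT *` to fire on legitimate application queries as well, so review hits by account and by how often a given user triggers them rather than alerting on every match.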