CVE-2025-62389
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager allows an authenticated attacker to read arbitrary data from the EPM database. Organizations running Ivanti EPM versions before 2024 SU5 are affected. Valid EPM credentials are required, so the practical exposure is any user account that can reach the management interface, not the open internet.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
Ivanti Endpoint Manager (EPM) is an endpoint management platform: a central core server that inventories managed Windows, macOS and Linux devices and handles their configuration, patching and software distribution. Its database therefore holds device inventories, configuration data and credentials used to manage endpoints.
⚠️ Risk & Real-World Impact
Worst Case
Read access to the entire EPM database, including sensitive configuration data, stored credentials and endpoint inventory, which an attacker can use for lateral movement to managed endpoints across the network.
Likely Case
Data exfiltration of endpoint management data, potentially exposing system configurations and asset information.
If Mitigated
Limited data exposure: the injected query runs with the permissions of the EPM application's database account, so a least-privilege database account and network segmentation of the core server restrict what the attacker can reach.
🎯 Exploit Status
Requires authenticated access to the EPM interface and SQL injection knowledge. No public exploit code is available at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU5 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025
Restart Required: No
Instructions:
1. Back up the current EPM core server configuration and database.
2. Download Ivanti Endpoint Manager 2024 SU5 or later from the Ivanti portal.
3. Run the installer with administrative privileges on the core server.
4. Verify the update completed successfully by confirming the version reported in the console (Help > About).
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the Ivanti EPM management interface to authorized administrative networks only.
Principle of Least Privilege
Review and minimize the user accounts that can reach the EPM interface, so that only necessary personnel hold accounts there. Because exploitation requires valid credentials, every unnecessary account is attack surface for this flaw.
🧯 If You Can't Patch
- Place a web application firewall (WAF) with SQL injection rules in front of the EPM interface. This is a stopgap: WAF signatures can be evaded and the injection remains in the application until it is patched.
- Enable database auditing on the EPM database and monitor for unusual SQL query patterns, such as UNION-based queries, queries against system catalog tables, or SQL syntax errors generated by the application account.
🔍 How to Verify
Check if Vulnerable:
Check Ivanti EPM version in the web interface under Help > About or via command line: epm version
Check Version:
epm version
Verify Fix Applied:
Verify version is 2024 SU5 or later in the web interface or via command line
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed login attempts followed by successful authentication
Network Indicators:
- Unusual database query traffic from EPM application servers
- Large data transfers from EPM database
SIEM Query:
source="epm_logs" AND ("union select" OR "' or " OR "information_schema" OR "waitfor delay" OR "sql syntax" OR "sqlexception")
The terms above are a starting point for SQL injection probing and the database errors it produces; tune the field names and keywords to the log source actually collected from the EPM core server.
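As an added example (not part of the advisory and not Ivanti's code), the following Python script shows the detection logic behind the log indicators above, and behind the "monitor for unusual SQL query patterns" workaround, applied to request logs. It parses a handful of constructed log lines, decodes each query parameter, and flags values that carry SQL injection structure (UNION SELECT, quote-closing tautologies, time-based probes, catalog table names, comment terminators), then pivots on the authenticated user, since this flaw requires a valid account. The log format, the `/api/devices` path, and the user names are assumptions made for the example, not Ivanti EPM's real log layout or endpoints.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed log lines in a simplified "timestamp src user request status bytes"
# layout. The paths, users and format are illustrative assumptions, not the
# actual Ivanti EPM log format.
SAMPLE_LOG = [
    '2025-10-15T10:12:03Z 10.0.5.23 jdoe "GET /api/devices?name=LAPTOP-01 HTTP/1.1" 200 812',
    '2025-10-15T10:12:09Z 10.0.5.23 jdoe "GET /api/devices?name=LAPTOP-01%27%20OR%201%3D1-- HTTP/1.1" 200 48211',
    '2025-10-15T10:12:15Z 10.0.5.23 jdoe "GET /api/devices?name=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 200 20310',
    '2025-10-15T10:13:40Z 10.0.7.9 asmith "GET /api/devices?name=O%27Brien-PC HTTP/1.1" 200 790',
    '2025-10-15T10:14:02Z 10.0.5.23 jdoe "GET /api/devices?name=x%27%3B%20WAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 802',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Indicator patterns applied to each decoded parameter value. A lone quote
# (O'Brien-PC) is not enough; every pattern needs SQL structure around it.
INDICATORS = {
    "union_select": re.compile(r"(?i)\bunion\b(\s+all)?\s+select\b"),
    "tautology":    re.compile(r"(?i)'\s*(or|and)\s+[\w']+\s*=\s*[\w']+"),
    "time_based":   re.compile(r"(?i)\bwaitfor\s+delay\b|\b(sleep|pg_sleep|benchmark)\s*\("),
    "schema_probe": re.compile(r"(?i)\b(information_schema|sysobjects|sys\.tables)\b"),
    "comment_term": re.compile(r"'.*?(--|/\*|;)"),  # quote closed, then comment/separator
}


def parse_line(line):
    """Split one constructed log line into fields; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def sqli_indicators(value):
    """Return the names of indicator patterns matched by one parameter value."""
    # Decode once more so double-encoded payloads (%2527 -> %27 -> ') are seen
    # after parse_qsl has already done the first decode.
    decoded = unquote_plus(value)
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


def scan(lines):
    """Return one finding per request whose query parameters carry SQLi indicators."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        hits = {}
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            names = sqli_indicators(value)
            if names:
                hits[param] = names
        if hits:
            findings.append({
                "ts": rec["ts"], "user": rec["user"], "src": rec["src"],
                "path": parts.path, "status": rec["status"],
                "bytes": rec["bytes"], "indicators": hits,
            })
    return findings


def suspects(findings, min_hits=2):
    """Accounts with at least min_hits flagged requests. Because exploitation
    needs valid credentials, the authenticated user is the pivot for response."""
    counts = Counter(f["user"] for f in findings)
    return {user: n for user, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} user={f['user']} src={f['src']} status={f['status']} "
              f"bytes={f['bytes']} {f['indicators']}")
    print("suspect accounts:", suspects(found))
```

The response size travels with each finding on purpose: the UNION request in the sample returns far more bytes than the baseline request for the same path, which is the "large data transfers" network indicator seen from the application side. Run the script against real access logs by replacing `SAMPLE_LOG` with lines in whatever format the collector emits and adjusting `LINE_RE`.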