CVE-2025-62390
📋 TL;DR
This SQL injection vulnerability in Ivanti Endpoint Manager (EPM) allows an authenticated attacker to read arbitrary data from the EPM database. Organizations running Ivanti EPM versions before 2024 SU5 are affected. The attacker must already hold valid EPM credentials, so the flaw is primarily a post-authentication data-exposure issue rather than a remote unauthenticated one.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
Ivanti Endpoint Manager (formerly LANDESK Management Suite) is a unified endpoint management platform used for device inventory, software distribution, patching and remote control; its core server stores configuration, device and account data in a SQL database, which is what this vulnerability exposes.
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive configuration data, credentials, and endpoint information leading to lateral movement and privilege escalation.
Likely Case
Unauthorized access to sensitive endpoint management data, configuration details, and potentially credential extraction.
If Mitigated
Limited data exposure: network segmentation and strict access controls shrink the set of accounts and hosts that can reach the vulnerable interface, which reduces the blast radius and the opportunities for lateral movement, though an attacker who already holds a valid account can still read whatever the injection exposes.
🎯 Exploit Status
Exploitation requires valid EPM credentials and the ability to craft SQL injection payloads against the affected interface. No public exploit code was available as of advisory publication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU5 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025
Restart Required: No
Instructions:
1. Download Ivanti Endpoint Manager 2024 SU5 or later from the Ivanti portal.
2. Follow the standard Ivanti EPM upgrade procedures.
3. Verify successful installation and functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to Ivanti EPM management interfaces to authorized administrative networks only.
Principle of Least Privilege
Review and minimize user accounts with administrative access to Ivanti EPM.
🧯 If You Can't Patch
- Deploy a web application firewall (WAF) with SQL injection protection rules in front of the EPM web tier. Treat this as a stopgap only: the attacker is already authenticated, and signature-based rules can be bypassed with encoding or comment tricks.
- Enable detailed logging and monitoring for suspicious database queries and for SQL error responses from the EPM application.
🔍 How to Verify
Check if Vulnerable:
Check Ivanti EPM version in administration console under Help > About.
Check Version:
No dedicated CLI command is documented; use the administration console (Help > About) or the version information in the core server's installation directory.
Verify Fix Applied:
Confirm version is 2024 SU5 or later in administration console.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL query patterns in database logs
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unusual database query traffic from EPM application servers
- SQL error messages in HTTP responses
SIEM Query (pseudo-query; `epm_logs` is a placeholder for your EPM log source, and the match is deliberately broad, so expect to tune it):
source="epm_logs" AND (message="*sql*" OR message="*database*" OR message="*query*") AND severity="ERROR"
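The pseudo-query above matches any error that mentions SQL and will be noisy. A more targeted check is to look at the web access logs of the EPM core server for injection probes tied to an authenticated account, which is what this vulnerability requires. The following is an added example written for this page, not code from Ivanti or from the advisory. It assumes the core server's web tier is IIS writing W3C-format logs with the eight fields shown; the log lines are constructed, and the URI paths (`/api/devices`, `/api/report`) are hypothetical placeholders rather than real EPM endpoints.

```python
"""Flag SQL injection probes in IIS W3C access logs and attribute them to accounts.

Added example (not from the advisory). Assumes IIS W3C logging with the fields:
date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines; the URI stems are hypothetical placeholders.
SAMPLE_LOG = """\
2025-10-15 10:01:02 10.0.0.5 admin GET /api/devices id=1042 200
2025-10-15 10:01:09 10.0.0.5 admin GET /api/devices id=1042'+OR+1=1-- 500
2025-10-15 10:01:15 10.0.0.5 admin GET /api/devices id=1042+UNION+SELECT+name,password+FROM+users 200
2025-10-15 10:02:40 10.0.0.7 jsmith GET /api/report name=Q3%20Summary 200
2025-10-15 10:03:01 10.0.0.5 admin GET /api/devices id=1042;WAITFOR+DELAY+'0:0:5'-- 200
"""

FIELDS = ["date", "time", "c_ip", "cs_username", "cs_method",
          "cs_uri_stem", "cs_uri_query", "sc_status"]

# Indicators typical of SQL injection probes against a SQL Server backend.
# Checked against the URL-decoded query string, case-insensitively.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*(or|and)\s+['\w]+\s*=\s*['\w]+", re.I),  # ' OR 1=1
    "union_select": re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),        # UNION SELECT
    "time_based": re.compile(r"\bwaitfor\s+delay\b", re.I),                 # blind, timing
    "comment_terminator": re.compile(r"(--|/\*)"),                           # trailing --
    "stacked_query": re.compile(r";\s*(drop|exec|xp_\w+|waitfor)", re.I),   # ; EXEC ...
}


def parse_line(line):
    """Split one W3C log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # IIS writes '-' for an empty query; '+' and %xx encode spaces and specials.
    raw = rec["cs_uri_query"]
    rec["decoded_query"] = "" if raw == "-" else unquote_plus(raw)
    return rec


def classify(decoded_query):
    """Return the names of every SQLi indicator present in the decoded query."""
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded_query)]


def scan(log_text):
    """Return one finding per request whose query string matches an indicator."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec["decoded_query"])
        if hits:
            findings.append({
                "line": lineno,
                "user": rec["cs_username"],
                "ip": rec["c_ip"],
                "status": rec["sc_status"],      # 5xx after a probe suggests a SQL error
                "patterns": hits,
                "query": rec["decoded_query"],
            })
    return findings


def suspicious_accounts(findings, threshold=2):
    """Authenticated (user, ip) pairs with at least `threshold` flagged requests."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["user"], f["ip"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"line {f['line']}: {f['user']}@{f['ip']} status={f['status']} "
              f"{f['patterns']} {f['query']!r}")
    print("accounts to review:", suspicious_accounts(found))
```

Because exploitation needs a valid login, the per-account aggregation in `suspicious_accounts` is the useful output: a single flagged request may be a false positive, but several from the same authenticated session, especially one followed by a 500 response, is worth an immediate look and a credential reset. Point `scan` at the real IIS log directory and extend `SQLI_PATTERNS` once you have observed the query shapes your EPM tenant legitimately produces.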