CVE-2025-6996
📋 TL;DR
This vulnerability in Ivanti Endpoint Manager allows a local authenticated attacker to decrypt other users' passwords due to improper encryption implementation. It affects Ivanti EPM versions before 2024 SU3 and 2022 SU8 Security Update 1. Attackers with local access can potentially compromise administrative credentials.
💻 Affected Systems
- Ivanti Endpoint Manager
⚠️ Risk & Real-World Impact
Worst Case
Complete domain compromise through privilege escalation, lateral movement across the network, and credential theft leading to data exfiltration or ransomware deployment.
Likely Case
Local privilege escalation allowing attackers to gain administrative access to the EPM system and potentially other connected systems.
If Mitigated
Limited to isolated systems with strict access controls, where compromised credentials have minimal impact.
🎯 Exploit Status
Requires local authenticated access. The flaw stems from an improper encryption implementation, so exploitation is straightforward once local access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU3 or 2022 SU8 Security Update 1
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-July-2025-for-Ivanti-EPM-2024-SU2-and-EPM-2022-SU8
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the Ivanti support portal.
2. Apply the patch to all EPM servers.
3. Update all managed endpoints through the EPM console.
4. Restart affected systems as required.
🔧 Temporary Workarounds
Restrict Local Access
Limit local login access to EPM systems to authorized administrators only.
Network Segmentation
Isolate EPM systems from general user networks to reduce the attack surface.
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual local authentication attempts
- Deploy additional credential protection measures and regularly rotate administrative passwords
🔍 How to Verify
Check if Vulnerable:
Check the EPM version in the console: Settings > About. If the version is earlier than 2024 SU3 or 2022 SU8 Security Update 1, the system is vulnerable.
Check Version:
- On Windows: reg query "HKLM\SOFTWARE\Ivanti\Endpoint Manager" /v Version
- On Linux: check /opt/ivanti/epm/version.txt
Verify Fix Applied:
Confirm that the version shown in the EPM console is 2024 SU3, 2022 SU8 Security Update 1, or later.
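When the version check has to be repeated across many EPM servers, the registry output collected from each host can be assessed mechanically against the fixed releases named above. The following is an added example, not Ivanti's tooling and not part of the original advisory. It assumes the Version value is written in the human-readable form the advisory uses for releases ("2024 SU2", "2022 SU8 Security Update 1"); the `reg query` output embedded below is constructed for illustration, and the registry path is the one given in the verification step.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum fixed release per branch, taken from the advisory:
# 2024 branch fixed at SU3, 2022 branch at SU8 Security Update 1.
# Encoded as (service update, security update within that SU).
FIXED_MIN: Dict[int, Tuple[int, int]] = {
    2024: (3, 0),
    2022: (8, 1),
}

# Assumed version-string form, e.g. "2024 SU3" or "2022 SU8 Security Update 1".
# If the registry stores a different format, adapt this pattern.
VERSION_RE = re.compile(
    r"^\s*(?P<branch>\d{4})\s+SU(?P<su>\d+)"
    r"(?:\s+Security\s+Update\s+(?P<sec>\d+))?\s*$",
    re.IGNORECASE,
)

# Constructed sample of `reg query "HKLM\SOFTWARE\Ivanti\Endpoint Manager" /v Version`
# output; the registry path is from the advisory, the value is made up.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Ivanti\Endpoint Manager
    Version    REG_SZ    2024 SU2
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (branch, service_update, security_update), or None if not understood."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    sec = int(m.group("sec")) if m.group("sec") else 0
    return int(m.group("branch")), int(m.group("su")), sec


def is_vulnerable(text: str) -> Optional[bool]:
    """True if the version predates the fix for its branch, False if it is fixed.

    None means the string could not be parsed or the branch is not one the
    advisory lists, so a human has to decide.
    """
    parsed = parse_version(text)
    if parsed is None:
        return None
    branch, su, sec = parsed
    if branch not in FIXED_MIN:
        return None
    return (su, sec) < FIXED_MIN[branch]


def extract_reg_value(reg_output: str, value_name: str = "Version") -> Optional[str]:
    """Pull a REG_SZ value out of `reg query` output (name, type, data on one line)."""
    pattern = re.compile(
        r"^\s*" + re.escape(value_name) + r"\s+REG_SZ\s+(.+?)\s*$", re.MULTILINE
    )
    m = pattern.search(reg_output)
    return m.group(1) if m else None


def assess_hosts(reg_outputs: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> 'vulnerable' / 'fixed' / 'unknown' from collected reg query output."""
    status = {}
    for host, output in reg_outputs.items():
        version = extract_reg_value(output)
        verdict = is_vulnerable(version) if version else None
        status[host] = {True: "vulnerable", False: "fixed", None: "unknown"}[verdict]
    return status


if __name__ == "__main__":
    # Constructed inventory: one unpatched 2024 host and one patched 2022 host.
    inventory = {
        "EPM01": SAMPLE_REG_OUTPUT,
        "EPM02": SAMPLE_REG_OUTPUT.replace("2024 SU2", "2022 SU8 Security Update 1"),
    }
    for host, verdict in assess_hosts(inventory).items():
        print(f"{host}: {verdict}")
```

Versions from a branch the advisory does not name are reported as unknown rather than silently treated as fixed, which keeps the tool from giving false reassurance on hosts whose format or branch it does not recognise.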
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful local login
- Unusual process execution from EPM agent directories
- Access to credential storage locations by non-admin users
Network Indicators:
- Unusual outbound connections from EPM systems
- Credential dumping tools communicating with EPM agents
SIEM Query:
source="epm_logs" AND ((event_type="local_auth" AND user NOT IN admin_users) OR (process="*credential*" AND parent_process="epm_agent*"))
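The query above and the first log indicator (failed attempts followed by a successful local login) can be exercised against sample events before they are deployed to a SIEM. The following is an added example, not from the original advisory or from Ivanti; the key=value log lines are constructed for illustration and do not reproduce real EPM log output, and `ADMIN_USERS` stands in for the `admin_users` lookup the query refers to.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch
from typing import Dict, List

# Constructed sample events (chronological) in a simple key=value format.
# Not real Ivanti EPM log output.
SAMPLE_LOG = """\
ts=2025-07-10T09:00:01 source=epm_logs event_type=local_auth result=failure host=EPM01 user=jdoe
ts=2025-07-10T09:00:05 source=epm_logs event_type=local_auth result=failure host=EPM01 user=jdoe
ts=2025-07-10T09:00:09 source=epm_logs event_type=local_auth result=failure host=EPM01 user=jdoe
ts=2025-07-10T09:00:20 source=epm_logs event_type=local_auth result=success host=EPM01 user=jdoe
ts=2025-07-10T09:01:00 source=epm_logs event_type=local_auth result=success host=EPM01 user=epmadmin
ts=2025-07-10T09:02:00 source=epm_logs event_type=process_start host=EPM01 user=jdoe process=credential_reader.exe parent_process=epm_agent.exe
ts=2025-07-10T09:03:00 source=epm_logs event_type=process_start host=EPM01 user=epmadmin process=notepad.exe parent_process=explorer.exe
"""

# Assumed allow-list of accounts permitted to log on locally to EPM servers.
ADMIN_USERS = {"epmadmin", "svc_epm"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict (values carry no spaces in this format)."""
    event: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def matches_siem_rule(event: Dict[str, str], admin_users=ADMIN_USERS) -> bool:
    """Python equivalent of the advisory's SIEM query.

    The two OR branches are grouped explicitly so the source filter applies to
    both; the process/parent_process patterns use shell-style wildcards.
    """
    if event.get("source") != "epm_logs":
        return False
    non_admin_local_auth = (
        event.get("event_type") == "local_auth"
        and event.get("user") not in admin_users
    )
    suspicious_child = (
        fnmatch(event.get("process", ""), "*credential*")
        and fnmatch(event.get("parent_process", ""), "epm_agent*")
    )
    return non_admin_local_auth or suspicious_child


def failed_then_success(events, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Flag a successful local login preceded by >= threshold failures for the
    same host/user within the window (the advisory's first log indicator).
    Events must be in chronological order."""
    failures: Dict[tuple, List[datetime]] = {}
    alerts = []
    for ev in events:
        if ev.get("event_type") != "local_auth":
            continue
        key = (ev.get("host", ""), ev.get("user", ""))
        ts = datetime.fromisoformat(ev["ts"])
        # Keep only failures still inside the look-back window.
        recent = [t for t in failures.get(key, []) if ts - t <= window]
        if ev.get("result") == "failure":
            recent.append(ts)
            failures[key] = recent
        elif ev.get("result") == "success":
            if len(recent) >= threshold:
                alerts.append({"host": key[0], "user": key[1], "at": ev["ts"], "failures": len(recent)})
            failures[key] = []  # a successful login closes the sequence
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        if matches_siem_rule(ev):
            print("rule hit:", ev)
    for alert in failed_then_success(events):
        print("failed-then-success:", alert)
```

Because the query treats any non-administrator local logon as reportable, the allow-list has to be kept current as the "Restrict Local Access" workaround is applied; a stale list produces noise rather than missed detections, which is the safer failure mode here.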