October 9, 2025

13 Unpatched Ivanti Endpoint Manager Zero-days Disclosed

Threat Research
Security Advisory
Kudelski Security Team

The Zero Day Initiative (ZDI) has publicly disclosed 13 unpatched zero-day vulnerabilities affecting Ivanti Endpoint Manager. These vulnerabilities were privately reported to Ivanti between June and November 2024, but released publicly after the vendor failed to provide patches within a timeline acceptable to ZDI. The two most critical bugs offer attackers unauthenticated remote code execution (ZDI-25-935) and escalation to SYSTEM-level privileges (ZDI-25-947), while the remaining 11 are post-authentication SQL injection flaws that could lead to further remote or arbitrary code execution. These vulnerabilities represent a significant risk as two or more could be chained together to achieve full system compromise.

Affected Systems and/or Applications

Ivanti Endpoint Manager: all currently supported versions, cloud and on-prem.

Technical Details / Attack Overview

The disclosed vulnerabilities consist of:

  • ZDI-25-935: An unauthenticated directory traversal vulnerability in the OnSaveToDB method that allows remote code execution with minimal user interaction. Attackers can exploit this by sending specially crafted HTTP requests that traverse directory structures to execute arbitrary code. No user interaction is required if the attacker has administrative credentials to the application.
  • ZDI-25-947: A deserialization vulnerability in the AgentPortal service that enables local privilege escalation to SYSTEM. This flaw occurs when the service processes untrusted data during deserialization operations.
  • 11 additional authenticated RCE vulnerabilities: Post-authentication SQL injection flaws which also enable remote code execution. These vulnerabilities exist in various functions within the Endpoint Manager application; check ZDI's published advisories (in references below) for further details.

Temporary Workarounds and Mitigations

Until official patches are released by Ivanti, recommended actions include:

  • Restrict internet access to Ivanti Endpoint Manager interfaces wherever possible.
  • Consider implementing a WAF or reverse proxy for further sanitization of requests to the EPM.
  • Restrict outbound connections from Ivanti servers to prevent potential command and control communications.
  • Ensure least privilege principles for all users interacting with Endpoint Manager.

What the Cyber Fusion Center is Doing

The CFC will continue monitoring the situation surrounding these vulnerabilities. Exploration of threat hunting possibilities is ongoing. An advisory update will be issued if new information becomes available that could further impact affected systems or require additional mitigation steps.
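One place such threat hunting can start, as an added example that is not from this advisory, from the CFC or from Ivanti: a Python check over IIS (W3C-format) web-server log lines that flags requests whose percent-decoded path or query contains a bare `..` segment, the shape of crafted HTTP request the ZDI-25-935 directory traversal is described as using. The log lines, client addresses and request paths below are constructed placeholders; the real Endpoint Manager endpoint paths are not given on this page.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log lines (fields: date time s-ip method uri-stem
# uri-query s-port username c-ip user-agent status). Paths are placeholders,
# not real Ivanti Endpoint Manager endpoints.
SAMPLE_LOG = """\
2025-10-09 10:00:01 10.0.0.5 GET /epm/status - 443 - 198.51.100.7 Mozilla/5.0+(Windows) 200
2025-10-09 10:00:02 10.0.0.5 POST /epm/example/save file=..%2F..%2Fwindows%2Fwin.ini 443 - 203.0.113.9 curl/8.0 200
2025-10-09 10:00:03 10.0.0.5 GET /epm/example/..%252F..%252Fetc - 443 - 203.0.113.9 curl/8.0 404
2025-10-09 10:00:04 10.0.0.5 GET /epm/example/report name=quarterly..report 443 - 198.51.100.7 Mozilla/5.0+(Windows) 200
"""

MAX_DECODE_ROUNDS = 3  # unwraps double/triple percent-encoding (%252F -> %2F -> /)

def normalize(raw: str) -> str:
    """Percent-decode until stable, then fold backslashes to '/' so '..\\' is seen too."""
    text = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text.replace("\\", "/")

def has_traversal(raw: str) -> bool:
    """True only if a whole segment is '..'; 'quarterly..report' is not a hit."""
    segments = re.split(r"[/&=?]", normalize(raw))
    return any(seg == ".." for seg in segments)

def parse_w3c_line(line: str):
    """Split one W3C log line into the fields the check needs; None for headers."""
    fields = line.split()
    if len(fields) < 11 or fields[0].startswith("#"):
        return None
    return {"time": f"{fields[0]} {fields[1]}", "method": fields[3],
            "path": fields[4], "query": fields[5], "client": fields[8],
            "status": fields[10]}

def find_traversal_attempts(log_text: str):
    """Return the parsed records whose path or query carries a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        if has_traversal(rec["path"]) or (rec["query"] != "-" and has_traversal(rec["query"])):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    for rec in find_traversal_attempts(SAMPLE_LOG):
        print(f"{rec['time']} {rec['client']} {rec['method']} {rec['path']} {rec['query']} -> {rec['status']}")
```

A 404 or 500 on a flagged request does not mean the attempt failed against a different handler, so treat every hit from an unexpected client as worth reviewing against the restricted-access list from the mitigations above.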

References
