Threat Insight
Multiple Ivanti Vulnerabilities Disclosed by Zero Day Initiative
Zero Day Initiative (ZDI) has recently disclosed 13 vulnerabilities in Ivanti Endpoint Manager[1]. As of writing, none of the disclosed vulnerabilities has a CVE attached to it. Instead, the ZDI identifiers are used and referenced throughout this advisory.

ZDI-25-947:
This vulnerability allows local attackers to escalate privileges on affected installations of Ivanti Endpoint Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability[14].
The specific flaw exists within the AgentPortal service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM[14].
Because most of these vulnerabilities have the same result when exploited, we have bundled the information about the attack vector and exploit result.
❗All vulnerabilities listed below allow remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit all of these vulnerabilities.
❗All vulnerabilities, except ZDI-25-935, could allow an attacker to execute code in the context of the service account.
ZDI-25-935:
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file[2].
The specific flaw exists within the implementation of the OnSaveToDB method, which lacks proper validation of a user-supplied path prior to using it in file operations. If exploited, code can be executed in the context of the current user[2].
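The class of defect described for ZDI-25-935 is a file operation that trusts a caller-controlled path. The following is an added example, not code from Truesec, ZDI or Ivanti, of the check such a save routine needs: the untrusted name is joined to an allowed root, resolved so that ".." and symlink components collapse, and then required to still lie inside that root. The root directory and the function names are assumptions for illustration.

```python
from pathlib import Path

# Assumed root that the save routine may write beneath (placeholder, not an Ivanti path).
ALLOWED_ROOT = Path("/var/app/saved_files")


def resolve_save_path(user_supplied: str, root: Path = ALLOWED_ROOT) -> Path:
    """Return an absolute path under `root`, or raise ValueError.

    This is the validation a method like OnSaveToDB must perform before any
    file I/O: resolve the candidate path first (non-strict, so the target
    need not exist yet), then check containment against the resolved root.
    Checking the raw string for ".." is not enough, because symlinks and
    mixed separators can still lead outside the root after resolution.
    """
    if not user_supplied or "\x00" in user_supplied:
        raise ValueError("empty or NUL-containing path rejected")
    root_abs = root.resolve()
    # Strip a leading separator: otherwise an absolute input would replace the root on join.
    candidate = (root_abs / user_supplied.lstrip("/")).resolve()
    if candidate == root_abs:
        raise ValueError("path must name a file below the root, not the root itself")
    try:
        candidate.relative_to(root_abs)
    except ValueError:
        raise ValueError(f"path escapes allowed root: {user_supplied!r}") from None
    return candidate


def is_safe_save_path(user_supplied: str, root: Path = ALLOWED_ROOT) -> bool:
    """Boolean wrapper for callers that only need an accept/reject decision."""
    try:
        resolve_save_path(user_supplied, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("reports/2025/q1.xml", "../../etc/passwd", "reports/../../outside.txt"):
        print(f"{name!r}: {'accepted' if is_safe_save_path(name) else 'rejected'}")
```

Resolving before the containment check is the order that matters; a check performed on the unresolved string can be bypassed by a path that only escapes the root after normalisation.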
ZDI-25-936:
The specific flaw exists within the Report_Run2 class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[3].
ZDI-25-937:
The specific flaw exists within the Report_Run class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[4].
ZDI-25-938:
The specific flaw exists within the Report_RunPatch class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[5].
ZDI-25-939:
The specific flaw exists within the MP_VistaReport class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[6].
ZDI-25-940:
The specific flaw exists within the MP_QueryDetail class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[7].
ZDI-25-941:
The specific flaw exists within the implementation of the GetCountForQuery method. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[8].
ZDI-25-942:
The specific flaw exists within the MP_QueryDetail2 class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[9].
ZDI-25-943:
The specific flaw exists within the PatchHistory class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[10].
ZDI-25-944:
The specific flaw exists within the implementation of the DBDR class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[11].
ZDI-25-945:
The specific flaw exists within the MP_Report_Run2 class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[12].
ZDI-25-946:
The specific flaw exists within the Report_RunPatch class. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries[13].
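ZDI-25-936 through ZDI-25-946 all share one root cause: a user-supplied string is placed directly into SQL query text. The following added example, which is not code from Truesec, ZDI or Ivanti, shows that pattern beside its hardened form against an in-memory SQLite table constructed for the demonstration. The table, the function names and the probe string are assumptions; the point generalises to any driver that supports bound parameters. It also covers the case parameters cannot handle, a caller-chosen sort column, where an allow-list is the correct control.

```python
import sqlite3
from typing import List, Tuple

ALLOWED_SORT_COLUMNS = {"id", "name", "owner"}


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a report-query backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO reports (name, owner) VALUES (?, ?)",
        [("patch-summary", "alice"), ("vista-report", "bob"), ("query-detail", "alice")],
    )
    conn.commit()
    return conn


def run_report_unsafe(conn: sqlite3.Connection, report_name: str) -> List[Tuple[str, str]]:
    """Vulnerable pattern: the caller's string becomes part of the SQL text itself."""
    sql = "SELECT name, owner FROM reports WHERE name = '" + report_name + "'"
    return conn.execute(sql).fetchall()


def run_report_safe(conn: sqlite3.Connection, report_name: str) -> List[Tuple[str, str]]:
    """Hardened pattern: placeholder in the text, value bound as a parameter.

    The driver transmits the value as data, so quotes or operators inside it
    can only ever be compared against the column, never parsed as SQL.
    """
    sql = "SELECT name, owner FROM reports WHERE name = ?"
    return conn.execute(sql, (report_name,)).fetchall()


def run_report_sorted(conn: sqlite3.Connection, owner: str, sort_column: str) -> List[Tuple[str, str]]:
    """Identifiers cannot be bound, so a caller-chosen column is checked against an allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = f"SELECT name, owner FROM reports WHERE owner = ? ORDER BY {sort_column}"
    return conn.execute(sql, (owner,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    probe = "x' OR 'a'='a"  # a name containing a quote and an operator
    print("unsafe:", run_report_unsafe(db, probe))  # every row: the quote ended the literal
    print("safe:  ", run_report_safe(db, probe))    # no rows: the whole string was compared as data
    print("sorted:", run_report_sorted(db, "alice", "name"))
```

The unsafe function returns every row for the probe string because the embedded quote terminates the literal and the rest is evaluated as SQL; the safe function returns nothing because no report is literally named that. That difference is what the "lack of proper validation of a user-supplied string before using it to construct SQL queries" wording in each advisory refers to.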
CVE
ZDI-25-935
ZDI-25-936
ZDI-25-937
ZDI-25-938
ZDI-25-939
ZDI-25-940
ZDI-25-941
ZDI-25-942
ZDI-25-943
ZDI-25-944
ZDI-25-945
ZDI-25-946
ZDI-25-947
Affected Products
Ivanti Endpoint Manager
Recommended Actions
At the time of writing, no patches are available for the disclosed vulnerabilities. Therefore, it is essential to prioritize reducing exposure and monitor for early indicators of compromise.
Consider[15]:
- Restricting access to Ivanti Endpoint Manager interfaces from the internet, and using VPN and IP whitelisting wherever possible.
- Applying least privilege principles for all user accounts interacting with Endpoint Manager, and monitoring for unexpected account activity.
- Reviewing audit logs for anomalous SQL queries or process executions tied to Endpoint Manager services.
- Implementing WAF or reverse proxies with strict input validation to block malicious SQL injection attempts.
References
[1] https://www.zerodayinitiative.com/advisories/published/
[2] https://www.zerodayinitiative.com/advisories/ZDI-25-935/
[3] https://www.zerodayinitiative.com/advisories/ZDI-25-936/
[4] https://www.zerodayinitiative.com/advisories/ZDI-25-937/
[5] https://www.zerodayinitiative.com/advisories/ZDI-25-938/
[6] https://www.zerodayinitiative.com/advisories/ZDI-25-939/
[7] https://www.zerodayinitiative.com/advisories/ZDI-25-940/
[8] https://www.zerodayinitiative.com/advisories/ZDI-25-941/
[9] https://www.zerodayinitiative.com/advisories/ZDI-25-942/
[10] https://www.zerodayinitiative.com/advisories/ZDI-25-943/
[11] https://www.zerodayinitiative.com/advisories/ZDI-25-944/
[12] https://www.zerodayinitiative.com/advisories/ZDI-25-945/
[13] https://www.zerodayinitiative.com/advisories/ZDI-25-946/
[14] https://www.zerodayinitiative.com/advisories/ZDI-25-947/
[15] https://cyberinsider.com/zdi-drops-13-unpatched-ivanti-zero-days-enabling-remote-code-execution/