- 79/2025
- High
Ivanti has released a security update to fix several vulnerabilities affecting multiple Ivanti products.
The addressed vulnerabilities could allow the attacker to conduct cross-site scripting attacks, obtain sensitive information, perform denial of service attacks, gain elevated privileges, or execute arbitrary code and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Ivanti Endpoint Manager Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2025-22466):
- CVSS: 8.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Gain Privileges
2. Ivanti Endpoint Manager SQL Injection Vulnerability (CVE-2025-22461):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
The affected products:
- Ivanti Endpoint Manager EPM version “2022 SU6” and previous.
- Ivanti Endpoint Manager EPM version “2024”.
Vulnerabilities
- CVE-2025-22464
- CVE-2025-22465
- CVE-2025-22466
- CVE-2025-22458
- CVE-2025-22459
- CVE-2025-22461
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.