Tuesday, March 17, 2026

Critical Ivanti Endpoint Manager Bugs Let Hackers Write Files On Target Systems

Ivanti has issued a critical security advisory for its Endpoint Manager (EPM) product, urging users to patch immediately.

The update addresses three high-severity vulnerabilities that could enable local authenticated attackers to write arbitrary files anywhere on affected systems.

Disclosed on November 10, 2025, the flaws highlight ongoing risks in endpoint management software, where insecure configurations could lead to unauthorized data manipulation or escalation of privileges.

These issues come at a time when endpoint security remains a prime target for threat actors, especially in enterprise environments managing vast device fleets.

Ivanti emphasizes that no exploitation has been observed in the wild, thanks to its responsible disclosure program.

However, the potential for abuse underscores the need for swift remediation, particularly as older product branches reach end-of-life.

Vulnerability Breakdown and Potential Risks

The primary new vulnerability, CVE-2025-10918, stems from insecure default permissions in the EPM agent before version 2024 SU4.

Rated at CVSS 7.1 (High), it allows a local authenticated user to overwrite files across the disk (CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H; CWE-276).

This could facilitate privilege escalation, malware persistence, or data tampering without requiring initial elevated access.

Complementing this are two previously patched flaws from October 2025: CVE-2025-9713 and CVE-2025-11622. Both involve similar file-write capabilities, potentially chaining with other exploits to compromise entire networks.

Affected versions include EPM 2024 SU3 SR1 and earlier. Notably, the 2022 branch, which reached end of life in late October 2025, receives no further patches; users must upgrade to 2024 SU4 to mitigate risks.

The impact is severe for organizations that rely on EPM for unified endpoint management, IT services, and security.

Attackers could exploit these to deploy ransomware, steal sensitive data, or pivot laterally.

While the local authentication requirement limits remote threats, insider risks or prior compromises amplify the danger.

Ivanti credits security researcher Enrique Fernández Lorenzo (aka bighound) for discovering CVE-2025-10918, in line with its vulnerability disclosure policy.

Patching Guidance and Best Practices

Ivanti recommends downloading EPM 2024 SU4 from the Ivanti License System (ILS) portal, accessible via login. For support, users can log cases through the Success Portal.

Since no indicators of compromise (IoCs) are available yet, proactive scanning for vulnerable versions is advised. Organizations on EOL branches face heightened exposure and should prioritize migration.
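One way to triage an agent inventory against the versions named above, as an added example that is not from Ivanti or the original article. The CSV columns, the hostnames and the assumption that the inventory reports versions as labels like "2024 SU3 SR1" are hypothetical.

```python
import csv
import io
import re

FIXED = (2024, 4, 0)   # EPM 2024 SU4, the fixed release named in the article
EOL_BRANCH = 2022      # branch the article says receives no further patches

# Accepts labels such as "2024 SU3 SR1", "EPM 2024 SU4", "2022 su8".
_LABEL = re.compile(r"(?<!\d)(20\d{2})(?:\s+SU\s*(\d+))?(?:\s+SR\s*(\d+))?", re.I)

def parse_version(label):
    """Return (year, su, sr), or None when the label cannot be parsed."""
    m = _LABEL.search(label or "")
    if not m:
        return None
    year, su, sr = m.groups()
    return (int(year), int(su or 0), int(sr or 0))

def classify(label):
    v = parse_version(label)
    if v is None:
        return "unknown"          # never assume an unparsed host is patched
    if v >= FIXED:
        return "patched"
    if v[0] == EOL_BRANCH:
        return "vulnerable-eol"   # no patch coming; migrate to the 2024 branch
    return "vulnerable"

def triage(csv_text):
    """Map each status to the sorted hostnames in that state."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        report.setdefault(classify(row["epm_version"]), []).append(row["host"])
    return {status: sorted(hosts) for status, hosts in report.items()}

# Constructed sample inventory (hostnames, versions and columns are made up).
SAMPLE = """host,epm_version
ws-001,2024 SU4
ws-002,2024 SU3 SR1
ws-003,EPM 2022 SU8
ws-004,2024 SU3
ws-005,
srv-01,2024 SU4 SR1
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:15} {', '.join(hosts)}")
```

Hosts that land in "unknown" should be checked by hand rather than treated as patched.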

To detect potential issues, review agent logs for unauthorized file modifications. Ivanti states that it was not aware of any active exploitation before disclosure, but vigilance is key.

As endpoint tools evolve, regular updates and least-privilege principles remain essential defenses against such configuration flaws.

In summary, these bugs expose a critical weakness in file handling, but timely patching neutralizes the threat.

Ivanti’s rapid response reinforces the value of collaborative security research in safeguarding digital infrastructures.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
