CVE-2025-13662 Overview
CVE-2025-13662 affects the patch management component of Ivanti Endpoint Manager (EPM) prior to version 2024 SU4 SR1. The flaw stems from improper verification of cryptographic signatures [CWE-347]. A remote unauthenticated attacker can leverage this weakness to execute arbitrary code on the affected system. Exploitation requires user interaction, which constrains automated mass exploitation but remains viable through targeted social engineering. Ivanti published a fix in the December 2025 security advisory for EPM 2024.
Critical Impact
Successful exploitation enables arbitrary code execution by bypassing signature checks in the patch management workflow, undermining the integrity guarantees of the patching channel itself.
Affected Products
- Ivanti Endpoint Manager 2024 (base release)
- Ivanti Endpoint Manager 2024 SU1, SU2, SU3, SU3 Security Release 1
- Ivanti Endpoint Manager 2024 SU4 (fixed in 2024 SU4 SR1)
Discovery Timeline
- 2025-12-09 - CVE-2025-13662 published to the National Vulnerability Database (NVD)
- 2025-12-11 - Last updated in the NVD
Technical Details for CVE-2025-13662
Vulnerability Analysis
The vulnerability resides in the patch management component of Ivanti Endpoint Manager. This component is responsible for distributing and applying software patches across managed endpoints. Ivanti's advisory classifies the issue as improper verification of cryptographic signatures, mapped to [CWE-347].
When a signed artifact is processed by the patch management workflow, the component fails to correctly validate the cryptographic signature. An attacker who can supply a crafted artifact to the workflow can therefore present unsigned or tampered content that the component accepts as trusted. Because patch management routinely runs with elevated privileges to install software, the accepted content executes with those privileges.
The attack vector is local (AV:L) and requires user interaction (UI:R). The integrity, confidentiality, and availability impacts are all rated high, reflecting arbitrary code execution. Ivanti reports no public exploitation at the time of disclosure, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Root Cause
The root cause is a defect in the signature verification logic of the patch management component. Either the verification step is skipped under specific conditions, or the result of the verification is not authoritatively used to gate subsequent execution. This logic flaw allows untrusted artifacts to be processed as if they were signed by Ivanti.
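The two failure patterns named above (verification skipped under a condition the artifact controls, and a verification result that is only logged rather than used to gate execution) next to a hardened version. This is an added illustration, not Ivanti's code: an HMAC-SHA256 tag with a constructed key stands in for the real vendor signature so it runs offline.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor signing key; real patch artifacts use
# asymmetric signatures, but the control-flow defect is the same.
VENDOR_KEY = b"constructed-demo-key"


def make_artifact(payload: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Build a signed artifact: payload plus tag over the payload."""
    return {"payload": payload, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify(artifact: dict, key: bytes = VENDOR_KEY) -> bool:
    """Return True only if the tag matches the payload under the vendor key."""
    expected = hmac.new(key, artifact["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, artifact.get("sig", ""))


def apply_patch_vulnerable(artifact: dict, log: list) -> bool:
    """CWE-347 pattern: the check is skipped when the artifact carries a
    'prevalidated' flag, and when it does run, a failure is only logged."""
    if artifact.get("prevalidated"):      # flaw 1: skip decided by untrusted metadata
        ok = True
    else:
        ok = verify(artifact)
    if not ok:
        log.append("warning: signature check failed")  # flaw 2: result not used to gate
    log.append(f"executing {artifact['payload']!r}")   # runs regardless of ok
    return True


def apply_patch_fixed(artifact: dict, log: list) -> bool:
    """Hardened: nothing in the artifact can bypass verify(), and its result
    alone decides whether the payload is executed."""
    if not verify(artifact):
        log.append("rejected: signature invalid")
        return False
    log.append(f"executing {artifact['payload']!r}")
    return True
```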
Attack Vector
An attacker positions a malicious patch artifact in a location the EPM patch workflow consumes, then induces an administrator or user to trigger the workflow. Because signature validation is improper, the malicious artifact is treated as legitimate, and its embedded code executes in the context of the patch management process. See the Ivanti Security Advisory December 2025 for vendor-supplied details.
No verified public proof-of-concept code is available for CVE-2025-13662.
Refer to the Ivanti advisory for authoritative technical details.
Detection Methods for CVE-2025-13662
Indicators of Compromise
- Unexpected child processes spawned by Ivanti EPM patch management services on the core server or managed endpoints.
- Patch artifacts in EPM staging or distribution directories whose publisher does not match Ivanti's signing certificate.
- Modifications to EPM patch metadata or definition files outside of scheduled update windows.
Detection Strategies
- Inventory EPM deployments and flag any instance running a version below 2024 SU4 SR1.
- Monitor EPM service processes for execution of unsigned binaries, scripts, or DLLs loaded from patch staging paths.
- Correlate user-initiated patch deployment actions in EPM audit logs with subsequent process and file activity on targeted endpoints.
Monitoring Recommendations
- Forward EPM core server logs and Windows Sysmon process-creation events to a centralized analytics platform for retention and correlation.
- Alert on signature validation failures, certificate chain errors, or signature bypass warnings emitted by EPM components.
- Track outbound connections from EPM services to non-Ivanti destinations during patch operations.
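The second and first detection strategies above, applied to Sysmon-style process-creation events, as an added example that is not part of the original page. The EPM service binary names, the staging directory and the event records are all constructed placeholders; substitute the real names from your deployment.

```python
import json
from pathlib import PureWindowsPath

# Assumed names, not Ivanti's real binaries or paths: replace with the EPM
# patch service images and staging directories observed in your environment.
EPM_SERVICE_IMAGES = {"patchmgmt.exe", "ldpatchsvc.exe"}
STAGING_ROOTS = (PureWindowsPath(r"C:\ProgramData\EPM\PatchStaging"),)
TRUSTED_PUBLISHERS = {"Ivanti", "Microsoft Windows"}


def _under_staging(image: str) -> bool:
    p = PureWindowsPath(image)          # case-insensitive comparison on Windows paths
    return any(root in p.parents for root in STAGING_ROOTS)


def flag_suspicious_children(events):
    """Return (timestamp, image, reason) for every process-creation event in
    which an EPM patch service spawned an unsigned image, an image signed by
    a publisher outside the allowlist, or an image launched from staging."""
    hits = []
    for raw in events:
        ev = json.loads(raw)
        if ev.get("event") != "ProcessCreate":
            continue
        if PureWindowsPath(ev["parent"]).name.lower() not in EPM_SERVICE_IMAGES:
            continue                    # only children of the patch services matter
        reasons = []
        if not ev.get("signed", False):
            reasons.append("unsigned image")
        elif ev.get("publisher") not in TRUSTED_PUBLISHERS:
            reasons.append(f"untrusted publisher {ev.get('publisher')!r}")
        if _under_staging(ev["image"]):
            reasons.append("launched from patch staging path")
        if reasons:
            hits.append((ev["ts"], ev["image"], "; ".join(reasons)))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'{"ts":"2025-12-10T14:02:11Z","event":"ProcessCreate","parent":"C:\\Program Files\\EPM\\patchmgmt.exe","image":"C:\\Windows\\System32\\msiexec.exe","signed":true,"publisher":"Microsoft Windows"}',
    r'{"ts":"2025-12-10T14:02:19Z","event":"ProcessCreate","parent":"C:\\Program Files\\EPM\\patchmgmt.exe","image":"C:\\ProgramData\\EPM\\PatchStaging\\hotfix_4471.exe","signed":false}',
    r'{"ts":"2025-12-10T14:03:02Z","event":"ProcessCreate","parent":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\cmd.exe","signed":false}',
    r'{"ts":"2025-12-10T14:05:40Z","event":"ProcessCreate","parent":"C:\\Program Files\\EPM\\ldpatchsvc.exe","image":"C:\\Windows\\Temp\\update.exe","signed":true,"publisher":"Contoso Ltd"}',
    r'{"ts":"2025-12-10T14:05:41Z","event":"FileCreate","parent":"C:\\Program Files\\EPM\\ldpatchsvc.exe","image":"C:\\Windows\\Temp\\update.exe"}',
]
```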
How to Mitigate CVE-2025-13662
Immediate Actions Required
- Upgrade Ivanti Endpoint Manager 2024 to version 2024 SU4 SR1 or later as published in the December 2025 security advisory.
- Restrict access to the EPM core server and patch repositories to authorized administrators only.
- Audit recently deployed patches and verify their integrity against Ivanti's published hashes and signing certificate.
Patch Information
Ivanti released the fix in Endpoint Manager 2024 SU4 SR1. Customers running 2024 base, SU1, SU2, SU3, SU3 SR1, or SU4 must update. Full patch details are documented in the Ivanti Security Advisory December 2025.
Workarounds
- Limit which administrators can initiate patch deployment workflows until the upgrade is applied.
- Place the EPM core server behind network segmentation that restricts inbound access to administrative subnets.
- Disable or pause non-essential patch operations until version 2024 SU4 SR1 is installed and validated.
# Verify installed EPM version on the core server (PowerShell)
Get-ItemProperty 'HKLM:\SOFTWARE\LANDesk\ManagementSuite\Setup' |
Select-Object ProductVersion, ServiceUpdate
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.