CVE-2025-22458 Overview
CVE-2025-22458 is a DLL hijacking vulnerability in Ivanti Endpoint Manager (EPM) that allows an authenticated local attacker to escalate privileges to SYSTEM. It affects Ivanti Endpoint Manager 2024 before SU1 and Ivanti Endpoint Manager 2022 before SU7. Because the component that loads the DLL runs as SYSTEM, a low-privileged foothold on an affected host can be converted into full control of it.
DLL hijacking vulnerabilities occur when an application loads a dynamic-link library without a fully qualified path, or from a location an attacker can write to, so that a malicious DLL carrying the expected file name is found in place of (or before) the legitimate one. When the process doing the loading runs as SYSTEM, as it does here, a file write the attacker can already perform as a low-privileged user becomes code execution with the highest privileges on the host.
Critical Impact
Authenticated attackers can leverage this DLL hijacking vulnerability to escalate privileges to System level, potentially gaining complete control over the affected endpoint and its data.
Affected Products
- Ivanti Endpoint Manager 2024 (all releases prior to SU1)
- Ivanti Endpoint Manager 2022 (all releases prior to SU7, including SU1 through SU6)
Publication Timeline
- 2025-04-08 - CVE-2025-22458 published to NVD, alongside Ivanti's April 2025 EPM security advisory
- 2025-05-17 - Last updated in NVD database
Technical Details for CVE-2025-22458
Vulnerability Analysis
This vulnerability is classified under CWE-427 (Uncontrolled Search Path Element), which describes a condition where an application searches for critical resources using an externally-controlled search path that could point to resources outside the intended scope. In the context of Ivanti Endpoint Manager, the application fails to properly validate or control the DLL search path, enabling attackers to inject malicious libraries.
The attack vector is local: the attacker must already be able to run code or write files on the target system as an authenticated, low-privileged user. From that position the attack complexity is low and no user interaction is required. Successful exploitation yields SYSTEM privileges, that is, a complete loss of confidentiality, integrity, and availability on the affected host.
Root Cause
The root cause of CVE-2025-22458 lies in improper DLL search path handling within Ivanti Endpoint Manager. When the application attempts to load certain dynamic-link libraries, it does not properly restrict the directories from which these libraries can be loaded. This allows an attacker to place a malicious DLL in a directory that appears earlier in the search path than the legitimate library location.
Windows resolves a DLL requested by file name alone (no path) by walking a fixed search order. With SafeDllSearchMode enabled, which is the default, that order is: the directory the application was loaded from, the system directory (System32), the 16-bit system directory (System), the Windows directory, the current working directory, and finally each directory listed in the PATH environment variable. A DLL planted in any directory that the attacker can write to and that is consulted before the directory holding the real library will be loaded instead. If the requested DLL does not exist on the system at all (a "phantom" DLL), every writable directory in the search path is a viable plant location. Developers close this hole by loading with fully qualified paths or by restricting the search path with SetDefaultDllDirectories or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32; since that fix belongs to the vendor, patching is the primary remediation for administrators.
Attack Vector
The attack requires local access to the system with authenticated user credentials. An attacker would typically:
- Identify directories in the DLL search path that are writable by the authenticated user
- Create a malicious DLL with the same name as a legitimately required library
- Place the malicious DLL in a directory that will be searched before the legitimate DLL location
- Trigger the vulnerable application to load the DLL (typically by waiting for, or causing, the privileged EPM component to start), so that the malicious code executes with SYSTEM privileges
No user interaction beyond the attacker's own authenticated session is required. When the privileged Ivanti Endpoint Manager process loads the planted DLL, its DllMain runs with SYSTEM privileges, crossing the user-to-SYSTEM boundary that the operating system's access controls are meant to enforce.
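The first step above, finding a search-path directory that a low-privileged user can write to, can be scripted. The following PowerShell is an added example written for this page, not code from Ivanti or from the advisory. It walks the default SafeDllSearchMode order for a process loaded from the EPM install directory (the default path used elsewhere on this page is an assumption; set it to the directory of the process you are assessing) and reports which directories the current user can write to and which machine PATH entries do not exist at all. Run it as the non-administrative account whose access you are assessing.

```powershell
# Added example for this page (not Ivanti's code): list the directories a privileged
# EPM process will consult when it loads a DLL by bare file name, and report which of
# them the current (non-administrative) user can write to. Run as that low-privileged user.
# $AppDir is the default EPM core install path used elsewhere on this page; it is an
# assumption and should be set to the directory of the process you are assessing.
param(
    [string]$AppDir = "C:\Program Files\LANDesk\ManagementSuite"
)

function Test-DirectoryWritable {
    # Probe by actually creating and deleting a file: reading ACLs alone is easy to get
    # wrong with inheritance and deny ACEs, the probe reflects the effective result.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, "probe")
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# Default search order when SafeDllSearchMode is enabled (the Windows default). The
# current directory is omitted: for a service it is normally System32, not the user's.
$searchOrder = @(
    [pscustomobject]@{ Stage = "1. Application directory";   Path = $AppDir },
    [pscustomobject]@{ Stage = "2. System directory";        Path = [Environment]::SystemDirectory },
    [pscustomobject]@{ Stage = "3. 16-bit system directory"; Path = (Join-Path $env:SystemRoot "System") },
    [pscustomobject]@{ Stage = "4. Windows directory";       Path = $env:SystemRoot }
)

# A SYSTEM service sees the machine PATH, not the interactive user's PATH.
$machinePath = [Environment]::GetEnvironmentVariable("Path", [EnvironmentVariableTarget]::Machine)
$i = 0
foreach ($dir in ($machinePath -split ";" | Where-Object { $_.Trim() -ne "" })) {
    $i++
    $expanded = [Environment]::ExpandEnvironmentVariables($dir.Trim().Trim('"'))
    $searchOrder += [pscustomobject]@{ Stage = "5. PATH entry $i"; Path = $expanded }
}

$findings = foreach ($entry in $searchOrder) {
    $exists   = Test-Path -LiteralPath $entry.Path -PathType Container
    $writable = $false
    if ($exists) { $writable = Test-DirectoryWritable -Path $entry.Path }
    [pscustomobject]@{
        Stage    = $entry.Stage
        Path     = $entry.Path
        Exists   = $exists
        Writable = $writable
    }
}

$findings | Format-Table -AutoSize

# A writable directory is a plant location for any DLL name the process requests that is
# not resolved earlier in the order. A PATH entry that does not exist is also notable:
# whoever can create that directory owns that search slot.
$findings | Where-Object { $_.Writable -or -not $_.Exists } | ForEach-Object {
    Write-Warning ("Review: {0} -> {1} (exists={2}, writable={3})" -f $_.Stage, $_.Path, $_.Exists, $_.Writable)
}
```

A writable or missing entry is only exploitable if a privileged EPM process actually requests a DLL by bare name that is not found earlier in the order. Identifying those names is a separate step, usually done with Sysinternals Process Monitor filtered on CreateFile operations for paths ending in .dll with result NAME NOT FOUND, or by reviewing Sysmon Event ID 7 records for the process.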
For detailed technical information regarding this vulnerability, refer to the Ivanti Security Advisory and the Full Disclosure posting.
Detection Methods for CVE-2025-22458
Indicators of Compromise
- Unexpected DLL files appearing in directories within the Ivanti Endpoint Manager installation path or system directories
- DLL files in the EPM installation tree that are unsigned, or whose Authenticode signature does not chain to Ivanti's (or, for system libraries, Microsoft's) signing certificate, or whose timestamps do not match the rest of the installation
- Evidence of DLL loading from non-standard directories in process monitoring logs
- New or modified DLL files in user-writable directories that are in the application's search path
Detection Strategies
- Enable DLL load monitoring through Event Tracing for Windows (ETW), most practically with Sysmon Event ID 7 (Image loaded) scoped to EPM processes, since ImageLoad logging is off by default and is high-volume when enabled globally
- Implement file integrity monitoring (FIM) on Ivanti Endpoint Manager installation directories and related system paths
- Configure endpoint detection and response (EDR) solutions to alert on DLL search-order hijacking (MITRE ATT&CK T1574.001) targeting endpoint management software
- Monitor for processes spawning with unexpected parent-child relationships involving Ivanti EPM components
Monitoring Recommendations
- Deploy SentinelOne's behavioral AI engine to detect anomalous DLL loading patterns and privilege escalation attempts
- Configure alerts for new DLL files created in directories associated with Ivanti Endpoint Manager
- Monitor Windows Security Event Logs with a file-system SACL on the EPM directories (Audit File System enabled) so that Event ID 4663 (object access) records writes of .dll files by non-administrator accounts; Event IDs 4672 and 4673 are poor signals for this vulnerability, because 4672 is logged for every logon that receives sensitive privileges (including every SYSTEM service logon) and 4673 requires the very noisy Sensitive Privilege Use auditing
- Implement continuous vulnerability scanning to identify unpatched Ivanti Endpoint Manager installations
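Putting the indicators and strategies above into a hunt query: the following PowerShell is an added example for this page (not Ivanti's or any vendor's code) that reads Sysmon Event ID 7 (Image loaded) records and flags DLLs loaded by processes under the EPM install directory that either come from outside the install tree and the Windows system directories, or carry no valid signature. It assumes Sysmon is running with an ImageLoad rule that includes EPM processes (a minimal rule is an ImageLoad include whose Image condition is "begin with" the EPM directory), and that the default install path, which is an assumption, matches your deployment.

```powershell
# Added example for this page (not Ivanti's or any vendor's code): hunt Sysmon Event ID 7
# (Image loaded) for DLLs loaded by Ivanti EPM processes from outside the EPM install tree
# and the Windows system directories, or without a valid Authenticode signature.
# Assumes Sysmon with an ImageLoad rule covering EPM processes (ImageLoad is off by default),
# and that $EpmDir (the default install path used on this page) matches your deployment.
param(
    [string]$EpmDir = "C:\Program Files\LANDesk\ManagementSuite",
    [int]$Hours = 24
)

# Directories a legitimate EPM DLL load is expected to come from. Extend this list for
# runtimes your deployment actually uses rather than suppressing the finding.
$trustedRoots = @(
    $EpmDir,
    [Environment]::SystemDirectory,               # C:\Windows\System32
    (Join-Path $env:SystemRoot "SysWOW64"),
    (Join-Path $env:SystemRoot "WinSxS"),          # side-by-side assemblies
    (Join-Path $env:SystemRoot "Microsoft.NET"),
    (Join-Path $env:SystemRoot "assembly")         # Global Assembly Cache
) | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-SysmonField {
    # Sysmon writes <Data Name="Field">value</Data> elements under EventData.
    param([System.Xml.XmlElement]$EventData, [string]$Name)
    ($EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-UnderRoot {
    param([string]$Path, [string[]]$Roots)
    foreach ($root in $Roots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$events = Get-WinEvent -FilterHashtable @{
    LogName   = "Microsoft-Windows-Sysmon/Operational"
    Id        = 7
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Sysmon Event ID 7 records in the window; check that ImageLoad logging is enabled for EPM processes."
    return
}

$epmRoot = @($EpmDir.TrimEnd('\') + '\')

$suspicious = foreach ($e in $events) {
    $data        = ([xml]$e.ToXml()).Event.EventData
    $image       = Get-SysmonField $data "Image"            # process performing the load
    $imageLoaded = Get-SysmonField $data "ImageLoaded"      # DLL that was mapped
    $signed      = Get-SysmonField $data "Signed"           # "true" / "false"
    $sigStatus   = Get-SysmonField $data "SignatureStatus"  # "Valid" when the chain verifies
    $signer      = Get-SysmonField $data "Signature"        # subject of the signing certificate

    # Only loads performed by binaries in the EPM install tree are in scope.
    if (-not (Test-UnderRoot -Path $image -Roots $epmRoot)) { continue }

    $fromTrusted  = Test-UnderRoot -Path $imageLoaded -Roots $trustedRoots
    $badSignature = ($signed -ne "true") -or ($sigStatus -ne "Valid")
    if ($fromTrusted -and -not $badSignature) { continue }

    $reason = if (-not $fromTrusted) { "loaded from outside trusted directories" } else { "unsigned or invalid signature" }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Process   = $image
        Dll       = $imageLoaded
        Signed    = $signed
        SigStatus = $sigStatus
        Signer    = $signer
        Reason    = $reason
    }
}

$suspicious | Sort-Object Time | Format-Table -AutoSize
```

Expect some benign hits, for example runtime DLLs under other Program Files paths; add those locations to $trustedRoots rather than discarding the query. The high-fidelity signal is an unsigned DLL loaded from a user-writable directory by a SYSTEM-level EPM process, which is exactly the sequence this vulnerability produces.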
How to Mitigate CVE-2025-22458
Immediate Actions Required
- Upgrade Ivanti Endpoint Manager 2024 to version SU1 or later immediately
- Upgrade Ivanti Endpoint Manager 2022 to version SU7 or later if using the 2022 release
- Audit user permissions on directories within the Ivanti Endpoint Manager installation path and restrict write access
- Review authenticated user accounts for any unauthorized access or suspicious activity
Patch Information
Ivanti has released security updates to address this vulnerability. Organizations should apply the following patches based on their deployment:
- Ivanti Endpoint Manager 2024: Update to Service Update 1 (SU1) or later
- Ivanti Endpoint Manager 2022: Update to Service Update 7 (SU7) or later
Detailed patch information and download links are available in the Ivanti Security Advisory for EPM April 2025.
Workarounds
- Restrict write permissions on all directories in the Ivanti Endpoint Manager installation tree to administrators and SYSTEM only; because the hijackable location may be any directory in the DLL search path, also review machine PATH entries and other search-path directories on the core server for non-administrator write access
- Implement application control (allow-listing) so that only approved DLLs can load into Ivanti EPM processes
- Enable Windows Defender Application Control (WDAC) or AppLocker DLL rules to restrict DLL loading to approved publishers and locations; note that AppLocker does not enforce DLL rules until the DLL rule collection is explicitly enabled, and that its default rules allow everything under %PROGRAMFILES% and %WINDIR%, so a path-based default set will not stop a DLL planted in a writable subdirectory of those trees; prefer publisher rules
- Limit authenticated user access to endpoint management systems to only required personnel until patching is complete
# Example: remove write access for non-administrators on the Ivanti EPM install tree (run from an elevated PowerShell prompt). /inheritance:r drops every inherited ACE, so Users must be granted read/execute back or components that load files from here will break.
icacls "C:\Program Files\LANDesk\ManagementSuite" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
# Confirm the resulting ACL before relying on it
icacls "C:\Program Files\LANDesk\ManagementSuite"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.