CVE-2025-6996 Overview
CVE-2025-6996 is a cryptographic vulnerability in the Ivanti Endpoint Manager (EPM) agent that allows local authenticated attackers to decrypt other users' passwords. The flaw stems from improper use of encryption within the EPM agent component, enabling privilege escalation through credential theft.
This vulnerability is classified as CWE-257 (Storing Passwords in a Recoverable Format), which indicates that the encryption implementation allows passwords to be recovered by unauthorized parties who have local access to the system.
Critical Impact
Local authenticated attackers can decrypt and recover passwords belonging to other users, potentially leading to lateral movement, privilege escalation, and unauthorized access to sensitive enterprise resources managed through Ivanti EPM.
Affected Products
- Ivanti Endpoint Manager 2024 (prior to SU3)
- Ivanti Endpoint Manager 2022 (prior to SU8 Security Update 1)
- Ivanti Endpoint Manager 2024 SU1 and SU2
Discovery Timeline
- July 8, 2025 - CVE-2025-6996 published to NVD
- July 11, 2025 - Last updated in NVD database
Technical Details for CVE-2025-6996
Vulnerability Analysis
The vulnerability exists within the Ivanti Endpoint Manager agent component, which is installed on managed endpoints throughout an enterprise environment. The core issue lies in how the agent handles password encryption—specifically, the encryption implementation allows passwords to be stored in a recoverable format.
When the EPM agent stores user credentials, it uses an encryption mechanism that can be reversed by any local authenticated user on the system. This means that an attacker with low-privilege access to a managed endpoint can potentially extract and decrypt passwords belonging to other users, including those with administrative privileges.
The scope of this vulnerability extends beyond the vulnerable component itself, as compromised credentials can be used to access other systems and resources within the enterprise environment.
Root Cause
The root cause of CVE-2025-6996 is the improper implementation of encryption for password storage within the Ivanti EPM agent. Rather than using proper one-way hashing or implementing encryption with appropriate key management and access controls, the agent stores passwords in a format that can be decrypted by local users.
This typically occurs when:
- Symmetric encryption keys are stored alongside encrypted data or in predictable locations
- Encryption keys are derived from static or easily obtainable values
- The encryption algorithm or mode of operation is not appropriate for credential protection
- Access controls on encrypted credential stores are insufficient
Attack Vector
The attack requires local access to a system running the vulnerable Ivanti EPM agent. An attacker would need to:
- Gain authenticated access to a managed endpoint (even with low privileges)
- Locate the stored encrypted passwords within the EPM agent's data stores
- Extract the encryption key or exploit the weak encryption implementation
- Decrypt passwords belonging to other users on the system or within the EPM infrastructure
The vulnerability requires local access and low-privilege authentication but does not require user interaction, making it exploitable whenever an attacker establishes a foothold on a managed endpoint. The impact extends across security boundaries, as compromised credentials can provide access to resources beyond the initially compromised system.
Detection Methods for CVE-2025-6996
Indicators of Compromise
- Unusual file access patterns targeting EPM agent configuration or credential storage locations
- Unexpected processes reading EPM agent data files from low-privilege user contexts
- Evidence of credential extraction tools or scripts targeting Ivanti EPM components
- Anomalous authentication events using credentials from compromised EPM-managed endpoints
Detection Strategies
- Monitor file system access to Ivanti EPM agent installation directories and data stores
- Implement behavioral detection for processes attempting to read or copy EPM credential files
- Deploy endpoint detection rules to identify known credential extraction techniques targeting EPM
- Correlate authentication events to detect credential reuse across multiple systems following potential compromise
Monitoring Recommendations
- Enable detailed auditing on Ivanti EPM agent installation and configuration directories
- Configure security monitoring for lateral movement patterns originating from EPM-managed endpoints
- Establish baseline behavior for EPM agent processes and alert on deviations
- Monitor for bulk or unusual authentication attempts using credentials associated with EPM-managed systems
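The two detection ideas above (reads of EPM agent files from low-privilege user contexts, and one account authenticating to many hosts in a short window) can be expressed as a small correlation pass over normalized Windows Security events. This is an added example, not Ivanti tooling or content from the original page; the event records are constructed, the allow-list of trusted subjects and the reuse thresholds are assumptions, and only the agent directory path comes from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of normalized Windows Security events (not real telemetry).
# 4663 = object access on an audited path; 4624 = successful logon.
EPM_DIR = r"C:\Program Files\LANDesk\ManagementSuite"
TRUSTED_SUBJECTS = {"NT AUTHORITY\\SYSTEM", "CORP\\epm-svc"}  # assumed allow-list

EVENTS = [
    {"ts": "2025-07-12T09:00:01", "id": 4663, "host": "WS01", "subject": "NT AUTHORITY\\SYSTEM",
     "object": EPM_DIR + r"\agent.cfg", "access": "ReadData"},
    {"ts": "2025-07-12T09:05:10", "id": 4663, "host": "WS01", "subject": "CORP\\jdoe",
     "object": EPM_DIR + r"\creds.dat", "access": "ReadData"},
    {"ts": "2025-07-12T09:06:00", "id": 4624, "host": "WS01", "account": "CORP\\jdoe", "logon_type": 2},
    {"ts": "2025-07-12T09:20:00", "id": 4624, "host": "SRV01", "account": "CORP\\admin1", "logon_type": 3},
    {"ts": "2025-07-12T09:21:30", "id": 4624, "host": "SRV02", "account": "CORP\\admin1", "logon_type": 3},
    {"ts": "2025-07-12T09:22:45", "id": 4624, "host": "SRV03", "account": "CORP\\admin1", "logon_type": 3},
    {"ts": "2025-07-12T09:23:10", "id": 4624, "host": "SRV04", "account": "CORP\\admin1", "logon_type": 3},
    {"ts": "2025-07-12T14:00:00", "id": 4624, "host": "SRV09", "account": "CORP\\admin1", "logon_type": 3},
]

def untrusted_epm_reads(events, trusted=TRUSTED_SUBJECTS):
    """4663 reads under the EPM agent directory by subjects outside the allow-list."""
    return [(e["host"], e["subject"], e["object"]) for e in events
            if e["id"] == 4663 and e["object"].lower().startswith(EPM_DIR.lower())
            and e["subject"] not in trusted]

def credential_reuse(events, window=timedelta(minutes=10), min_hosts=3):
    """Accounts whose network logons (type 3) reach >= min_hosts distinct hosts within `window`."""
    logons = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        if e["id"] == 4624 and e["logon_type"] == 3:
            logons[e["account"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    hits = {}
    for acct, seq in logons.items():
        for i, (t0, _) in enumerate(seq):  # slide a window starting at each logon
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[acct] = max(hits.get(acct, set()), hosts, key=len)
    return hits

if __name__ == "__main__":
    for hit in untrusted_epm_reads(EVENTS):
        print("EPM agent file read by untrusted subject:", hit)
    for acct, hosts in credential_reuse(EVENTS).items():
        print("possible credential reuse:", acct, sorted(hosts))
```

In production the same functions would be fed from a SIEM query or Get-WinEvent export rather than the inline list; the SYSTEM read and the single afternoon logon are included to show what the rules correctly ignore.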
How to Mitigate CVE-2025-6996
Immediate Actions Required
- Update Ivanti Endpoint Manager 2024 installations to SU3 or later
- Update Ivanti Endpoint Manager 2022 installations to SU8 Security Update 1 or later
- Audit systems running vulnerable EPM agent versions for signs of compromise
- Rotate passwords for accounts that may have been exposed through vulnerable EPM agents
Patch Information
Ivanti has released security updates to address this vulnerability in both the 2024 and 2022 product lines. Organizations should apply the following patches:
- Ivanti Endpoint Manager 2024: Upgrade to Security Update 3 (SU3) or later
- Ivanti Endpoint Manager 2022: Upgrade to SU8 Security Update 1 or later
For detailed patching instructions and download links, refer to the Ivanti Security Advisory for July 2025.
Workarounds
- Restrict local access to systems running the EPM agent to trusted users only
- Implement additional access controls on EPM agent data directories and files
- Enable enhanced monitoring on managed endpoints pending patch deployment
- Consider temporarily isolating critical systems running vulnerable EPM agent versions until patches can be applied
# Restrict access to EPM agent directories (Windows example; run from an elevated PowerShell prompt)
# Step 1 stops inheriting the parent ACL and copies the current ACEs, so step 2 only removes the Users grant.
icacls "C:\Program Files\LANDesk\ManagementSuite" /inheritance:d
icacls "C:\Program Files\LANDesk\ManagementSuite" /remove:g "Users"
# Confirm the agent still operates normally on a test host before applying this broadly.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.