- 146/2025
- High
Ivanti has released security updates to fix several vulnerabilities across multiple Ivanti products.
The addressed vulnerabilities could allow the attacker to trigger denial of service attacks, perform server-side request forgery attacks, conduct carriage return line feed injection attacks, obtain sensitive information, or execute arbitrary code and gain access to the affected system.
Sample of the addressed vulnerabilities:
1. Ivanti Endpoint Manager Improper Encryption Implementation Vulnerability(CVE-2025-6995):
- CVSS: 8.4
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Obtain Information
2. Ivanti Endpoint Manager Mobile (EPMM) OS Command Injection Vulnerability (CVE-2025-6770):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
Affected Products:
- Ivanti Connect Secure.
- Ivanti Policy Secure.
- Ivanti Endpoint Manager Mobile.
- Ivanti Endpoint Manager.
Vulnerabilities
- CVE-2025-5450
- CVE-2025-5451
- CVE-2025-5463
- CVE-2025-5464
- CVE-2025-0292
- CVE-2025-0293
- CVE-2025-6770
- CVE-2025-6771
- CVE-2025-6995
- CVE-2025-6996
- CVE-2025-7037
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.