- 102/2025
- Critical
Ivanti has released security updates to fix multiple vulnerabilities across several Ivanti products.
The addressed vulnerabilities could allow the attacker to escalate elevated privileges, access protected resources without proper credentials via the API, execute arbitrary code via crafted API requests, and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Ivanti Neurons for ITSM (on-premises only) Gain Access Vulnerability (CVE- 2025-22462):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Ivanti Cloud Services Application Privilege Escalation Vulnerability (CVE- 2025-22460):
- CVSS: 7.8
- Attack Vector: Local Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Privilege Escalation
The affected products:
- Ivanti Endpoint Manager Mobile 11.12.0.4 and prior.
- Ivanti Neurons for ITSM (on-prem only) versions 2023.4, 2024.2, and 2024.3.
- Ivanti Cloud Services Application 5.0.4 and prior.
It should be highlighted that Ivanti is aware that vulnerabilities “CVE-2025-4427” and “CVE-2025-4428” in Ivanti Endpoint Manager Mobile (EPMM) software are being exploited in the wild.
Vulnerabilities
- CVE-2025-4427
- CVE-2025-4428
- CVE-2025-22460
- CVE-2025-22462
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.