SB2025101499 - Two vulnerabilities in Ivanti Endpoint Manager (EPM)

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2025-9713)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can trick the victim into performing certain actions and execute arbitrary code on the system.

2) Deserialization of Untrusted Data (CVE-ID: CVE-2025-11622)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insecure input validation when processing serialized data. A local user can pass specially crafted data to the application and execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

• https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US&_gl=1*8qa97e*_gcl_au*MjAyOTA3ODYxOC4xNzYwNDc1MTQy
• https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024