Ivanti Flaw Exploited, Posing 'Significant Threat'

One cybersecurity expert said the vulnerability requires immediate attention.

Edward Gately, Senior News Editor

October 3, 2024


A flaw in Ivanti's Endpoint Manager (EPM) has been exploited despite being identified and patched in May.

The Cybersecurity and Infrastructure Security Agency (CISA) has also added the Ivanti flaw to its Known Exploited Vulnerabilities Catalog. CISA adds to the catalog when there is clear action for affected organizations to take.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” the Agency said.

Ivanti sent us the following statement:

“Ivanti has updated a security advisory related to an Ivanti EPM vulnerability that Ivanti previously identified and patched on [May 21]. At the time of disclosure, there was no indication that any customers had been exploited as a result of this vulnerability, however, we have now confirmed limited exploitation. We strongly urge customers to ensure they are on the latest version, which is available through our standard download portal. The security and protection of our customers remain our top priority, and we are committed to supporting them.”

According to Bleeping Computer, multiple Ivanti vulnerabilities have been exploited as zero-day flaws in widespread attacks in recent months. These attacks targeted Ivanti’s VPN appliances, and ICS, IPS and ZTA gateways.

Exploiting Ivanti Flaw Could Have ‘Serious’ Consequences

Eric Schwake, director of cybersecurity strategy at Salt Security, said the Ivanti EPM vulnerability is currently being actively exploited and poses a significant threat that requires immediate attention.

“This is because it allows unauthenticated attackers to execute arbitrary code on unpatched systems, potentially giving them extensive control over affected devices and access to sensitive data,” he said. “Many organizations could be vulnerable due to the widespread use of Ivanti EPM, especially in enterprise environments.”


Exploiting this flaw could have serious consequences, such as data breaches, disruption of business operations and further compromise of internal systems, Schwake said.

“Organizations using Ivanti EPM should prioritize patching their systems immediately and conduct thorough security assessments to detect and mitigate potential compromise,” he said. “This situation emphasizes the critical importance of proactive vulnerability management and timely patching to protect against evolving threats. In an increasingly interconnected world, securing every IT asset, such as endpoints, applications and APIs, is paramount to maintaining a strong security posture.”

Jason Soroko, senior fellow at Sectigo, said the vulnerability in Ivanti EPM allows remote code execution via SQL injection, posing serious risk in enterprise environments.


“Attackers on the same network can fully compromise unpatched EPM systems, leading to broader control,” he said. “Although Ivanti patched this in May, a proof-of-concept exploit is public, and active exploitation is confirmed. Organizations must patch immediately, as failure to do so leaves systems vulnerable to arbitrary command execution and networkwide compromise. The risk is heightened by published attack methods and ongoing exploitation.”

 


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
