Ivanti Endpoint Manager: Zero Day Initiative publishes 13 zero days
Ivanti EPM had been suffering from several serious vulnerabilities for months. The company wanted more than half a year to fix them.
Ivanti's Endpoint Manager (EPM) contained serious security vulnerabilities that the company has known about for months – and yet did not want to fix for another six months. This was too long for Trend Micro's Zero Day Initiative (ZDI) – which is now publishing the vulnerabilities as “zero days.” The list of bugs comprises eleven SQL injections, one directory traversal, and one deserialization of untrusted data.
Ivanti has no time, ZDI reacts
It is remarkable how the publication by the ZDI came about. The Zero Day Initiative is usually known for working with manufacturers rather than putting them under pressure with zero-day publications. In the current case, however, ZDI has evidently lost patience with Ivanti.
ZDI had already learned about the security vulnerabilities in May and June of this year. ZDI usually reports such findings to the manufacturer first, together with detailed instructions (a proof of concept). Ivanti, on the other hand, obviously did little initially to rectify the problems. In some cases, Ivanti notified ZDI of its intention to release updates in September but withdrew that plan a few days later. In other cases, the company initially did not respond at all.
At the end of July, Ivanti then asked ZDI to extend the deadline for fixing the thirteen vulnerabilities. And not by a few days or weeks – no, it would rather not remedy the situation until March 2026. Considering the impact of the bugs, this is an incomprehensible decision. Although all of them can only be exploited by registered users, they carry high risk as part of an exploit chain.
At the end of September, ZDI then decided to publish all vulnerabilities as “zero days” and followed that decision with action. Anyone using Ivanti Endpoint Manager should therefore be vigilant: although the terse security advisories on the ZDI site do not contain any details, exploit writers worldwide now at least know exactly where to look. Whether Ivanti will address the bugs in the short term, for example in the monthly security update expected in the next few days, is still unclear.
The vulnerabilities in detail:
- ZDI-CAN-26834: OnSaveToDB Directory Traversal Remote Code Execution Vulnerability, CVSS 8.8 (high)
- ZDI-CAN-25369: AgentPortal Deserialization of Untrusted Data Local Privilege Escalation Vulnerability, CVSS 7.8 (high)
- ZDI-CAN-26859: Report_RunPatch SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26857: MP_Report_Run2 SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26866: DBDR SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26865: PatchHistory SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26864: MP_QueryDetail2 SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26862: GetCountForQuery SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26861: MP_QueryDetail SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26860: MP_VistaReport SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26858: Report_RunPatch SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26856: Report_Run SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
- ZDI-CAN-26855: Report_Run2 SQL Injection Remote Code Execution Vulnerability, CVSS 7.2 (high)
CVE IDs for the vulnerabilities do not yet exist, so as an exception we are listing them by their ZDI-CAN numbers.
Ivanti vulnerabilities are among those that criminals include in their exploit kits, as successful attacks on them promise far-reaching access to networks. In May, for example, Ivanti reported active attacks on its EPMM product.
(cku)