A high-severity vulnerability has been discovered in Ivanti Endpoint Manager, identified as CVE-2025-11622. This flaw allows a user who is already authenticated to a system to exploit an insecure data handling process to gain full administrative control. Successful exploitation could lead to data theft, system takeover, and further attacks across the network.

This vulnerability is an insecure deserialization flaw. The Ivanti Endpoint Manager application improperly validates serialized data from a local source. An authenticated attacker with low-level privileges can craft a malicious object and pass it to the application. When the application deserializes this object, it can trigger arbitrary code execution with the elevated permissions of the Endpoint Manager service, typically running as SYSTEM, leading to a full privilege escalation.

This vulnerability is rated as High severity with a CVSS score of 7.8. A successful exploit would allow an attacker to escalate local privileges to the highest level (SYSTEM/root) on an affected endpoint. This could lead to a complete compromise of the system's confidentiality, integrity, and availability. Potential consequences include the deployment of ransomware, theft of sensitive data, installation of persistent backdoors, and using the compromised machine as a pivot point to launch further attacks against the internal network.

Immediate Action: Apply vendor security updates to all affected Ivanti Endpoint Manager instances immediately. Prioritize patching on critical systems, servers, and endpoints accessible by a broad user base. After patching, review system and application logs for any unusual activity or access patterns that occurred prior to the update.

Proactive Monitoring: Monitor for signs of exploitation by looking for anomalous process creation originating from the Ivanti Endpoint Manager service (e.g., cmd.exe, powershell.exe). Review application event logs for deserialization errors or warnings. Utilize an Endpoint Detection and Response (EDR) solution to detect and alert on common privilege escalation techniques.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Enforce the principle of least privilege by restricting local login access on critical systems to only essential, trusted administrators.
• Use application control solutions (e.g., AppLocker) to prevent the Ivanti service from executing unauthorized applications or scripts.
• Ensure Host-Based Intrusion Prevention Systems (HIPS) are configured to block suspicious process behavior associated with privilege escalation.

Public Exploit Available: false

This high-severity vulnerability presents a significant risk of system compromise and requires immediate attention. The primary recommendation is to apply the vendor-provided security updates across all affected systems without delay. Although CVE-2025-11622 is not currently listed on the CISA KEV catalog, the potential for local privilege escalation makes it a critical vulnerability to remediate. Organizations should prioritize patching and implement the recommended monitoring controls to reduce their attack surface and detect potential exploitation attempts.