    ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities

    By The Tech Guy | October 11, 2025

    Trend Micro’s Zero Day Initiative (ZDI) this week published 13 advisories describing unpatched vulnerabilities in Ivanti Endpoint Manager.

    One of the flaws allows local attackers to elevate their privileges and was reported to Ivanti in November 2024. The remaining 12 lead to remote code execution (RCE) and were reported in June 2025.

    While the vulnerabilities are technically not zero-days, ZDI flags all of the unpatched flaws it discloses as ‘0day’. ZDI’s advisories name the vulnerable component and provide a general description of the root cause, but do not contain any other technical details.

    No CVE identifier has been issued for these vulnerabilities, but ZDI notes that all of them are high-severity defects. The most severe of them has a CVSS score of 8.8, one has a CVSS score of 7.8, while the remaining 11 have CVSS scores of 7.2.

    According to ZDI, the local privilege escalation bug affects the Endpoint Manager’s AgentPortal service. It exists because user-supplied input is not properly validated, resulting in deserialization of untrusted data and code execution with System privileges.

    Also rooted in the lack of proper validation of user-supplied data, the RCE weaknesses were found in the product’s Report_RunPatch, MP_Report_Run2, DBDR, PatchHistory, MP_QueryDetail2, MP_QueryDetail, MP_VistaReport, and Report_Run classes, and in the GetCountForQuery and OnSaveToDB methods.

    For the first 11 of the RCE vulnerabilities, the improperly validated user-supplied input is used to construct SQL queries and could lead to arbitrary code execution in the context of the service account. Authentication is required to exploit all of them.

    For the last RCE issue (CVSS score of 8.8), an improperly validated user-supplied path is used in file operations, leading to code execution in the context of the user. Attackers can exploit the defect if they have admin credentials or if they can convince a user to open a malicious page or file.

    ZDI says Ivanti was notified of the first security hole in November 2024 and acknowledged it in January 2025. In July, the vendor notified ZDI that patches would be released in November.

    Regarding the RCE flaws, Ivanti initially said it would patch 10 of them in September, but then requested an extension until March 2026 for all 12, ZDI says.

    Per its disclosure policy, ZDI allows vendors 120 days to address vulnerabilities reported to them. If by the end of the deadline the vendor is unresponsive or does not provide a reasonable statement on why fixes have not been released, ZDI publishes a limited advisory on the reported security defect.

    “Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product,” ZDI notes for each of the bugs. Additional information can be found on ZDI’s published advisories page.

    “We have communicated to ZDI that the issues reported to Ivanti are complicated to fix and require additional time to resolve. We are in the middle of this work now, and we are looking at ways to further increase resources from other initiatives to accelerate this work,” an Ivanti spokesperson told SecurityWeek.

    The company’s representative also underlined that the security defects do not pose a significant risk to customers, as they are difficult to exploit.

    “An important part of Ivanti’s responsible disclosure is to try to ensure a fix is complete and cannot be circumvented before we disclose a vulnerability that has not been exploited in the wild. Our aim is to always balance speed with quality, with our customers’ security at the core of that decision,” the spokesperson said.

    *Updated with statement from Ivanti.
