High

RCE in Ivanti Endpoint Manager Patch Management Signature Verification

IdentifiersCVE-2025-13662CWE-347· Improper Verification of…

CVE-2025-13662 is a high-severity vulnerability in the patch management component of Ivanti Endpoint Manager (EPM) affecting versions prior to 2024 SU4 SR1. The flaw is caused by improper verification of cryptographic signatures, allowing untrusted content to be accepted as if it were validly signed. According to the provided content, a remote unauthenticated attacker can leverage this weakness to achieve arbitrary code execution. The issue is specifically associated with EPM patch management workflows and, based on the available reporting, exploitation requires user interaction, including scenarios involving import of untrusted configuration files.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in the Ivanti EPM environment. Because EPM is an enterprise endpoint management platform with broad administrative reach, compromise could enable an attacker to execute malicious code in a highly privileged management context, potentially facilitating downstream actions such as deployment of malicious software, modification of managed systems, persistence, and broader enterprise compromise. The provided content states that no active exploitation was known at disclosure time.

Mitigation

If you can’t patch tonight, do this now.

Primary mitigation is prompt patching. Until updates are applied, reduce exposure by preventing EPM from being internet-facing, restricting access to EPM management interfaces, and implementing strict network segmentation around the EPM server. Because exploitation requires user interaction and is associated with untrusted inputs, administrators should avoid importing untrusted configuration files or connecting to untrusted core servers, and only process patch-management content from trusted sources. Monitor EPM administrative activity and patch-management workflows for anomalous behavior.

Remediation

Patch, then assume compromise.

Upgrade Ivanti Endpoint Manager to version 2024 SU4 SR1 or later, as Ivanti released 2024 SU4 SR1 to remediate CVE-2025-13662. Organizations running earlier supported EPM releases should apply the vendor-supplied update immediately. If an environment is on an unsupported branch, such as EPM 2022 as referenced in the content, migration to a supported version is necessary because unsupported versions will not receive security fixes.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

IvantiEndpoint Managerapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

14 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

14 SOURCESView more in app

cso onlineNews

Dec 10, 2025

Hundreds of Ivanti EPM systems exposed online as critical flaw patched

A high-severity vulnerability in Ivanti Endpoint Manager that allows attackers to execute arbitrary code when users connect to an untrusted core server or import untrusted configuration files.

the hacker newsNews

Dec 10, 2025

Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws

A high-severity vulnerability in Ivanti Endpoint Manager's patch management component due to improper verification of cryptographic signatures, allowing remote code execution.

the hacker newsNews

Dec 10, 2025

Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws

Improper verification of cryptographic signatures in Ivanti Endpoint Manager patch management component allows remote unauthenticated attackers to achieve arbitrary code execution.

cyber security newsNews

Dec 9, 2025

Ivanti Security Update: Patch for Code Execution Vulnerabilities in Endpoint Manager

A high-severity vulnerability in Ivanti Endpoint Manager due to improper verification of cryptographic signatures in patch management, allowing arbitrary code execution if untrusted configuration files are imported.

+4 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity6

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-13662

NVD

nvd.nist.gov/vuln/detail/CVE-2025-13662

MITRE CWE · CWE-347

Improper Verification of Cryptographic Signature

Vendor Advisory

forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024