CVE-2025-10918: CWE-276 Incorrect Default Permissions in Ivanti Endpoint Manager
Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allow a local authenticated attacker to write arbitrary files anywhere on disk.
AI Analysis
Technical Summary
CVE-2025-10918 is a vulnerability classified under CWE-276 (Incorrect Default Permissions) affecting the agent component of Ivanti Endpoint Manager versions before 2024 SU4. The vulnerability arises because the agent is deployed with insecure default file system permissions, allowing any local authenticated user with low privileges to write arbitrary files anywhere on the disk. This can lead to unauthorized modification or replacement of critical system or application files, potentially enabling privilege escalation, persistence, or disruption of services. The attack vector is local (AV:L), requiring low attack complexity (AC:L) and low privileges (PR:L), but no user interaction (UI:N). The scope is unchanged (S:U), and the impact affects integrity and availability (I:H, A:H), but not confidentiality (C:N). Although no public exploits have been reported yet, the vulnerability poses a significant risk in environments where endpoint agents are installed on multiple workstations or servers, especially in enterprise settings. The flaw is particularly concerning because endpoint management agents typically run with elevated privileges and have broad system access, amplifying the potential damage from arbitrary file writes. The vulnerability was reserved on 2025-09-24 and published on 2025-11-11, with no patch links currently available, indicating that remediation may still be pending or in progress. Organizations should monitor Ivanti advisories closely and prepare to deploy updates once available.
Potential Impact
For European organizations, this vulnerability presents a substantial risk to the integrity and availability of managed endpoints. Attackers with local access, such as disgruntled employees, contractors, or malware running with limited user privileges, could exploit this flaw to overwrite critical files, inject malicious code, or disrupt endpoint management functionality. This could cause widespread operational disruption or data loss, or facilitate further lateral movement and privilege escalation within corporate networks. Sectors with stringent regulatory requirements, such as finance, healthcare, and critical infrastructure, could face compliance violations and reputational damage if the flaw is exploited. The local access requirement somewhat limits remote exploitation but does not eliminate risk in environments where endpoint agents are deployed on shared or multi-user systems. Additionally, because no user interaction is needed, exploitation can be automated or stealthy once local access is obtained. The absence of known exploits in the wild currently reduces the immediate threat but does not preclude future attacks, especially as threat actors often reverse-engineer disclosed vulnerabilities.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Immediately audit and restrict file system permissions related to the Ivanti Endpoint Manager agent to ensure they follow the principle of least privilege, preventing unauthorized write access.
2) Limit local user accounts that have access to systems running the vulnerable agent, enforcing strict access controls and monitoring for unusual local activity.
3) Employ application whitelisting and integrity monitoring tools to detect unauthorized file modifications on endpoints.
4) Segment networks to reduce the risk of lateral movement from compromised local accounts.
5) Maintain up-to-date endpoint detection and response (EDR) solutions to identify suspicious behaviors related to file writes and privilege escalation attempts.
6) Monitor Ivanti's official channels for patches or updates addressing this vulnerability and prioritize timely deployment once available.
7) Conduct user training and awareness to reduce the risk of credential compromise that could lead to local access.
8) Consider temporary compensating controls such as disabling or limiting the agent's functionality on non-critical systems until a patch is applied.
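The first mitigation above (audit the agent's file system permissions for least privilege) is the one a defender can act on before a patch is available. The following PowerShell script is an added example written for this page; it is not Ivanti's tooling and not derived from the advisory. It walks the agent install tree and reports every Allow ACE that grants a write-capable right (create, replace, delete, change permissions or ownership, or a generic write/all mask) to a principal that every local authenticated user belongs to. The install path `C:\Program Files (x86)\LANDesk\LDClient` and the list of broad principals are assumptions; set `-AgentRoot` to the real path of your build and extend the principal list to match your environment.

```powershell
<#
Added example (not Ivanti's code): audit NTFS ACLs under the Endpoint Manager agent
install directory and report ACEs that give broad, low-privilege principals the ability
to write, replace or delete files. $AgentRoot is an assumed default; verify it locally.
#>
param(
    [string]$AgentRoot  = 'C:\Program Files (x86)\LANDesk\LDClient',   # assumed; adjust per install
    [string]$ReportPath = "$env:TEMP\ivanti-agent-acl-audit.csv"
)

# Groups that any local authenticated user is a member of. None of them should hold
# write rights on files belonging to a service that runs with elevated privileges.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'CREATOR OWNER'
)

# Raw ACCESS_MASK bits that allow creating, replacing or deleting files, or rewriting the
# ACL itself. Raw bits are used (rather than the FileSystemRights names) so that generic
# rights, which appear on some inherited directory ACEs, are caught as well.
$WriteBits = [ordered]@{
    WriteData_CreateFiles        = 0x2
    AppendData_CreateDirs        = 0x4
    WriteExtendedAttributes      = 0x10
    DeleteSubdirectoriesAndFiles = 0x40
    WriteAttributes              = 0x100
    Delete                       = 0x10000
    ChangePermissions            = 0x40000
    TakeOwnership                = 0x80000
    GENERIC_ALL                  = 0x10000000
    GENERIC_WRITE                = 0x40000000
}

function Get-RiskyAces {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $identity = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $identity) { continue }
        # FileSystemRights is an Int32-backed enum; the cast keeps generic bits intact.
        $rights = [int]$ace.FileSystemRights
        $hits = @($WriteBits.GetEnumerator() | Where-Object { ($rights -band $_.Value) -ne 0 }).Key
        if (-not $hits) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $identity
            Rights    = ($hits -join ',')
            Inherited = $ace.IsInherited
            Owner     = $acl.Owner
        }
    }
}

if (-not (Test-Path -LiteralPath $AgentRoot)) {
    throw "Agent root '$AgentRoot' not found; pass -AgentRoot with the install path for this build."
}

# Check the root plus every file and subdirectory: an explicit ACE on a single binary or
# configuration file matters as much as the inherited ACEs on the directory.
$targets  = @(Get-Item -LiteralPath $AgentRoot) +
            @(Get-ChildItem -LiteralPath $AgentRoot -Recurse -Force -ErrorAction SilentlyContinue)
$findings = @(foreach ($item in $targets) { Get-RiskyAces -Path $item.FullName })

if ($findings.Count -gt 0) {
    $findings | Sort-Object Path, Identity | Format-Table -AutoSize
    $findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    Write-Warning ("{0} write-capable ACE(s) for broad principals found; report written to {1}" -f $findings.Count, $ReportPath)
    exit 1
}
Write-Host "No broad-principal write access found under $AgentRoot"
exit 0
```

Run it from an elevated session so that every file's ACL is readable; a non-zero exit code makes it usable as a compliance check in a scheduled task or configuration-management run. Each finding should be confirmed against the agent's documented requirements before it is changed, since an endpoint agent may legitimately need a writable log or cache directory; where the write right is not required, `icacls "<path>" /remove:g "<principal>" /t` removes the granting ACE from that path and its children. Re-running the script afterwards (and after every agent upgrade, which can reset the ACLs) verifies that the least-privilege state holds.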
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: ivanti
- Date Reserved: 2025-09-24T15:26:22.638Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69135a44b36faa5b6c0e5fdd
Added to database: 11/11/2025, 3:46:12 PM
Last enriched: 11/18/2025, 4:21:38 PM
Last updated: 12/26/2025, 4:46:14 PM