CVE-2025-10918: CWE-276 Incorrect Default Permissions in Ivanti Endpoint Manager
Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allow a local authenticated attacker to write arbitrary files anywhere on disk.
AI Analysis
Technical Summary
CVE-2025-10918 is a vulnerability identified in the Ivanti Endpoint Manager agent component, affecting versions prior to 2024 SU4. The root cause is incorrect default permissions (CWE-276) configured on the agent, which allow local authenticated users to write arbitrary files anywhere on the disk. This misconfiguration can be exploited by an attacker with low-level local privileges to overwrite or create files that could lead to privilege escalation, persistence, or disruption of system operations. The vulnerability does not require user interaction and has a CVSS 3.1 base score of 7.1, indicating high severity. The attack vector is local (AV:L), with low attack complexity (AC:L) and low privileges required (PR:L). The scope is unchanged (S:U), meaning the impact is limited to the vulnerable component's privileges. The impact affects integrity (I:H) and availability (A:H) but not confidentiality (C:N). Although no public exploits are known, the vulnerability poses a significant risk due to the potential for arbitrary file writes, which can be leveraged for malicious payload deployment or system compromise. Ivanti Endpoint Manager is widely used for endpoint management and security in enterprise environments, making this vulnerability particularly concerning for organizations relying on it for device control and patch management. The vulnerability was reserved on 2025-09-24 and published on 2025-11-11, with no patch links currently available, indicating that remediation may be pending or in progress.
Potential Impact
For European organizations, the vulnerability presents a high risk to endpoint security and overall IT infrastructure integrity. Successful exploitation could allow attackers to implant malicious files, modify critical configurations, or disrupt endpoint management operations, potentially leading to broader network compromise or service outages. Organizations in sectors such as finance, healthcare, energy, and government, which heavily rely on endpoint management solutions for regulatory compliance and operational continuity, could face severe operational disruptions and reputational damage. The local attack vector means that insider threats or attackers who gain initial foothold on a device could escalate privileges or maintain persistence more easily. The lack of confidentiality impact reduces the risk of data leakage directly from this vulnerability, but the integrity and availability impacts could indirectly lead to data loss or exposure through subsequent attacks. Given the widespread use of Ivanti Endpoint Manager in European enterprises, the vulnerability could affect a large number of endpoints if not promptly addressed.
Mitigation Recommendations
1. Immediately inventory all Ivanti Endpoint Manager deployments and identify versions prior to 2024 SU4.
2. Apply vendor patches or updates as soon as they become available; monitor Ivanti advisories closely.
3. In the absence of patches, manually audit and correct file and directory permissions for the agent to restrict write access to authorized system accounts only.
4. Limit local user privileges on managed endpoints to prevent unauthorized file writes.
5. Implement endpoint detection and response (EDR) solutions to monitor for unusual file creation or modification activities.
6. Enforce strict access controls and use application whitelisting to prevent execution of unauthorized binaries.
7. Conduct regular security awareness training to reduce the risk of local compromise.
8. Review and tighten local authentication policies and consider multi-factor authentication for local access where feasible.
9. Maintain robust backup and recovery procedures to mitigate the impact of potential file tampering.
10. Monitor logs and alerts for signs of exploitation attempts or anomalous behavior related to the Ivanti agent.
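Step 3 asks for a permissions audit of the agent's files. The script below is an added example for that audit; it is not code from the advisory or from Ivanti, and it does not know the agent's real install path: $AgentRoot is a placeholder you must replace. It walks a directory tree and reports every Allow ACE that grants a broad local principal (Everyone, Users, Authenticated Users, INTERACTIVE) a right that permits creating, replacing or deleting content, or widening its own access. That is exactly the CWE-276 condition this CVE describes, and the same check applies to any directory owned by a privileged service.

```powershell
# Added example (not from the advisory or Ivanti): audit a directory tree for
# ACEs that give broad local principals write-capable rights (CWE-276).
# $AgentRoot is a placeholder; substitute the agent's real install directory.
param(
    [string]$AgentRoot = 'C:\PLACEHOLDER\AgentInstallDir'  # placeholder, not a path the page documents
)

# Principals that should never hold write rights on a privileged agent's files.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let a principal create, replace or remove content, or grant itself more access.
[System.Security.AccessControl.FileSystemRights]$WriteRights =
    'Write, Modify, FullControl, CreateFiles, AppendData, Delete, ChangePermissions, TakeOwnership'

function Find-BroadWriteAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Include the root itself: a writable parent lets a low-privileged user replace children.
    $items = @(Get-Item -LiteralPath $Path -ErrorAction Stop) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $who) { continue }
            # Compare on the underlying integers: inherited generic-rights ACEs carry high bits.
            if (([int]$ace.FileSystemRights -band [int]$WriteRights) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Find-BroadWriteAccess -Path $AgentRoot)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} write-capable ACE(s) for broad principals under {1}" -f $findings.Count, $AgentRoot)
} else {
    Write-Output "No write-capable ACEs for broad principals found under $AgentRoot"
}
```

Run it from an elevated PowerShell session so every ACL can be read. Treat each finding as a candidate, not a verdict: an ACE marked Inherited usually means the parent directory is the one to fix, and a handful of subdirectories (log or cache folders) may legitimately need user writes. Once confirmed, remove the offending entry with `icacls <path> /remove:g <principal>` or an equivalent Set-Acl change, then rerun the audit to verify the tree is writable only by SYSTEM and Administrators.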
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: ivanti
- Date Reserved: 2025-09-24T15:26:22.638Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69135a44b36faa5b6c0e5fdd
Added to database: 11/11/2025, 3:46:12 PM
Last enriched: 11/11/2025, 3:53:51 PM
Last updated: 11/11/2025, 4:57:56 PM