CVE-2025-13661 is a path traversal vulnerability classified under CWE-22 affecting Ivanti Endpoint Manager versions prior to 2024 SU4 SR1. The flaw allows a remote attacker with low-level privileges and requiring user interaction to write arbitrary files outside the intended directory structure. This occurs due to improper limitation of pathname inputs, enabling directory traversal sequences to escape restricted directories. The vulnerability is remotely exploitable over the network but requires authentication and user interaction, which somewhat limits exploitation ease. Successful exploitation can lead to arbitrary file write, enabling attackers to modify or replace critical files, potentially leading to privilege escalation, code execution, or system compromise. The CVSS v3.1 base score is 7.1 (high), reflecting high impact on confidentiality, integrity, and availability, with attack vector network, attack complexity high, privileges required low, and user interaction required. No public exploits or active exploitation have been reported yet. The vulnerability affects organizations using Ivanti Endpoint Manager for endpoint management, which is widely deployed in enterprise environments for patch management, software distribution, and security compliance. The flaw poses a significant risk to the security posture of affected systems if left unpatched.

The impact of CVE-2025-13661 is substantial for organizations using Ivanti Endpoint Manager. Arbitrary file write outside intended directories can lead to unauthorized modification or replacement of critical system or application files, resulting in privilege escalation, remote code execution, or persistent backdoors. This compromises confidentiality by exposing sensitive data, integrity by allowing tampering with files, and availability by potentially disrupting endpoint management services. Since Ivanti Endpoint Manager is often used to manage large fleets of endpoints, exploitation could facilitate widespread compromise within an enterprise. The requirement for authentication and user interaction reduces the likelihood of mass automated exploitation but does not eliminate targeted attacks. Organizations in sectors with high endpoint management reliance, such as finance, healthcare, government, and critical infrastructure, face elevated risks. The absence of known exploits in the wild suggests a window for proactive mitigation before active attacks emerge.

Organizations should prioritize upgrading Ivanti Endpoint Manager to version 2024 SU4 SR1 or later, where this vulnerability is fixed. Until patching is possible, restrict user permissions to the minimum necessary to reduce the risk of exploitation. Implement strict input validation and monitoring on file write operations related to Ivanti Endpoint Manager directories. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect anomalous file modifications. Educate users about the risk of interacting with suspicious prompts or links that could trigger exploitation. Network segmentation can limit exposure of the management interface to trusted users only. Regularly audit logs for unusual file write activities or privilege escalations. Coordinate with Ivanti support for any available workarounds or temporary mitigations. Maintain up-to-date backups to recover from potential compromise.