CVE-2025-22458: CWE-427 Uncontrolled Search Path Element in Ivanti Endpoint Manager
DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.
AI Analysis
Technical Summary
CVE-2025-22458 is a high-severity vulnerability classified under CWE-427 (Uncontrolled Search Path Element) affecting Ivanti Endpoint Manager versions prior to 2024 SU1 and 2022 SU7. The flaw is a DLL hijacking condition: the software does not adequately control the search path it uses to load dynamic link libraries (DLLs), so an authenticated attacker with only low privileges can place a malicious DLL in a location that Endpoint Manager searches and have it loaded in place of the legitimate library. This hijacking allows the attacker to escalate their privileges to SYSTEM, the highest privilege level on Windows. The CVSS v3.1 base score of 7.8 reflects high impact on confidentiality, integrity, and availability; the vector requires local access (AV:L), has low attack complexity (AC:L) and requires low privileges (PR:L), but needs no user interaction (UI:N). Scope is unchanged (S:U), meaning the exploit affects only the vulnerable component. Although no exploits are currently reported in the wild, the combination of DLL hijacking and privilege escalation makes this a serious concern for organizations using Ivanti Endpoint Manager. No patch links are listed in this record, so remediation should proceed by updating to the fixed versions, 2024 SU1 or 2022 SU7 or later. An attacker who has already gained initial access to a system could leverage this vulnerability to take full control of it, enabling further lateral movement, data exfiltration, or disruption of services.
Potential Impact
For European organizations the impact of CVE-2025-22458 is substantial, especially in sectors that rely heavily on Ivanti Endpoint Manager for endpoint security and IT management, such as finance, healthcare, government, and critical infrastructure. Successful exploitation lets an attacker escalate privileges to SYSTEM, potentially leading to full system compromise, unauthorized access to sensitive data, and disruption of endpoint management capabilities, with data breaches, operational downtime, and loss of trust as likely consequences. Given how deeply Endpoint Manager is integrated into enterprise environments, attackers could use the vulnerability to deploy ransomware, steal intellectual property, or establish persistent footholds. The requirement for authenticated access limits exploitation to insiders or to attackers who have already compromised user credentials, but this does not diminish the risk, since insider threats and credential theft are common attack vectors. The current absence of known in-the-wild exploits provides a window for proactive mitigation before widespread exploitation occurs.
Mitigation Recommendations
European organizations should prioritize upgrading Ivanti Endpoint Manager to version 2024 SU1 or 2022 SU7 or later, where this vulnerability is addressed. Where the upgrade cannot be applied immediately, implement strict access controls to limit the privileges of authenticated users, in particular by restricting local administrative rights. Employ application whitelisting and use endpoint detection and response (EDR) tooling to monitor for anomalous DLL loading, such as Endpoint Manager processes loading libraries from user-writable locations. Audit the DLL search paths of Endpoint Manager processes regularly and ensure that no directory writable by low-privileged users appears in their search order. Additionally, enforce multi-factor authentication (MFA) to reduce the risk of credential compromise, and use network segmentation to limit lateral movement if exploitation does occur. Finally, maintain robust logging and alerting so that suspicious privilege escalation attempts are detected promptly.
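As an added example, not code from Ivanti or from this advisory, the following PowerShell script performs the search-path audit recommended above: it enumerates the directories a Windows process consults when resolving a DLL name (application directory, System32, the 16-bit system directory, the Windows directory, then each PATH entry) and reports any that grant write rights to low-privileged identities, plus any listed directory that does not exist. The Endpoint Manager install path given as the default for -AppDir is an assumed placeholder, and the list of low-privileged identities is a starting point to extend for the host being audited.

```powershell
<#
  Added example, not Ivanti's code and not part of the original advisory.
  Audits the directories a Windows process consults when resolving a DLL name
  and flags any that grant write access to low-privileged identities. Run it
  elevated so every directory ACL is readable. The Endpoint Manager install
  path is an ASSUMED placeholder: pass -AppDir with the real path on the host.
#>
param(
    [string]$AppDir = 'C:\Program Files\Ivanti\EndpointManager'   # placeholder (assumption)
)

# Identities that should never hold write rights on a DLL search directory.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal drop or replace a file in the directory
# (Write covers WriteData/CreateFiles; Modify and FullControl include Write).
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                   [System.Security.AccessControl.FileSystemRights]::Modify -bor
                   [System.Security.AccessControl.FileSystemRights]::FullControl)
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-LowPrivWriteAces {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl fails on directories we cannot read; those yield no findings here
    # but deserve a manual look.
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($LowPrivIdentities -contains $_.IdentityReference.Value) -and
        # InheritOnly ACEs apply to children, not to the directory itself.
        (([int]($_.PropagationFlags) -band $InheritOnly) -eq 0) -and
        (([int]($_.FileSystemRights) -band $WriteMask) -ne 0)
    }
}

# Default DLL search order with SafeDllSearchMode enabled: the application
# directory, System32, the 16-bit system directory, the Windows directory,
# then every directory on PATH (the current directory sits just before PATH).
$windir = [Environment]::GetFolderPath('Windows')
$SearchDirs = @(
    $AppDir,
    [Environment]::GetFolderPath('System'),
    (Join-Path $windir 'System'),
    $windir
) + ($env:Path -split ';' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -ne '' })

$Findings = foreach ($dir in ($SearchDirs | Select-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A missing search directory is itself a finding: whoever can create
        # it later controls a location the loader will consult.
        [pscustomobject]@{ Directory = $dir; Identity = '(directory missing)'; Rights = '' }
        continue
    }
    foreach ($ace in (Get-LowPrivWriteAces -Path $dir)) {
        [pscustomobject]@{
            Directory = $dir
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights.ToString()
        }
    }
}

if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    'No checked DLL search directory is writable by the listed low-privileged identities.'
}
```

Run it on a representative managed endpoint and on the Endpoint Manager server; any row naming a group such as BUILTIN\Users is a directory to lock down (remove the write ACE or remove the directory from PATH), and any "(directory missing)" row is a stale PATH entry to delete. The script checks only the process-wide search order; per-process redirections such as a manifest or SetDllDirectory calls are outside its scope.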
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: ivanti
- Date Reserved: 2025-01-07T02:19:22.797Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0f81484d88663aeb8a5
Added to database: 5/20/2025, 6:59:04 PM
Last enriched: 7/11/2025, 9:03:59 PM
Last updated: 8/18/2025, 11:30:10 PM