CVE-2025-5353 is a high-severity vulnerability identified in Ivanti Workspace Control versions prior to 10.19.10.0. The issue stems from the use of a hardcoded cryptographic key (CWE-321) within the product, which is used to encrypt stored SQL credentials. Because the key is hardcoded and thus static and discoverable, a local attacker with authenticated access to the system can decrypt these stored credentials. This vulnerability allows an attacker to gain unauthorized access to sensitive database credentials, potentially leading to further compromise of backend systems or data stores. The CVSS v3.1 base score is 8.8, reflecting the high impact on confidentiality, integrity, and availability, with low attack complexity and requiring only low privileges and no user interaction. The vulnerability affects the confidentiality of stored credentials, integrity of the system by enabling privilege escalation or lateral movement, and availability if the attacker disrupts database operations. No known exploits are currently reported in the wild, and no patch links are provided yet, indicating that remediation may still be pending or in progress. The vulnerability requires local authenticated access, so remote exploitation without credentials is not possible, but the scope is significant due to the potential for credential exposure and subsequent attacks on backend infrastructure.

For European organizations using Ivanti Workspace Control, this vulnerability poses a significant risk. Many enterprises rely on Workspace Control for managing user environments and access, often integrating with critical SQL databases. Exposure of SQL credentials can lead to unauthorized database access, data exfiltration, or manipulation, which can compromise sensitive personal data protected under GDPR. The breach of confidentiality and integrity could result in regulatory penalties, reputational damage, and operational disruption. Given the high CVSS score and the potential for privilege escalation, attackers could leverage this vulnerability to move laterally within networks, increasing the risk of widespread compromise. Organizations in sectors such as finance, healthcare, government, and critical infrastructure in Europe, which often use Ivanti products, are particularly at risk. The requirement for local authenticated access somewhat limits the attack surface but does not eliminate risk, especially in environments with many users or where endpoint security is weak.

Organizations should prioritize upgrading Ivanti Workspace Control to version 10.19.10.0 or later once available, as this will likely address the hardcoded key issue. Until a patch is released, organizations should implement strict access controls to limit local authenticated access to only trusted administrators and users. Employing endpoint detection and response (EDR) solutions to monitor for suspicious local activity can help detect exploitation attempts. Encrypting sensitive data at rest with additional layers beyond the application’s encryption can reduce exposure. Regularly auditing and rotating database credentials stored by Workspace Control can minimize the window of opportunity for attackers. Network segmentation should be enforced to restrict access to critical SQL servers. Additionally, organizations should review logs for unusual access patterns and prepare incident response plans specific to credential compromise scenarios. Ivanti customers should engage with vendor support for any available workarounds or interim fixes.