
CVE-2025-6995: CWE-257 : Storing Passwords in a Recoverable Format in Ivanti Endpoint Manager

Severity: High
Tags: Vulnerability, CVE-2025-6995, cve, cve-2025-6995, cwe-257
Published: Tue Jul 08 2025 (07/08/2025, 14:45:44 UTC)
Source: CVE Database V5
Vendor/Project: Ivanti
Product: Endpoint Manager

Description

Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.

AI-Powered Analysis

Last updated: 07/08/2025, 15:09:42 UTC

Technical Analysis

CVE-2025-6995 is a high-severity vulnerability in Ivanti Endpoint Manager, affecting versions prior to 2024 SU3 and 2022 SU8 Security Update 1. The vulnerability arises from improper encryption practices within the agent component of the product: passwords are stored in a recoverable format, which violates secure password storage principles (CWE-257). This flaw allows a local attacker with authenticated access to the system to decrypt and retrieve other users' passwords. Exploitation requires no user interaction, but the attacker must already hold local access with limited privileges; attack complexity is low. The CVSS v3.1 score of 8.4 reflects the high impact on confidentiality and integrity, with no impact on availability. The scope is changed, indicating that the vulnerability affects resources beyond the initially compromised component. Because the attacker must be authenticated locally, exploitation is limited to insiders or users who already have some level of access, but the ability to decrypt other users' passwords significantly elevates the risk of privilege escalation and lateral movement within an organization. No known exploits are currently reported in the wild, but the nature of the vulnerability makes it a critical concern for organizations relying on Ivanti Endpoint Manager for endpoint security and management.

Potential Impact

For European organizations, the impact of CVE-2025-6995 can be substantial. Ivanti Endpoint Manager is widely used in enterprise environments for managing endpoints, deploying patches, and enforcing security policies. The ability for a local authenticated attacker to decrypt other users’ passwords compromises the confidentiality of credentials, potentially leading to unauthorized access to sensitive systems and data. This can facilitate privilege escalation, lateral movement, and further compromise of the network. Given the high confidentiality and integrity impact, organizations may face data breaches, regulatory non-compliance (e.g., GDPR), and operational disruptions. The vulnerability could be exploited by malicious insiders or attackers who have gained limited access, making internal threat detection and mitigation critical. The lack of impact on availability means systems remain operational, potentially allowing stealthy exploitation over time. European organizations with strict data protection requirements and high regulatory scrutiny must prioritize remediation to avoid legal and reputational consequences.

Mitigation Recommendations

To mitigate CVE-2025-6995 effectively, European organizations should:
1) Immediately apply the security updates provided by Ivanti (2024 SU3 or 2022 SU8 Security Update 1) to ensure the encryption flaw is corrected.
2) Audit and restrict local authenticated access to systems running Ivanti Endpoint Manager agents, enforcing the principle of least privilege to minimize the risk of insider threats.
3) Implement enhanced monitoring and logging of local authentication events and password access attempts to detect suspicious activities early.
4) Conduct regular credential hygiene reviews and enforce strong password policies, including multi-factor authentication (MFA) where possible, to reduce the impact of compromised passwords.
5) Consider isolating critical endpoint management systems and segmenting networks to limit lateral movement opportunities.
6) Educate IT and security teams about the vulnerability specifics to improve incident response readiness.
7) If patching is delayed, consider temporary compensating controls such as disabling unnecessary local accounts or restricting access to the Ivanti agent directories and files where passwords might be stored.


Technical Details

Data Version: 5.1
Assigner Short Name: ivanti
Date Reserved: 2025-07-01T21:36:24.607Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686d31256f40f0eb72f633c1

Added to database: 7/8/2025, 2:54:29 PM

Last enriched: 7/8/2025, 3:09:42 PM

Last updated: 7/8/2025, 3:09:42 PM
