
CVE-2025-6996: CWE-257 : Storing Passwords in a Recoverable Format in Ivanti Endpoint Manager

Severity: High
Tags: Vulnerability, CVE-2025-6996, CWE-257
Published: Tue Jul 08 2025 (07/08/2025, 14:51:04 UTC)
Source: CVE Database V5
Vendor/Project: Ivanti
Product: Endpoint Manager

Description

Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.

AI-Powered Analysis

Last updated: 07/08/2025, 15:09:30 UTC

Technical Analysis

CVE-2025-6996 is a high-severity vulnerability in the agent component of Ivanti Endpoint Manager, affecting versions prior to 2024 SU3 and 2022 SU8 Security Update 1. The root cause is improper use of encryption: the agent stores passwords in a recoverable (reversible) form, the weakness catalogued as CWE-257, Storing Passwords in a Recoverable Format. Because the material needed to reverse that encryption is available to a local authenticated attacker, meaning anyone who already holds a low-privileged account on the endpoint, such an attacker can decrypt passwords belonging to other users of the same system. No user interaction is required and attack complexity is low; the only precondition is a local authenticated session.

The CVSS 3.1 base score is 8.4 (High). The vector string is not reproduced in this record, so the individual confidentiality, integrity, availability and scope components should be taken from Ivanti's advisory rather than inferred here. What the description itself establishes is a local attack vector, low complexity, and a direct loss of confidentiality for other users' credentials, with loss of integrity following as soon as a recovered password is used. Recovered passwords are the usual starting point for privilege escalation and lateral movement, which is why a "local only" flaw in a credential store matters well beyond the single endpoint on which it is exploited.

No exploitation in the wild had been reported at the time of this analysis. The description names the first fixed versions (2024 SU3 and 2022 SU8 Security Update 1); organizations running earlier agents, particularly on endpoints used by more than one account or where the agent handles sensitive credentials, should prioritise the upgrade and cannot rule out that passwords stored by unpatched agents have already been recovered by someone with local access.
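The storage pattern CWE-257 describes, as an added illustration that is not Ivanti's code (the agent's real storage format and key handling are not given in this record): a store whose single machine-wide key lets any local account recover every user's password, beside two alternatives, a per-user wrapping key standing in for what DPAPI user scope provides on Windows, and a verifier-only store for the case where the agent never needs the cleartext. The user names, secrets, sample passwords and the toy HMAC-based cipher are all constructed for this example.

```python
"""Illustrative model of CWE-257 (Storing Passwords in a Recoverable Format).
Added example, not Ivanti's code; users, secrets and passwords are constructed
and the cipher is a toy so the file runs on the standard library alone."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy CTR-mode stream cipher built from HMAC-SHA256. Real code would use
    # AES-GCM or the OS credential protection API (DPAPI on Windows).
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC


def unseal(key: bytes, blob: bytes) -> bytes | None:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # wrong key or tampered blob: nothing is recovered
    return _keystream_xor(key, nonce, ct)


@dataclass
class SharedKeyStore:
    """CWE-257 as the record describes it: one machine-wide key protects every
    user's password, and any local authenticated account can read that key."""
    machine_key: bytes = field(default_factory=lambda: os.urandom(32))
    blobs: dict[str, bytes] = field(default_factory=dict)

    def store(self, user: str, password: str) -> None:
        self.blobs[user] = seal(self.machine_key, password.encode())

    def recover(self, requesting_user: str, target_user: str) -> str | None:
        # requesting_user is never tied to the key: once a low-privileged
        # session can read machine_key, every entry opens.
        pt = unseal(self.machine_key, self.blobs[target_user])
        return None if pt is None else pt.decode()


@dataclass
class PerUserStore:
    """Recoverability bound to the owner: a per-user secret that only that
    user's session can present stands in for DPAPI user scope."""
    blobs: dict[str, bytes] = field(default_factory=dict)

    @staticmethod
    def _wrap_key(user: str, user_secret: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", user_secret, b"demo:" + user.encode(), 100_000)

    def store(self, user: str, user_secret: bytes, password: str) -> None:
        self.blobs[user] = seal(self._wrap_key(user, user_secret), password.encode())

    def recover(self, requester: str, requester_secret: bytes, target: str) -> str | None:
        # Bob can only derive Bob's key; Alice's blob fails its MAC under it.
        pt = unseal(self._wrap_key(requester, requester_secret), self.blobs[target])
        return None if pt is None else pt.decode()


@dataclass
class VerifierStore:
    """When the agent only needs to check a password, keep no recoverable form.
    PBKDF2 is used for portability; prefer scrypt or Argon2id in production."""
    records: dict[str, tuple[bytes, bytes]] = field(default_factory=dict)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self.records[user]
        return hmac.compare_digest(self._digest(password, salt), digest)


def demo() -> dict[str, object]:
    """Run the three stores side by side and report what Bob can learn about Alice."""
    alice_pw, bob_pw = "Alice!2025", "Bob#2025"                 # constructed
    alice_secret, bob_secret = os.urandom(32), os.urandom(32)   # constructed
    shared, per_user, verifier = SharedKeyStore(), PerUserStore(), VerifierStore()
    shared.store("alice", alice_pw)
    shared.store("bob", bob_pw)
    per_user.store("alice", alice_secret, alice_pw)
    per_user.store("bob", bob_secret, bob_pw)
    verifier.enroll("alice", alice_pw)
    return {
        "shared_bob_reads_alice": shared.recover("bob", "alice"),                # "Alice!2025"
        "peruser_bob_reads_alice": per_user.recover("bob", bob_secret, "alice"),  # None
        "peruser_alice_reads_own": per_user.recover("alice", alice_secret, "alice"),
        "verifier_correct": verifier.verify("alice", alice_pw),                  # True
        "verifier_wrong": verifier.verify("alice", bob_pw),                      # False
        "verifier_has_recover": hasattr(verifier, "recover"),                    # False
    }
```

Call demo() to see the three outcomes together: the shared-key store hands Alice's cleartext to Bob, the per-user store returns None for the same request, and the verifier store has no recovery path at all. The toy HMAC cipher exists only so the file runs without third-party packages; in a real agent the per-user binding is the platform's job (DPAPI user scope, a TPM-backed key, an OS keychain), not something to rebuild with application-level key derivation.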

Potential Impact

For European organizations, the impact of CVE-2025-6996 can be substantial. Ivanti Endpoint Manager is widely used for endpoint management, patching, and security policy enforcement across various sectors including government, finance, healthcare, and critical infrastructure. The ability for a local authenticated attacker to decrypt other users’ passwords threatens the confidentiality of sensitive credentials, potentially enabling unauthorized access to privileged accounts and sensitive data. This can lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and operational disruptions. In multi-user environments common in European enterprises, such as shared workstations or virtual desktop infrastructures, the risk of lateral movement and privilege escalation is heightened. Additionally, organizations subject to strict data protection laws may face legal and reputational consequences if credential compromise leads to data exposure. The vulnerability’s exploitation could also undermine trust in endpoint management solutions, complicating security operations and incident response efforts.

Mitigation Recommendations

1. Upgrade affected agents to Ivanti Endpoint Manager 2024 SU3 or 2022 SU8 Security Update 1 (or later), the first versions the description names as not affected. This is the only complete fix.
2. Until the upgrade is complete, restrict interactive and remote local logon on systems running the agent to trusted personnel, since the precondition for exploitation is a local authenticated session.
3. Enforce least privilege for all users so that a compromised low-privileged account exposes as few co-resident accounts as possible.
4. Treat credentials stored or handled by unpatched agents as potentially exposed: rotate them after patching, starting with accounts that hold elevated rights or are shared across many endpoints.
5. Monitor endpoints for unusual local activity against the agent's files and configuration, and use EDR to flag access to credential material by accounts that have no administrative role on that system.
6. Where practical, keep privileged or sensitive accounts off shared endpoints (shared workstations, VDI) that are managed by unpatched agents until remediation is complete.
7. Require multi-factor authentication on the accounts whose passwords the agent stores, so that a recovered password alone is not sufficient for misuse.
8. Brief IT staff and users on the risk of local credential recovery and on reporting unexpected local access to managed endpoints.


Technical Details

Data Version: 5.1
Assigner Short Name: ivanti
Date Reserved: 2025-07-01T21:36:25.728Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686d31256f40f0eb72f633c4

Added to database: 7/8/2025, 2:54:29 PM

Last enriched: 7/8/2025, 3:09:30 PM

Last updated: 7/8/2025, 3:24:28 PM

