
ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities

Score: 0
Severity: Low
Tags: Vulnerability, remote
Published: Fri Oct 10 2025 (10/10/2025, 09:45:13 UTC)
Source: SecurityWeek

Description

The unpatched vulnerabilities allow attackers to execute arbitrary code remotely and escalate their privileges. The post ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities appeared first on SecurityWeek.

AI-Powered Analysis

AI analysis last updated: 10/10/2025, 09:49:15 UTC

Technical Analysis

The Zero Day Initiative (ZDI) published advisories detailing 13 unpatched vulnerabilities in Ivanti Endpoint Manager, a widely used endpoint management solution. These include 12 remote code execution (RCE) vulnerabilities and one local privilege escalation (LPE) flaw. The LPE vulnerability affects the AgentPortal service and arises from improper validation of user input, leading to deserialization of untrusted data and execution of code with SYSTEM privileges. The RCE vulnerabilities are located in multiple components such as Report_RunPatch, MP_Report_Run2, DBDR, PatchHistory, MP_QueryDetail2, MP_QueryDetail, MP_VistaReport, and Report_Run classes, as well as GetCountForQuery and OnSaveToDB methods. These RCE issues result from unsafe handling of user-supplied input used in SQL queries or file operations, enabling arbitrary code execution under the context of the service account or user. Exploitation requires authentication; some require admin credentials or user interaction, such as opening a malicious file or webpage. The most critical vulnerability has a CVSS-like score of 8.8, with others scoring 7.8 and 7.2, indicating high severity. Ivanti was notified of these flaws between November 2024 and June 2025 but has delayed patching, now targeting March 2026 for fixes. ZDI’s disclosure follows their 120-day policy, releasing limited advisories due to the vendor’s delayed response. The vulnerabilities pose significant risks, including remote arbitrary code execution and privilege escalation, which could lead to full system compromise. Currently, the primary mitigation is to restrict access and interaction with the vulnerable Endpoint Manager components until patches are released.
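The analysis above names two bug classes: user-supplied input spliced into SQL queries (the GetCountForQuery and report-running components) and deserialization of untrusted data (the AgentPortal service). The following is an added, generic illustration of those two patterns and their hardened counterparts; it is not Ivanti code, does not reproduce any of the thirteen advisories, and uses a constructed in-memory SQLite table and a constructed JSON request schema (report_id, format) as stand-ins for the real components.

```python
import json
import sqlite3


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample table; stands in for whatever backs the report queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO reports (name, owner) VALUES (?, ?)",
        [("Patch status", "alice"), ("Vista report", "bob"), ("Admin audit", "admin")],
    )
    conn.commit()
    return conn


def count_for_query_unsafe(conn: sqlite3.Connection, owner: str) -> int:
    """Vulnerable pattern: the caller-supplied value is concatenated into the SQL text,
    so the value can change the query's logic instead of being treated as data."""
    sql = "SELECT COUNT(*) FROM reports WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchone()[0]


def count_for_query_safe(conn: sqlite3.Connection, owner: str) -> int:
    """Hardened pattern: a bound parameter. The driver sends the value separately from
    the statement, so quotes or keywords inside it never become SQL."""
    row = conn.execute("SELECT COUNT(*) FROM reports WHERE owner = ?", (owner,)).fetchone()
    return row[0]


# Constructed schema for a hypothetical "run report" request: exact field set and types.
ALLOWED_REPORT_REQUEST = {"report_id": int, "format": str}
ALLOWED_FORMATS = ("pdf", "csv")


def parse_report_request(raw: bytes) -> dict:
    """Hardened counterpart to deserializing untrusted objects: parse a data-only format
    (JSON), then validate the shape and every field before anything acts on it.
    Raises ValueError on anything that is not exactly the expected request."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError("malformed request") from exc
    if not isinstance(obj, dict) or set(obj) != set(ALLOWED_REPORT_REQUEST):
        raise ValueError("unexpected field set")
    for key, expected_type in ALLOWED_REPORT_REQUEST.items():
        if type(obj[key]) is not expected_type:  # exact type: bool must not pass as int
            raise ValueError(f"bad type for {key}")
    if obj["report_id"] < 0:
        raise ValueError("negative report_id")
    if obj["format"] not in ALLOWED_FORMATS:
        raise ValueError("unsupported format")
    return obj


def is_valid_report_request(raw: bytes) -> bool:
    """Boolean wrapper so callers (and tests) can check acceptance without exceptions."""
    try:
        parse_report_request(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    db = make_sample_db()
    # A value that is a plain string to the safe query but a logic change to the unsafe one.
    crafted = "' OR '1'='1"
    print("unsafe count:", count_for_query_unsafe(db, crafted))  # 3: the filter was bypassed
    print("safe count:  ", count_for_query_safe(db, crafted))    # 0: no owner has that name
    print(is_valid_report_request(b'{"report_id": 7, "format": "pdf"}'))   # True
    print(is_valid_report_request(b'{"report_id": 7, "format": "exe"}'))   # False
    print(is_valid_report_request(b"\x80\x04not a json document"))         # False
```

The bound-parameter query and the strict, allow-list parser are the two controls a code review of such components would look for; the "temporarily restrict features that process user-supplied input" mitigation below is the operational stand-in until the vendor ships fixes in the code paths themselves.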

Potential Impact

For European organizations, these vulnerabilities present a substantial risk, especially for enterprises relying on Ivanti Endpoint Manager for endpoint security and patch management. Successful exploitation could allow attackers to execute arbitrary code remotely, escalate privileges to SYSTEM level, and potentially gain full control over affected systems. This could lead to data breaches, disruption of IT operations, and lateral movement within networks. Given the authentication requirement, insider threats or compromised credentials could facilitate attacks. The delay in patch availability prolongs exposure, increasing the window for attackers to develop exploits. Critical infrastructure, government agencies, and large enterprises in Europe that depend on Ivanti for endpoint management are particularly vulnerable. The impact extends to confidentiality, integrity, and availability of systems, potentially affecting compliance with GDPR and other regulatory frameworks. The need for user interaction in some cases also raises the risk of social engineering attacks. Overall, the threat could disrupt business continuity and damage organizational reputation.

Mitigation Recommendations

European organizations should immediately implement strict access controls to limit interaction with Ivanti Endpoint Manager components, especially the AgentPortal service and affected classes. Network segmentation should isolate management servers to reduce exposure. Enforce strong authentication mechanisms, including multi-factor authentication, to mitigate risks from compromised credentials. Monitor logs and network traffic for unusual activity related to Ivanti services. Employ application whitelisting and endpoint detection and response (EDR) solutions to detect and block exploitation attempts. Educate users about phishing and social engineering risks, particularly regarding opening suspicious files or links. Temporarily disable or restrict features that process user-supplied input if feasible. Maintain up-to-date backups and incident response plans tailored to potential endpoint compromise scenarios. Engage with Ivanti support for updates and prioritize patch deployment once available. Consider deploying virtual patching or compensating controls via web application firewalls or intrusion prevention systems to mitigate exploitation risks during the patch delay.


Technical Details

Article Source: https://www.securityweek.com/zdi-drops-13-unpatched-ivanti-endpoint-manager-vulnerabilities/ (fetched 2025-10-10T09:49:02.760Z, 1154 words)

Threat ID: 68e8d68e014f1108aab3a90e

Added to database: 10/10/2025, 9:49:02 AM

Last enriched: 10/10/2025, 9:49:15 AM

Last updated: 10/11/2025, 1:11:17 PM

Views: 13

