
Severe Ivanti Bugs Let Attackers Modify Files and Gain Access

Ivanti patched severe Endpoint Manager flaws that could let attackers gain system access.

Written By
Ken Underhill
Nov 12, 2025
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Ivanti has released security updates for its Endpoint Manager platform, addressing multiple high-severity vulnerabilities that could allow authenticated attackers to write arbitrary files to disk. 

The flaws, if exploited, could enable privilege escalation, malicious code execution, or data tampering.

Ivanti Endpoint Manager Bugs Open Door to Privilege Escalation

The most recent vulnerability, CVE-2025-10918, results from insecure default permissions in Ivanti Endpoint Manager agent versions prior to 2024 SU4. 

According to Ivanti’s advisory, the issue allows a local authenticated attacker to overwrite or create arbitrary files anywhere on the system disk. This flaw carries a CVSS score of 7.1 (High). 

In practice, this means a legitimate user, or an attacker who has already gained local access, could modify protected system files or drop malicious executables into privileged locations. 

This could result in further privilege escalation, unauthorized configuration changes, or operational disruption. 

Ivanti also addressed two additional vulnerabilities — CVE-2025-9713 and CVE-2025-11622 — originally disclosed in October 2025. 

Although the company did not reiterate full technical details in the latest bulletin, both issues contribute to the same arbitrary file write risk model. 

CVE-2025-9713 involves a path traversal flaw enabling remote code execution (RCE) through malicious file imports.

CVE-2025-11622 stems from insecure deserialization, allowing privilege escalation and arbitrary file manipulation post-compromise.

The combination of local access and an arbitrary file write vulnerability can provide a stepping stone for more severe attacks.

For example, once an attacker can write or modify files on disk, they may implant backdoors, alter system services, or bypass other security controls, which in turn helps them move laterally across systems.

The vulnerabilities impact Ivanti Endpoint Manager 2024 SU3 SR1 and earlier versions. 

At the time of publication, Ivanti reported no known instances of active exploitation. The company nevertheless urged organizations to apply the latest patch.

Reduce Exposure with Defense-in-Depth Measures

While applying Ivanti’s latest update is the most critical action, organizations can take additional measures to strengthen resilience and reduce exposure:

  • Apply the principle of least privilege: Restrict user permissions so that only authorized personnel can modify system files or run administrative tasks. This helps limit the impact of local exploits.
  • Enhance endpoint monitoring: Deploy endpoint detection and response (EDR) tools to identify unusual file writes, configuration changes, or privilege escalation attempts.
  • Harden system configurations: Regularly audit and adjust file and directory permissions to ensure default settings do not expose critical system paths.
  • Segment administrative access: Separate administrative networks or use jump servers to isolate privileged activities from general user access.
  • Implement application control policies: Use allowlists or digital signature enforcement to block unauthorized executables and scripts.
  • Maintain rigorous patch management: Establish centralized patch management workflows to ensure timely updates across all systems, especially third-party software.
  • Conduct security audits: Review access logs and privilege assignments periodically to detect misconfigurations or dormant accounts that could be exploited locally.

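The root cause of CVE-2025-10918 is an insecure default permission, and the "Harden system configurations" item above asks administrators to audit for exactly that class of mistake. The script below is an added example written for this article, not Ivanti's code, and it does not model Ivanti's real directory layout. It parses the output of the built-in Windows `icacls` command and flags any allow entry that grants a broad, low-privilege identity (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) a right that lets it create or replace content. The paths, principals and ACEs in SAMPLE_ICACLS are constructed for illustration; the directory names are assumptions, not real product paths.

```python
"""Audit an icacls listing for write-capable rights granted to broad principals.

Added example for this article, not Ivanti's code or configuration.  The
directory names, principals and ACEs in SAMPLE_ICACLS are constructed.
On a real host, generate the input with something like
    icacls "C:\ProgramData\Vendor" /T > acl.txt
and run:  python acl_audit.py acl.txt
"""
import re
import sys

# Identities that every local user (or every authenticated user) maps to.
BROAD_PRINCIPALS = {
    "everyone", "builtin\\users", "users",
    "nt authority\\authenticated users", "authenticated users",
    "nt authority\\interactive", "interactive",
}

# icacls rights that allow creating, altering or replacing content:
# F=full, M=modify, W=write, WD=write data/add file, AD=append data/add subdir,
# D=delete, DC=delete child, WDAC=write DACL, WO=write owner.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "D", "DC", "WDAC", "WO"}

# Inheritance markers that share the parenthesised list with the rights.
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}

# "principal:(..)(..)" where a principal holds at most one backslash (DOMAIN\name).
ACE_PATTERN = r"(?P<principal>[^:\\]+(?:\\[^:\\]+)?):(?P<rights>(?:\([^()]*\))+)"
ACE_RE = re.compile(r"^" + ACE_PATTERN + r"$")
# Fallback for a path line that has no continuation line: the shortest path that
# leaves a well-formed ACE.  This is ambiguous when the path contains spaces AND
# the principal has no domain prefix (e.g. "C:\Program Files\x Everyone:(F)"),
# which is why the indentation rule in parse_icacls is tried first.
PATH_LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S.*?)\s+" + ACE_PATTERN + r"$")

# Constructed sample of icacls /T output (not a real product's ACLs).
SAMPLE_ICACLS = r"""C:\ProgramData\Agent BUILTIN\Administrators:(OI)(CI)(F)
                     NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                     BUILTIN\Users:(OI)(CI)(M)
                     Everyone:(OI)(CI)(RX)

C:\ProgramData\Agent\agent.conf NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Users:(I)(RX,W)
                                BUILTIN\Users:(DENY)(D)

C:\Program Files\Agent\bin NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Users:(OI)(CI)(RX)

C:\Program Files\Agent\bin\updater.exe Everyone:(F)

Successfully processed 4 files; Failed processing 0 files
"""


def _split_ace(principal, rights_text):
    """Turn "(OI)(CI)(RX,W)" style text into a dict of flags and rights."""
    tokens = re.findall(r"\(([^()]*)\)", rights_text)
    rights = set()
    for tok in tokens:
        if tok in INHERIT_FLAGS or tok == "DENY":
            continue
        rights.update(r.strip() for r in tok.split(","))
    return {"principal": principal.strip(), "deny": "DENY" in tokens,
            "inherit_only": "IO" in tokens, "rights": rights}


def parse_icacls(text):
    """Parse icacls output into ACE dicts, each carrying its 'path'.

    icacls prints the first ACE on the path line and indents the remaining
    ACEs to align under it, so the indentation of the following line marks
    where the path ends.  A path with a single ACE has no continuation line
    and is split with PATH_LINE_RE instead.
    """
    lines = text.splitlines()
    entries = []
    path = None
    for i, line in enumerate(lines):
        if not line.strip():
            continue
        if line[0].isspace():  # continuation ACE for the current path
            m = ACE_RE.match(line.strip())
            if m and path is not None:
                entries.append(dict(path=path, **_split_ace(m["principal"], m["rights"])))
            continue
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        indent = len(nxt) - len(nxt.lstrip()) if nxt[:1].isspace() else 0
        m = None
        if 0 < indent < len(line) and line[indent - 1] == " ":
            m = ACE_RE.match(line[indent:].strip())
            if m:
                path = line[:indent].rstrip()
        if m is None:
            m = PATH_LINE_RE.match(line)
            if m is None:  # summary line or unrecognised text
                path = None
                continue
            path = m["path"]
        entries.append(dict(path=path, **_split_ace(m["principal"], m["rights"])))
    return entries


def find_weak_entries(entries):
    """Allow-ACEs that grant a broad principal any write-capable right.

    Deny ACEs are skipped.  Inherit-only ACEs are kept: they do not apply to
    the directory itself but to every file later created under it.
    """
    findings = []
    for e in entries:
        if e["deny"] or e["principal"].lower() not in BROAD_PRINCIPALS:
            continue
        hit = sorted(e["rights"] & WRITE_RIGHTS)
        if hit:
            findings.append((e["path"], e["principal"], hit))
    return findings


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_ICACLS
    for path, principal, rights in find_weak_entries(parse_icacls(text)):
        print(f"WEAK  {path}  {principal}: {','.join(rights)}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the constructed sample, the script reports three weak entries: the agent data directory (Users have Modify), the configuration file (Users have Write, even though Delete is denied) and the updater binary (Everyone has Full). Each is the kind of default that turns "local authenticated user" into "arbitrary file write" as described for CVE-2025-10918. A deny entry or an (IO) inherit-only entry is treated deliberately: denies are ignored, and inherit-only grants are still reported because they govern files created later under the directory. Remediation is `icacls <path> /remove:g "BUILTIN\Users"` followed by re-granting read/execute only, or resetting the tree to the vendor's intended defaults.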
Strengthening endpoint and system security requires a proactive, layered approach that limits potential attack vectors and minimizes the impact of local threats. 

By implementing these best practices, organizations can reduce the risk of unauthorized access, privilege abuse, and system compromise. 

The disclosure of CVE-2025-10918, along with the related Ivanti Endpoint Manager flaws, underscores how even local vulnerabilities can have enterprise-wide consequences when left unpatched. 

Although exploitation requires authenticated access, the ability to write arbitrary files on disk opens the door to privilege escalation and persistent compromise.

As attackers increasingly use automation and AI to uncover and exploit vulnerabilities at unprecedented speed, organizations must go beyond just patching.

Building true cyber resilience now requires adopting a zero-trust approach — one that enforces strict access controls, continuous verification, and assumes no user or device should be trusted by default.
