When were the Ivanti Endpoint Manager vulnerabilities discovered and reported?

The vulnerabilities were discovered and privately reported to Ivanti by ZDI researchers between June and November 2024. ZDI publicly disclosed all 13 vulnerabilities on October 7, 2025, after Ivanti failed to provide patches within acceptable timeframes.

Why did ZDI publicly disclose the Ivanti vulnerabilities without patches?

Despite initial acknowledgments from Ivanti, the company repeatedly requested patching extensions, with some timelines pushed as far as March 2026. ZDI deemed these delays unacceptable given the severity of the flaws and Ivanti's troubling history of exploitation by nation-state threat actors. After notifying Ivanti of its intent to publicly release the advisories, ZDI proceeded with full disclosure, marking all 13 issues as zero-day vulnerabilities.

What is the most severe Ivanti Endpoint Manager vulnerability?

The most severe vulnerability is ZDI-CAN-26834 with a CVSS score of 8.8, which is an Ivanti Endpoint Manager Directory Traversal Remote Code Execution Vulnerability in the OnSaveToDB method.

What types of vulnerabilities affect Ivanti Endpoint Manager?

The vulnerabilities include twelve remote code execution (RCE) vulnerabilities and one local privilege escalation flaw. Most of the RCE vulnerabilities are SQL Injection flaws with CVSS scores of 7.2, while one is a directory traversal vulnerability with a CVSS score of 8.8. The privilege escalation flaw has a CVSS score of 7.8.

What is ZDI-CAN-25369?

ZDI-CAN-25369 is an Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Local Privilege Escalation Vulnerability with a CVSS score of 7.8.

How many SQL Injection vulnerabilities were found in Ivanti Endpoint Manager?

Eleven SQL Injection Remote Code Execution vulnerabilities were discovered in Ivanti Endpoint Manager, all with CVSS scores of 7.2. These affect various components including Report_Run2, Report_Run, Report_RunPatch, MP_VistaReport, MP_QueryDetail, GetCountForQuery, MP_QueryDetail2, PatchHistory, DBDR, MP_Report_Run2, and another Report_RunPatch endpoint.

What should organizations do to protect against these Ivanti vulnerabilities?

Organizations using Ivanti Endpoint Manager are advised to reduce their attack surface and monitor for indicators of compromise. Specifically, they should isolate and restrict access to Ivanti Endpoint Manager interfaces from the internet and implement VPN access with IP whitelisting wherever possible.

When did Ivanti request to delay patches until?

Ivanti repeatedly requested patching extensions, with some timelines pushed as far as March 2026, which ZDI deemed unacceptable given the severity of the vulnerabilities.

Why are these Ivanti vulnerabilities considered zero-days?

ZDI marked all 13 issues as zero-day vulnerabilities because there are no available patches from Ivanti at the time of public disclosure, despite the vulnerabilities being reported months earlier between June and November 2024.

What are the CVSS scores for the Ivanti Endpoint Manager vulnerabilities?

The vulnerabilities have CVSS scores ranging from 7.2 to 8.8. One vulnerability (ZDI-CAN-26834) has a CVSS score of 8.8, one (ZDI-CAN-25369) has a score of 7.8, and eleven SQL Injection vulnerabilities each have CVSS scores of 7.2.

Who discovered the Ivanti Endpoint Manager vulnerabilities?

The vulnerabilities were discovered by researchers at the Zero Day Initiative (ZDI), who privately reported them to Ivanti between June and November 2024.

Advisory

Zero Day Initiative reports 13 vulnerabilities in Ivanti Endpoint Manager

Q: Has Ivanti released patches for these vulnerabilities?

No, at the time of publication, Ivanti has not released patches for any of the disclosed vulnerabilities, despite being notified between June and November 2024.

published: Oct. 9, 2025

Take action: If you're running Ivanti Endpoint Manager, be aware that there are 13 unpatched vulnerabilities and no fixes available from the vendor. Isolate the IEM as much as possible from the internet and restrict access. Then start calling Ivanti for a patch. Hackers love Ivanti, and will try to exploit these flaws.

Learn More

The Zero Day Initiative (ZDI) has reported 13 unpatched vulnerabilities affecting Ivanti Endpoint Manager. The flaws, which Ivanti has failed to patch despite months of advance notification, include twelve remote code execution (RCE) vulnerabilities and one local privilege escalation flaw.

The vulnerabilities were discovered and privately reported to Ivanti by ZDI researchers between June and November 2024. Despite initial acknowledgments from the company, Ivanti repeatedly requested patching extensions, with some timelines pushed as far as March 2026. ZDI deems these delays unacceptable given the severity of the flaws and the company's troubling history of exploitation by nation-state threat actors. After notifying Ivanti of its intent to publicly release the advisories, ZDI proceeded with full disclosure on October 7, 2025, marking all 13 issues as zero-day vulnerabilities due to the absence of available patches.

Vulnerabilities summary:

ZDI-CAN-26834 (CVSS score 8.8) - Ivanti Endpoint Manager Directory Traversal Remote Code Execution Vulnerability in OnSaveToDB method
ZDI-CAN-25369 (CVSS score 7.8) - Ivanti Endpoint Manager AgentPortal Deserialization of Untrusted Data Local Privilege Escalation Vulnerability
ZDI-CAN-26855 (CVSS score 7.2) - Ivanti Endpoint Manager Report_Run2 SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26856 (CVSS score 7.2) - Ivanti Endpoint Manager Report_Run SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26858 (CVSS score 7.2) - Ivanti Endpoint Manager Report_RunPatch SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26860 (CVSS score 7.2) - Ivanti Endpoint Manager MP_VistaReport SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26861 (CVSS score 7.2) - Ivanti Endpoint Manager MP_QueryDetail SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26862 (CVSS score 7.2) - Ivanti Endpoint Manager GetCountForQuery SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26864 (CVSS score 7.2) - Ivanti Endpoint Manager MP_QueryDetail2 SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26865 (CVSS score 7.2) - Ivanti Endpoint Manager PatchHistory SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26866 (CVSS score 7.2) - Ivanti Endpoint Manager DBDR SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26857 (CVSS score 7.2) - Ivanti Endpoint Manager MP_Report_Run2 SQL Injection Remote Code Execution Vulnerability
ZDI-CAN-26859 (CVSS score 7.2) - Ivanti Endpoint Manager Report_RunPatch SQL Injection Remote Code Execution Vulnerability

At the time of publication, Ivanti has not released patches for any of the disclosed vulnerabilities. Organizations using Ivanti Endpoint Manager are advised to reduce their attack surface and monitor for indicators of compromise, primarily isolating and restricting access to Ivanti Endpoint Manager interfaces from the internet and implementing VPN access with IP whitelisting wherever possible.

Zero Day Initiative reports 13 vulnerabilities in Ivanti Endpoint Manager

Read More
Sophos fixes remote code execution on old unsupported …
Arista reports flaws in Arista EOS, one critical
SonicWall confirms active exploitation of two SMA vulnerabilities
Critical authentication bypass flaw reported in Ubiquiti UniFi …
Vulnerabilities in ScrutisWeb, including critical, expose remote ATMs …