Friday, October 10, 2025

ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities

Trend Micro’s Zero Day Initiative (ZDI) this week published 13 advisories describing unpatched vulnerabilities in Ivanti Endpoint Manager.

One of the flaws allows local attackers to elevate their privileges and was reported to Ivanti in November 2024. The remaining 12 lead to remote code execution (RCE) and were reported in June 2025.

While the vulnerabilities are technically not zero-days (the vendor has known about all of them for months), ZDI labels every unpatched flaw it publishes as ‘0day’. ZDI’s advisories name the vulnerable component and give a general description of the root cause, but contain no further technical details.

No CVE identifier has been issued for these vulnerabilities, but ZDI notes that all of them are high-severity defects. The most severe of them has a CVSS score of 8.8, one has a CVSS score of 7.8, while the remaining 11 have CVSS scores of 7.2.

According to ZDI, the local privilege escalation bug affects the Endpoint Manager’s AgentPortal service. It exists because user-supplied input is not properly validated, resulting in deserialization of untrusted data and code execution with System privileges.

Also rooted in the lack of proper validation of user-supplied data, the RCE weaknesses were found in the product’s Report_RunPatch, MP_Report_Run2, DBDR, PatchHistory, MP_QueryDetail2, MP_QueryDetail, MP_VistaReport, and Report_Run classes, and in the GetCountForQuery and OnSaveToDB methods.

For the first 11 of the RCE vulnerabilities, the improperly validated user-supplied input is used to construct SQL queries (a SQL injection condition), which could lead to arbitrary code execution in the context of the service account. Authentication is required to exploit all of them.

For the last RCE issue (CVSS score of 8.8), an improperly validated user-supplied path is used in file operations, leading to code execution in the context of the user. Attackers can exploit the defect if they have admin credentials or if they can convince a user to open a malicious page or file.
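The advisories describe two root causes: user input concatenated into SQL text, and a user-supplied path handed to file operations without being confined to an allowed directory. The following is an added, generic illustration of both bug classes written for this page; it is not Ivanti code and does not reflect the actual Endpoint Manager implementation. The table, report names and base directory are constructed for the example, and the vulnerable/safe pairs only show the pattern, not the product's behaviour.

```python
import os
import sqlite3


def make_db():
    # Constructed in-memory table standing in for a report store (not Ivanti's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)")
    conn.executemany(
        "INSERT INTO reports (name, owner) VALUES (?, ?)",
        [("patch-summary", "alice"), ("vista-report", "bob"), ("secret-audit", "admin")],
    )
    return conn


def run_report_vulnerable(conn, name):
    # The caller's string is pasted into the statement text, so a quote in
    # `name` changes the query's structure instead of being treated as data.
    sql = f"SELECT name FROM reports WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def run_report_safe(conn, name):
    # Parameter binding: the driver passes `name` as a value, never as SQL syntax.
    rows = conn.execute("SELECT name FROM reports WHERE name = ?", (name,))
    return [row[0] for row in rows]


def path_is_contained(base_dir, user_path):
    # Normalise first, then check the result is still inside base_dir. This
    # catches '..' sequences and absolute paths (os.path.join discards base_dir
    # when the second argument is absolute).
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, user_path))
    return os.path.commonpath([base, candidate]) == base


def resolve_report_path(base_dir, user_path):
    # Hardened file-operation helper: refuse any path that escapes the report directory.
    if not path_is_contained(base_dir, user_path):
        raise ValueError(f"path escapes report directory: {user_path!r}")
    return os.path.abspath(os.path.join(os.path.abspath(base_dir), user_path))


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"          # constructed attacker input
    print("vulnerable:", run_report_vulnerable(db, tautology))  # every row comes back
    print("safe:      ", run_report_safe(db, tautology))        # no row matches
    print(resolve_report_path("/srv/epm/reports", "2025/q3.html"))
    for bad in ("../../etc/passwd", "/etc/passwd"):
        print(bad, "contained:", path_is_contained("/srv/epm/reports", bad))
```

The tautology input illustrates why "context of the service account" matters: once the query shape is attacker-controlled, what can be reached depends entirely on the privileges of the database login the service uses, which is why parameterised queries rather than input filtering are the fix. The path check likewise has to be applied after normalisation, since validating the raw string lets encoded or relative forms through.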

ZDI says Ivanti was notified of the first security hole in November 2024 and acknowledged it in January 2025. In July, the vendor notified ZDI that patches would be released in November.

Regarding the RCE flaws, Ivanti initially said it would patch 10 of them in September, but then requested an extension until March 2026 for all 12, ZDI says.

Per its disclosure policy, ZDI allows vendors 120 days to address vulnerabilities reported to them. If by the end of the deadline the vendor is unresponsive or does not provide a reasonable statement on why fixes have not been released, ZDI publishes a limited advisory on the reported security defect.

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product,” ZDI notes for each of the bugs. Additional information can be found on ZDI’s published advisories page.

It is unclear why Ivanti has not been able to roll out patches for these bugs within the disclosure window, as the company has not published an advisory yet. SecurityWeek has emailed Ivanti for a statement on the matter and will update this article if the vendor responds.

Related: Sophisticated Malware Deployed in Oracle EBS Zero-Day Attacks

Related: CISA Analyzes Malware From Ivanti EPMM Intrusions

Related: Chinese Spies Exploit Ivanti Vulnerabilities Against Critical Sectors

Related: Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability
