Ivanti has disclosed 13 vulnerabilities in its Endpoint Manager (EPM) software, including two high-severity flaws that could enable remote code execution and privilege escalation, urging customers to apply mitigations while patches remain in development.
The announcement comes amid growing scrutiny of enterprise management tools, as attackers increasingly target them for supply chain compromises.
Although no exploitation in the wild has been reported, the issues highlight the risks of outdated deployments in endpoint security environments.
Critical Vulnerabilities Exposed In Endpoint Manager
Among the vulnerabilities, CVE-2025-9713 stands out as a high-severity path traversal issue with a CVSS score of 8.8, allowing unauthenticated remote attackers to execute arbitrary code if a user interacts with a malicious file.
The flaw, classified as CWE-22, stems from weak validation of paths supplied during configuration imports, potentially letting adversaries write and run malicious payloads on the EPM Core server.
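The import-time path traversal described above, shown as an added illustration of CWE-22 in general rather than as Ivanti EPM code (this is not the vendor's importer and makes no claim about how it is written). A constructed zip "configuration bundle" carries one benign entry and one whose name climbs out of the import directory; the vulnerable importer trusts the entry name and writes outside its directory, the hardened one canonicalises every target and rejects the whole bundle on the first escape:

```python
"""Path traversal (CWE-22) in a configuration-import routine: vulnerable
and hardened variants, run on a constructed zip bundle.  Illustrative code
added for this write-up; not Ivanti EPM code."""
import io
import os
import shutil
import tempfile
import zipfile


def build_config_bundle() -> bytes:
    """Constructed sample bundle: a benign entry plus a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("settings.xml", "<settings/>")
        zf.writestr("../../payload.dll", "MZ-not-a-real-binary")  # climbs out
    return buf.getvalue()


def import_config_vulnerable(bundle: bytes, dest: str) -> list[str]:
    """Trusts the entry name verbatim, so '../' segments escape dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # attacker-controlled name
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def import_config_hardened(bundle: bytes, dest: str) -> list[str]:
    """Canonicalises each target and refuses the bundle if any entry is
    absolute or would resolve outside dest."""
    root = os.path.realpath(dest)
    os.makedirs(root, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                raise ValueError(f"absolute entry name rejected: {name!r}")
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"traversal entry rejected: {name!r}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def escaped(written: list[str], dest: str) -> list[str]:
    """Base names of written files that ended up outside dest."""
    root = os.path.realpath(dest)
    return [os.path.basename(p) for p in written
            if os.path.commonpath([root, p]) != root]


def demo() -> dict:
    """Run both importers on the sample bundle inside a throwaway tree."""
    base = tempfile.mkdtemp(prefix="cfg-import-")
    try:
        # Two levels below base so '../..' stays inside the throwaway tree.
        dest = os.path.join(base, "imports", "job1")
        os.makedirs(dest)
        bundle = build_config_bundle()
        vuln_escaped = escaped(import_config_vulnerable(bundle, dest), dest)
        try:
            import_config_hardened(bundle, os.path.join(base, "imports", "job2"))
            rejected = False
        except ValueError:
            rejected = True
        return {"vulnerable_escaped": vuln_escaped, "hardened_rejected": rejected}
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The containment check has to run on the canonicalised path (`realpath`) rather than on the raw name, otherwise symlinks inside the import directory give the same escape without any `..` in the entry name.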
Complementing it is CVE-2025-11622, an insecure deserialization vulnerability (CVSS 7.8, CWE-502) that permits local authenticated users to escalate privileges, granting unauthorized access to sensitive system resources.
The remaining 11 vulnerabilities are medium-severity SQL injection flaws (each CVSS 6.5, CWE-89): CVE-2025-11623 and CVE-2025-62383 through CVE-2025-62392.
CVE ID         | Description                                                                | CVSS Score | Severity | CVSS Vector                                   | CWE
---------------|----------------------------------------------------------------------------|------------|----------|-----------------------------------------------|--------
CVE-2025-11622 | Insecure deserialization allowing local authenticated privilege escalation. | 7.8        | High     | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | CWE-502
CVE-2025-9713  | Path traversal allowing remote unauthenticated RCE with user interaction.   | 8.8        | High     | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CWE-22
CVE-2025-11623 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62392 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62390 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62389 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62388 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62387 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62385 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62391 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62383 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62386 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
CVE-2025-62384 | SQL injection allowing remote authenticated arbitrary data read.            | 6.5        | Medium   | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | CWE-89
These allow remote authenticated attackers to extract arbitrary data from the database, including credentials or configuration details, without needing user interaction beyond initial authentication.
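What an "authenticated arbitrary data read" through SQL injection looks like in practice, as an added example against an in-memory SQLite database. This is illustrative code written for this article, not Ivanti's reporting code; the `devices` and `service_accounts` tables, column names and the reporting filter are invented for the demo. The vulnerable query concatenates a caller-supplied filter value and sort column into the statement, so a legitimately authenticated low-privilege user can UNION in a table the report was never meant to expose; the hardened version binds the value and allow-lists the identifier:

```python
"""Authenticated SQL injection (CWE-89) leaking rows from a table the
caller is not entitled to, shown on an in-memory SQLite database.
Illustrative code added for this write-up, not Ivanti EPM code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: the table a report may query, plus one
    that holds credentials and must never reach the report output."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE devices (name TEXT, status TEXT);
        INSERT INTO devices VALUES ('WS-001', 'online'), ('WS-002', 'offline');
        CREATE TABLE service_accounts (username TEXT, password_hash TEXT);
        INSERT INTO service_accounts VALUES
            ('svc_reporting', 'e3b0c442...'), ('svc_agent', '9f86d081...');
    """)
    return conn


def device_status_vulnerable(conn, name_filter: str, sort_col: str = "name"):
    """Builds the statement by string concatenation: both the filter value
    and the ORDER BY identifier come straight from the authenticated caller."""
    sql = (f"SELECT name, status FROM devices WHERE name = '{name_filter}' "
           f"ORDER BY {sort_col}")
    return conn.execute(sql).fetchall()


ALLOWED_SORT = {"name", "status"}


def device_status_hardened(conn, name_filter: str, sort_col: str = "name"):
    """Binds the value as a parameter; identifiers cannot be bound, so the
    sort column is checked against an explicit allow-list instead."""
    if sort_col not in ALLOWED_SORT:
        raise ValueError(f"unsupported sort column: {sort_col!r}")
    sql = f"SELECT name, status FROM devices WHERE name = ? ORDER BY {sort_col}"
    return conn.execute(sql, (name_filter,)).fetchall()


# Constructed attacker input: closes the string literal, UNIONs two columns
# from the credentials table (column count must match the original SELECT),
# and comments out the trailing ORDER BY clause.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM service_accounts --"


def demo() -> dict:
    """Same payload against both implementations."""
    conn = make_db()
    leaked = device_status_vulnerable(conn, UNION_PAYLOAD)
    safe = device_status_hardened(conn, UNION_PAYLOAD)
    return {"vulnerable_rows": sorted(leaked), "hardened_rows": safe}


if __name__ == "__main__":
    print(demo())
```

The second injection point, the sort column, is the one teams tend to miss: parameter binding does nothing for identifiers, which is why the fix pairs a bound value with an allow-list rather than trying to escape the column name.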
Ivanti noted that all issues were responsibly reported by researcher 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 via Trend Micro’s Zero Day Initiative, underscoring the value of coordinated disclosure in bolstering defenses.
No proof-of-concept exploits or indicators of compromise (IoCs) have been publicly released, as Ivanti confirmed no active attacks at disclosure time.
However, data exfiltrated through the SQL injections could feed broader campaigns, much as earlier attacks pivoted through management software (the SolarWinds Orion compromise) or a ubiquitous component (Log4j).
Ivanti EPM versions 2024 SU3 SR1 and earlier are affected, with the 2022 branch now end-of-life as of October 2025, leaving users without official support.
For the high-severity CVEs, fixes are slated for EPM 2024 SU4, expected November 12, 2025. The SQL injections will follow in SU5 during Q1 2026, delayed due to the complexity of resolving them without disrupting reporting features.
Ivanti emphasized that upgrading to the latest 2024 release already mitigates much of the risk through enhanced security controls. Customers on EOL versions face heightened exposure and should migrate promptly to avoid unpatched vulnerabilities.
The company’s FAQ addresses concerns, noting that while patches are forthcoming, immediate mitigations can secure environments in the interim.
Mitigations
To counter CVE-2025-11622, Ivanti recommends firewall whitelisting to block high-range TCP ports and restricting Core server access to local EPM administrators only, aligning with established best practices.
For the path traversal in CVE-2025-9713, users must avoid importing untrusted configuration files and thoroughly vet any necessary ones, as such actions inherently carry risks.
The SQL injection cluster can be addressed by removing the Reporting database user, though this disables analytics features, a trade-off detailed in Ivanti’s documentation. Overall, staying on EPM 2024 SU3 SR1 or later provides layered protections, reducing exploit viability.
Ivanti’s disclosure, despite pending patches, prioritizes transparency, allowing proactive defenses in a landscape where endpoint managers are prime targets for ransomware and APT groups. Organizations should audit their EPM setups and consult Ivanti’s Success Portal for tailored support.
A critical vulnerability in the widely used Sudo utility has come under scrutiny following the public release of a proof-of-concept exploit, raising alarms for Linux system administrators worldwide.
CVE-2025-32463 targets the chroot feature in Sudo versions 1.9.14 through 1.9.17, enabling local attackers to escalate privileges to root level with minimal effort.
Discovered by security researcher Rich Mirch, this flaw exploits how Sudo handles user-specified root directories, potentially allowing unauthorized command execution as the superuser.
The issue, rated 9.3 (Critical) on the CVSS scale, underscores ongoing risks in privilege management tools essential to Unix-like operating systems.
Reports indicate active exploitation in the wild, prompting urgent calls for patching from organizations like CISA.
This development arrives amid a surge in Sudo-related vulnerabilities, highlighting the tool’s persistent role as a prime target for attackers seeking deeper system access.
The vulnerability stems from Sudo's improper resolution of paths when using the --chroot (-R) option, introduced in version 1.9.14 to support user-defined root environments.
In affected versions, an attacker can craft a malicious /etc/nsswitch.conf file within a controlled directory, tricking Sudo into loading an arbitrary shared library during command evaluation.
This bypasses sudoers file restrictions, granting root privileges even to users not explicitly authorized for escalation.
Rich Mirch identified the issue through analysis of Sudo’s path resolution logic, noting that the chroot feature’s implementation creates an error-prone vector for local privilege escalation.
The flaw does not require network access or high privileges, making it particularly dangerous in multi-user environments like servers and development machines.
Stratascale’s advisory details how this could lead to full system compromise, including data exfiltration or malware deployment.
Ubuntu and Red Hat have confirmed the vulnerability affects their distributions, with patches rolled out in recent updates.
Proof Of Concept Demonstration
The GitHub repository by researcher kh4sh3i provides a straightforward PoC exploit, demonstrating the escalation in a controlled setting.
Users clone the repository, change into its directory, make the exploit.sh script executable, check their initial user ID, and run the script.
The script leverages the chroot option to manipulate Sudo’s environment, resulting in a successful privilege gain as evidenced by the post-execution ID output showing root access.
Terminal screenshots in the repo illustrate the process: starting as a low-privilege user in the lowuser group, the exploit executes via sudo, flipping the context to root@test with full administrative capabilities.
PoC Exploit
This visual proof, mirroring the attached demonstration image, confirms the vulnerability’s reliability on unpatched systems.
While intended for educational use, the PoC emphasizes the need for caution, as unauthorized deployment constitutes illegal activity. Exploit-DB hosts a similar script, underscoring the ease of adaptation for malicious purposes.
Systems running vulnerable Sudo versions face severe risks, including complete takeover by local threat actors, which could facilitate lateral movement in breached networks.
Affected products span major Linux distributions: Ubuntu 24.04 LTS, 24.10, and 25.04; Red Hat Enterprise Linux variants; and Debian-based setups with Sudo 1.9.14-1.9.17.
Legacy versions before 1.9.14 remain unaffected because they have no chroot support. Immediate mitigation involves updating to Sudo 1.9.17p1 or later, where the chroot option is deprecated and the path-resolution behaviour that introduced the flaw was removed.
Administrators should enable AppArmor or SELinux profiles to constrain Sudo operations and monitor logs for suspicious chroot invocations.
CISA has added this CVE to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply patches by October 2025.
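Deciding whether an installed sudo falls in the affected range is slightly fiddlier than the table suggests, because the boundary sits on a patch level (1.9.17 is affected, 1.9.17p1 is not). The helper below is an added audit snippet written for this article, not part of sudo or any vendor advisory. One caveat that is an assumption on my part rather than something the page states: distributions backport fixes without bumping the upstream version string, so a match here means "check the package changelog", not "proven vulnerable".

```python
"""Classify a sudo version string against the CVE-2025-32463 range
(1.9.14 through 1.9.17, fixed upstream in 1.9.17p1).  Illustrative audit
helper added for this write-up; not part of sudo."""
import re
import subprocess

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

FIRST_AFFECTED = (1, 9, 14, 0)  # chroot support first shipped here
FIRST_FIXED = (1, 9, 17, 1)     # 1.9.17p1 deprecates the option and removes the bug


def parse_sudo_version(text: str) -> tuple[int, int, int, int]:
    """Accepts '1.9.15p5', '1.9.17', or the first line of `sudo --version`
    ('Sudo version 1.9.16p2').  The 'pN' patch level becomes a fourth
    component so that 1.9.17 sorts below 1.9.17p1."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text: str) -> bool:
    """True when the upstream version lies in [1.9.14, 1.9.17p1)."""
    return FIRST_AFFECTED <= parse_sudo_version(text) < FIRST_FIXED


def classify(text: str) -> str:
    v = parse_sudo_version(text)
    if v < FIRST_AFFECTED:
        return "not affected (predates chroot support)"
    if v >= FIRST_FIXED:
        return "fixed upstream"
    # Assumption: a distro may have backported the fix under this version.
    return "affected upstream version; confirm distro backport status"


def local_sudo_version_line() -> str:
    """First line of `sudo --version`; this flag needs no privileges."""
    out = subprocess.run(["sudo", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return out.splitlines()[0]


if __name__ == "__main__":
    line = local_sudo_version_line()
    print(line, "->", classify(line))
```

On Debian and Ubuntu the package version (for example from `dpkg -s sudo`) carries the distro revision that actually tells you whether the backport landed; the upstream string this helper parses does not.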
Aspect            | Details
------------------|------------------------------------------------
CVE ID            | CVE-2025-32463
CVSS v3.1 Score   | 9.3 (Critical)
Attack Vector     | Local
Impact            | High Confidentiality, Integrity, Availability
Affected Versions | Sudo 1.9.14 – 1.9.17
Patched Versions  | 1.9.17p1+
Organizations delaying updates risk heightened exposure, especially in cloud and containerized environments reliant on Sudo for automation.
Cybersecurity researchers have identified several malicious packages across npm, Python, and Ruby ecosystems that leverage Discord as a command-and-control (C2) channel to transmit stolen data to actor-controlled webhooks.
Webhooks on Discord are a way to post messages to channels in the platform without requiring a bot user or authentication, making them an attractive mechanism for attackers to
Elastic has disclosed a critical vulnerability in its Elastic Cloud Enterprise (ECE) platform that allows administrators with malicious intent to execute arbitrary commands and exfiltrate sensitive data.
Tracked as CVE-2025-37729 under advisory ESA-2025-21, the flaw stems from improper neutralization of special elements in the Jinjava template engine.
This issue affects multiple versions of ECE, potentially exposing enterprise environments to severe risks if exploited by insiders or compromised admin accounts.
The vulnerability arises when specially crafted strings containing Jinjava variables are evaluated during the processing of deployment plans in the ECE admin console.
Attackers with admin privileges can inject malicious payloads into these plans, leading to code execution. The results of such executions can then be read back through ingested logs, enabling data theft or further system compromise.
Elastic emphasizes that exploitation requires access to the admin console and a deployment with the Logging+Metrics feature enabled, narrowing the threat vector to privileged users but amplifying the impact in shared or multi-tenant setups.
Elastic Cloud Enterprise Vulnerability
This flaw impacts ECE versions from 2.5.0 up to and including 3.8.1, as well as versions 4.0.0 through 4.0.1.
Organizations running these builds in production face heightened exposure, particularly those leveraging ECE for scalable cloud management in logging and metrics workloads.
The CVSS v3.1 score of 9.1 underscores its criticality, with a vector of AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H: network-reachable, low attack complexity, high privileges required, with a scope change and high confidentiality, integrity, and availability impact.
While no proof-of-concept exploits have been publicly released, the advisory describes payloads whose names mimic interpreter invocations.
A string that Jinjava evaluates as an expression inside a deployment plan is enough to reach code execution, the same pattern as server-side template injection seen on other platforms.
Elastic notes that the issue does not affect standalone Elastic Stack components but is specific to ECE’s enterprise deployment orchestration.
Mitigations
Elastic urges immediate upgrades to patched versions 3.8.2 or 4.0.2, which address the neutralization flaw in the template engine.
For those unable to patch promptly, no direct workarounds exist, though organizations can limit admin console access through strict role-based controls and monitoring.
To detect potential exploitation, Elastic recommends scanning request logs with the query: (payload.name : int3rpr3t3r or payload.name : forPath). This can flag suspicious activity indicative of injected payloads.
Indicator of Compromise      | Description                                      | Detection Method
-----------------------------|--------------------------------------------------|--------------------------
payload.name : int3rpr3t3r   | Malicious payload mimicking interpreter commands | Log search in ECE console
payload.name : forPath       | Injection targeting path evaluation in templates | Log search in ECE console
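For teams that ship ECE request logs to another store, the same check as Elastic's suggested console query, `(payload.name : int3rpr3t3r or payload.name : forPath)`, can be run outside the console. The snippet below is an added example written for this article, not Elastic's code: it resolves the KQL-style dotted field `payload.name` against JSON records (walking nested objects and fanning out across lists, as the query language does) and matches the two indicator values exactly. The sample records are constructed, and their layout (a top-level `payload` object carrying a `name` key) is an assumption about the export, not something taken from the advisory.

```python
"""Stand-alone equivalent of the ECE request-log query
    payload.name : int3rpr3t3r or payload.name : forPath
over NDJSON records.  Illustrative detection code added for this write-up,
not Elastic's; the sample log and its field layout are constructed."""
import json

INDICATORS = {"int3rpr3t3r", "forPath"}


def resolve(record: dict, dotted: str) -> list:
    """Resolve a dotted field such as 'payload.name', descending into nested
    objects and expanding lists at any level, returning every leaf value."""
    values = [record]
    for key in dotted.split("."):
        next_values = []
        for v in values:
            if isinstance(v, dict) and key in v:
                next_values.append(v[key])
            elif isinstance(v, list):
                next_values.extend(x[key] for x in v
                                   if isinstance(x, dict) and key in x)
        values = next_values
    return values


def matches(record: dict) -> bool:
    """payload.name : int3rpr3t3r or payload.name : forPath (exact match)."""
    return any(v in INDICATORS for v in resolve(record, "payload.name")
               if isinstance(v, str))


def scan(lines) -> list[dict]:
    """Parse NDJSON lines, skip anything unparsable, return the hits."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and matches(rec):
            hits.append(rec)
    return hits


# Constructed sample request log (not real ECE output).
SAMPLE_LOG = """
{"@timestamp":"2025-10-15T10:01:02Z","user":"admin1","payload":{"name":"update-plan","deployment":"logging-and-metrics"}}
{"@timestamp":"2025-10-15T10:03:11Z","user":"admin2","payload":{"name":"int3rpr3t3r","deployment":"logging-and-metrics"}}
{"@timestamp":"2025-10-15T10:04:40Z","user":"admin2","payload":[{"name":"forPath"},{"name":"noop"}]}
{"@timestamp":"2025-10-15T10:05:00Z","user":"admin3","payload":{"name":"restart"}}
not json at all
""".strip().splitlines()


def demo() -> list[tuple[str, str]]:
    """(user, timestamp) for each hit in the constructed sample."""
    return [(h["user"], h["@timestamp"]) for h in scan(SAMPLE_LOG)]


if __name__ == "__main__":
    for user, ts in demo():
        print(f"{ts} {user}: suspicious payload name")
```

Because the indicator names are chosen by the attacker, treat a hit as a trigger for reviewing that admin's recent deployment-plan changes rather than as the only signal; a renamed payload will not match this query.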
As enterprises increasingly rely on ECE for hybrid cloud observability, this vulnerability highlights the need for vigilant privilege management.
Elastic’s rapid disclosure allows proactive defense, but delayed patching could invite insider threats or lateral movement in breached networks.