ZDI Drops 13 Unpatched Ivanti Endpoint Manager Vulnerabilities

Trend Micro’s Zero Day Initiative (ZDI) this week published 13 advisories describing unpatched vulnerabilities in Ivanti Endpoint Manager.

One of the flaws allows local attackers to elevate their privileges and was reported to Ivanti in November 2024. The remaining 12 lead to remote code execution (RCE) and were reported in June 2025.

While the vulnerabilities are technically not zero-days, ZDI flags all the unpatched flaws it discloses as ‘0day’. ZDI’s advisories name the vulnerable component and provide a general description of the root cause, but do not contain any other technical details.

No CVE identifier has been issued for these vulnerabilities, but ZDI notes that all of them are high-severity defects. The most severe of them has a CVSS score of 8.8, one has a CVSS score of 7.8, while the remaining 11 have CVSS scores of 7.2.

According to ZDI, the local privilege escalation bug affects Endpoint Manager’s AgentPortal service. It exists because user-supplied input is not properly validated, resulting in deserialization of untrusted data and code execution with System privileges.

Also rooted in the lack of proper validation of user-supplied data, the RCE weaknesses were found in the product’s Report_RunPatch, MP_Report_Run2, DBDR, PatchHistory, MP_QueryDetail2, MP_QueryDetail, MP_VistaReport, and Report_Run classes, and in the GetCountForQuery and OnSaveToDB methods.

For the first 11 of the RCE vulnerabilities, the improperly validated user-supplied input is used to construct SQL queries and could lead to arbitrary code execution in the context of the service account. Authentication is required to exploit all of them.

For the last RCE issue (CVSS score of 8.8), an improperly validated user-supplied path is used in file operations, leading to code execution in the context of the user. Attackers can exploit the defect if they have admin credentials or if they can convince a user to open a malicious page or file.

ZDI says Ivanti was notified of the first security hole in November 2024 and acknowledged it in January 2025. In July, the vendor notified ZDI that patches would be released in November.

Regarding the RCE flaws, Ivanti initially said it would patch 10 of them in September, but then requested an extension until March 2026 for all 12, ZDI says.

Per its disclosure policy, ZDI allows vendors 120 days to address vulnerabilities reported to them. If by the end of the deadline the vendor is unresponsive or does not provide a reasonable statement on why fixes have not been released, ZDI publishes a limited advisory on the reported security defect.

“Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the product,” ZDI notes for each of the bugs. Additional information can be found on ZDI’s published advisories page.

It’s unclear why Ivanti has not been able to roll out patches for these bugs within the disclosure window, as the company has not published an advisory yet. information.killnetswitch has emailed Ivanti for a statement on the matter and will update this article if the vendor responds.
