
MS-ISAC urges immediate Ivanti Endpoint Manager patching

Endpoint managers are high-trust plumbing, which is exactly why a multi-path Ivanti bug set should move faster than the normal patch queue.


TL;DR

MS-ISAC advisory 2025-037, issued April 8, flags multiple vulnerabilities in Ivanti Endpoint Manager 2022 SU6 and earlier and Ivanti Endpoint Manager 2024, with fixes in 2022 SU7 and 2024 SU1. Government agencies, contractors, MSPs and assessors running EPM should test and apply Ivanti updates immediately. MS-ISAC reports no exploitation in the wild, but the mix includes unauthenticated reflected XSS, privilege escalation, and authenticated SQL injection that can reach code execution.

MS-ISAC did not describe this as an exploited zero-day, which matters. It also did not describe it as a leisurely maintenance item, which matters more for anyone running Ivanti Endpoint Manager in a government or contractor environment. Advisory 2025-037 covers Ivanti Endpoint Manager 2022 SU6 and earlier, plus Ivanti Endpoint Manager 2024, and says the most severe vulnerabilities could allow remote code execution in the context of the system.

The affected paths are not all the same shape. CVE-2025-22465 is reflected cross-site scripting reachable by a remote unauthenticated attacker, though MS-ISAC says it is unlikely that user interaction is required. CVE-2025-22466 is another reflected XSS issue that can let a remote unauthenticated attacker obtain admin privileges with user interaction. CVE-2025-22458 is authenticated DLL hijacking that can escalate to System. CVE-2025-22461 is SQL injection by a remote authenticated attacker with admin privileges that can achieve code execution. Lower-severity issues include local denial of service and improper certificate validation that could permit interception of limited client-server traffic.

For practitioners, the Monday work is plain: identify EPM 2022 SU6 and earlier and EPM 2024 instances, validate the Ivanti update path to 2022 SU7 or 2024 SU1, and patch after testing. The compliance wrapper is familiar: vulnerability management, least privilege, scanning, segmentation and exploit protection. The operational point is narrower: an endpoint management server already sits close to the machinery attackers want. If it is vulnerable, waiting for confirmed exploitation is not a control strategy.
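The identify-and-triage step above is the part that can be scripted against an existing asset inventory. The following is an added example, not code from MS-ISAC, Ivanti or the article: it parses EPM version strings of the kinds an inventory export might carry, compares them against the fixed releases the advisory names (2022 SU7 and 2024 SU1), and sorts hosts into patched, vulnerable, or needs-review buckets. The version-string formats, the hostnames and the inventory rows are all constructed for the example; how the version is actually obtained from a given host is left to the reader's inventory tooling.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed service-update level per major release, as stated in advisory 2025-037:
# EPM 2022 is fixed in SU7, EPM 2024 is fixed in SU1.
FIXED_SU: Dict[int, int] = {2022: 7, 2024: 1}

# Assumed inventory formats (constructed for this example): an optional
# "Ivanti" / "Endpoint Manager" / "EPM" prefix, a four-digit release year,
# and an optional "SUn" service-update suffix, e.g. "2022 SU6", "EPM 2024".
_VERSION_RE = re.compile(
    r"^\s*(?:Ivanti\s+)?(?:(?:EPM|Endpoint Manager)\s+)?(\d{4})(?:\s*SU\s*(\d+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class EpmVersion:
    year: int
    su: int  # 0 means the base release with no service update applied


def parse_epm_version(text: str) -> Optional[EpmVersion]:
    """Parse an inventory version string; None if it does not look like an EPM version."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return EpmVersion(int(m.group(1)), int(m.group(2) or 0))


def triage(version_text: str) -> str:
    """Classify one version string as 'patched', 'vulnerable', or 'review'.

    'review' covers anything the advisory does not name explicitly (unparseable
    strings and release years outside 2022/2024); those hosts need a human look
    rather than an automatic verdict.
    """
    v = parse_epm_version(version_text)
    if v is None:
        return "review"
    fixed = FIXED_SU.get(v.year)
    if fixed is None:
        return "review"
    # A bare "2024" parses as SU0, which is below SU1 and therefore affected.
    return "patched" if v.su >= fixed else "vulnerable"


def triage_inventory(rows: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version_text) rows by triage status; hostnames sorted per bucket."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "review": []}
    for host, version_text in rows:
        buckets[triage(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in buckets.items()}


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("epm-core-01", "Ivanti Endpoint Manager 2022 SU6"),
    ("epm-core-02", "2022 SU7"),
    ("epm-lab-01", "2024"),
    ("epm-lab-02", "EPM 2024 SU1"),
    ("epm-legacy-01", "2021 SU4"),
    ("epm-unknown", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

The "review" bucket is deliberate: an automated verdict on a string the advisory never mentions (an older release year, a blank field) is a guess, and patch-queue decisions for a high-trust server should not rest on guesses.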


Published · Deep Fathom