The Cybersecurity and Infrastructure Security Agency (CISA) has announced five known exploited vulnerabilities now in its catalogue, three of which are Ivanti Endpoint Manager (EPM) vulnerabilities. According to CISA, there is evidence that these flaws are being actively exploited. 

The five flaws are: 

• Advantive VeraCore SQL Injection Vulnerability (CVE-2025-25181) 
• Advantive VeraCore Unrestricted File Upload Vulnerability (CVE-2024-57968) 
• Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability (CVE-2024-13159)
• Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability (CVE-2024-13160) 
• Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability (CVE-2024-13161) 

Heath Renfrow, CISO and Co-founder at Fenix24, states, “The three Ivanti Endpoint Manager (EPM) vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) are particularly concerning due to their ability to grant remote, unauthenticated attackers full compromise of vulnerable servers. Given the recent history of Ivanti vulnerabilities, this latest development underscores the importance of rapid patching and continuous hardening to mitigate risk.” 

Understanding the risks of the unpatched Ivanti vulnerabilities 

CISA states that these flaws are common attack vectors and create a notable cyber risk for the federal enterprise. 

Renfrow remarks, “We’ve seen firsthand how adversaries quickly weaponize these types of flaws, particularly when proof-of-concept (PoC) exploits are made public. Organizations that delay patching are at risk of full domain compromise, credential theft and lateral movement by threat actors who capitalize on exposed systems. These vulnerabilities further contribute to the broader pattern of Ivanti-related security challenges over the past year, making it clear that proactive security measures — not just reactive patching — are essential.”

Chris Gray, Field CTO at Deepwatch, comments, “The dangers in not patching these flaws are very simple. We have all seen the movie: The guy in the hockey mask is armed and at your door, the lock is broken, and your family/friends are helplessly standing at your side. Are you hoping that they’ll pick someone else?

“These flaws are known, and exploits are present. Anyone with affected systems should, as CISA and others have previously said, patch them immediately. In addition, they would be wise to consider them to already be compromised. Actions should be taken to look for any behavior that maps to published IOCs, going back to the published dates of the CVEs in 2024 if possible.

“Ivanti has a significant market share with over 400,000 companies using their VPN, ICS, IPS and ZTA platforms. This size and the nature of their products are why they are being so heavily targeted. Malicious actors seek targets of opportunity, and the larger the target population, the more likely that there will be unpatched systems. A critical aspect of effective vulnerability management is tied to threat exposure. Not only are these platforms, by their very nature, exposed to the cutting edge of compromise, they are also popular enough to be popular odds.”