CVE-2025-6996

Summary

Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords.

Affected Software

VendorProductVersion RangeStatus
IvantiEndpoint Manager2024 SU3unaffected
IvantiEndpoint Manager2022 SU8unaffected

Weaknesses

  • CWE-257: CWE-257 : Storing Passwords in a Recoverable Format

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References