CVE-2025-13659

High

Published: 09 December 2025

Published

09 December 2025

Modified

11 December 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0061 69.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the vulnerability by requiring timely patching of Ivanti Endpoint Manager to version 2024 SU4 SR1 as specified in the vendor advisory.

SI-5 Security Alerts, Advisories, and Directives partial match

prevent

Ensures receipt and dissemination of security advisories like the Ivanti advisory for CVE-2025-13659 to enable prompt flaw remediation.

SI-7 Software, Firmware, and Information Integrity partial match

preventdetect

Verifies integrity of software, firmware, and information to detect unauthorized file writes and prevent execution of malicious code from exploited dynamic resources.

Security SummaryAI

CVE-2025-13659 involves improper control of dynamically managed code resources (CWE-913) in Ivanti Endpoint Manager versions prior to 2024 SU4 SR1. Published on 2025-12-09, the vulnerability enables a remote, unauthenticated attacker to write arbitrary files on the server, with potential for remote code execution, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H).

The attack requires user interaction to succeed, allowing a remote, unauthenticated attacker to exploit the flaw over the network with low complexity. Successful exploitation grants the ability to write arbitrary files on the affected server, which could escalate to remote code execution depending on the files written and server configuration.

Ivanti has issued a security advisory addressing this vulnerability, available at https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024, which provides details on mitigations and patches.

Details

CWE(s): CWE-913

Affected Products

ivanti

endpoint manager

2024 · ≤ 2024

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables remote, unauthenticated attackers to exploit a public-facing application in Ivanti Endpoint Manager for arbitrary file writes leading to potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
Vendor Advisory · 3c1d8aa1-5a33-4ea4-8992-aadd6440af75