Cyber Resilience

CVE-2025-13659

High

Published: 09 December 2025

Published
09 December 2025
Modified
11 December 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0117 79.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-13659 is a high-severity Improper Control of Dynamically-Managed Code Resources (CWE-913) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-5 (Security Alerts, Advisories, and Directives).

Deeper analysis

CVE-2025-13659 involves improper control of dynamically managed code resources (CWE-913) in Ivanti Endpoint Manager versions prior to 2024 SU4 SR1. Published on 2025-12-09, the vulnerability enables a remote, unauthenticated attacker to write arbitrary files on the server, with potential for remote code execution, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H).

The attack requires user interaction to succeed, allowing a remote, unauthenticated attacker to exploit the flaw over the network with low complexity. Successful exploitation grants the ability to write arbitrary files on the affected server, which could escalate to remote code execution depending on the files written and server configuration.

Ivanti has issued a security advisory addressing this vulnerability, available at https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024, which provides details on mitigations and patches.

EU & UK References

Vulnerability details

Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables remote, unauthenticated attackers to exploit a public-facing application in Ivanti Endpoint Manager for arbitrary file writes leading to potential RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13162Same product: Ivanti Endpoint Manager
CVE-2025-9713Same product: Ivanti Endpoint Manager
CVE-2026-8111Same product: Ivanti Endpoint Manager
CVE-2025-9872Same product: Ivanti Endpoint Manager
CVE-2024-13163Same product: Ivanti Endpoint Manager
CVE-2024-13167Same product: Ivanti Endpoint Manager
CVE-2025-9712Same product: Ivanti Endpoint Manager
CVE-2026-1603Same product: Ivanti Endpoint Manager
CVE-2024-13165Same product: Ivanti Endpoint Manager
CVE-2024-13158Same product: Ivanti Endpoint Manager

Affected Assets

ivanti
endpoint manager
2024 · ≤ 2024

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely patching of Ivanti Endpoint Manager to version 2024 SU4 SR1 as specified in the vendor advisory.

prevent

Ensures receipt and dissemination of security advisories like the Ivanti advisory for CVE-2025-13659 to enable prompt flaw remediation.

preventdetect

Verifies integrity of software, firmware, and information to detect unauthorized file writes and prevent execution of malicious code from exploited dynamic resources.

References