What is the CVSS score of CVE-2025-22461?

CVE-2025-22461 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 4.1%.

Which versions of Endpoint Manager are affected by CVE-2025-22461?

Organizations using Ivanti Endpoint Manager face moderate risk from CVE-2025-22461, a SQL injection vulnerability rated CVSS 7.2.

How to fix or mitigate CVE-2025-22461?

Within 7 days: Identify all affected systems running Ivanti Endpoint Manager and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Endpoint Manager CVE-2025-22461

HIGH

SQL Injection (CWE-89)

2025-04-08 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

RCE SQLi Ivanti Endpoint Manager

7.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:35 vuln.today

CVE Published

Apr 08, 2025 - 15:15 nvd

HIGH 7.2

DescriptionNVD

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.

AnalysisAI

SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution. Affected products include: Ivanti Endpoint Manager. Version information: version 2024.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.