EUVD-2025-17688

CVE-2025-22463 | HIGH | CVSS 3.1: 7.3
2025-06-10 3c1d8aa1-5a33-4ea4-8992-aadd6440af75

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 19:49 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 19:49 (euvd), EUVD-2025-17688
CVE Published: Jun 10, 2025 - 15:15 (nvd), HIGH 7.3

Description

A hardcoded key in Ivanti Workspace Control before version 10.19.10.0 allows a local authenticated attacker to decrypt the stored environment password.

Analysis

Ivanti Workspace Control versions before 10.19.10.0 contain a cryptographic weakness: a hardcoded encryption key is embedded in the application, allowing authenticated local attackers to decrypt stored environment passwords. This vulnerability enables privilege escalation and lateral movement within affected environments. The CVSS 7.3 score reflects high confidentiality and integrity impact, though exploitation requires local access and user authentication. KEV listing and active exploitation are not confirmed in available intelligence.

Technical Context

The vulnerability stems from CWE-321 (Use of Hard-Coded Cryptographic Key), a fundamental cryptographic implementation flaw where sensitive data encryption relies on a static, non-unique key embedded in application binaries or configuration files. Ivanti Workspace Control (CPE likely: cpe:2.3:a:ivanti:workspace_control:*:*:*:*:*:*:*:*) uses this hardcoded key to encrypt environment passwords stored on disk. Since the key is constant across all installations and discoverable through reverse engineering, binary analysis, or disclosed intelligence, any authenticated local user can extract stored password ciphertexts and decrypt them using the known key. This violates cryptographic best practices (per OWASP and NIST guidelines) which mandate per-instance or per-user derived keys. The root cause indicates inadequate secrets management architecture, likely lacking key derivation functions (KDF) or secure key storage mechanisms (e.g., Windows DPAPI, HSM integration).

Affected Products

Ivanti Workspace Control versions prior to 10.19.10.0 are affected. Specific CPE: cpe:2.3:a:ivanti:workspace_control:*:*:*:*:*:*:*:* (all versions < 10.19.10.0). Ivanti Workspace Control is commonly deployed in enterprise Windows environments for application virtualization and workspace management; typical affected customers include large enterprises, government agencies, and healthcare organizations using Ivanti for application streaming and desktop control. The vulnerability requires local system access and authenticated user credentials, so risk is highest in environments with high user turnover, shared workstations, or elevated remote access policies. No specific configuration or sub-product variants are mentioned, suggesting all standard installations of vulnerable versions are affected.

Remediation

1. IMMEDIATE: Upgrade Ivanti Workspace Control to version 10.19.10.0 or later (confirmed patched version from description).
2. VERIFICATION: Consult official Ivanti Security Advisory (referenced vendor advisory should be retrieved from Ivanti security bulletins at ivanti.com/security); confirm patch deployment across all affected installations.
3. POST-PATCH: Audit and rotate all environment passwords previously encrypted with the hardcoded key, as historical ciphertexts may be compromised.
4. DETECTION: Implement monitoring for suspicious local credential access patterns or mass decryption attempts in audit logs.
5. WORKAROUND (temporary, until patching): Restrict local access to Workspace Control configuration and cache directories via file system permissions; disable local user accounts with unnecessary privileges; monitor for unauthorized access to encrypted credential stores.
6. MITIGATION: Implement application whitelisting and privilege monitoring tools to restrict unauthorized credential extraction; use EDR solutions to detect anomalous local process credential access.
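
A triage sketch for the upgrade, verification and rotation steps above, added here as an example and not taken from Ivanti or vuln.today: it compares inventoried Workspace Control versions numerically against 10.19.10.0, since a plain string comparison ranks 10.9.x above 10.19.x and would hide vulnerable hosts. The CSV columns, host names and status labels are assumptions, and the sample inventory is constructed.

```python
import csv
import io
import re

# First fixed release according to the advisory text on this page.
FIXED_VERSION = (10, 19, 10, 0)

# Constructed sample inventory export (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,version
ws-001,10.19.10.0
ws-002,10.9.30.0
ws-003,10.19.0.0
ws-004,10.19.10
ws-005,unknown
ws-006,10.20.0.1
"""

_VERSION_RE = re.compile(r"\d{1,6}(?:\.\d{1,6}){0,3}", re.ASCII)


def parse_version(text):
    """Return a 4-tuple of ints, zero-padded, or None if the string is not a dotted version."""
    text = text.strip()
    if not _VERSION_RE.fullmatch(text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def triage(inventory_csv):
    """Map each host to a status label based on its installed version."""
    statuses = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        if version is None:
            statuses[row["host"]] = "manual-review"        # cannot prove it is patched
        elif version < FIXED_VERSION:                       # numeric, component-wise
            statuses[row["host"]] = "upgrade-then-rotate"
        else:
            # Patched now, but passwords stored before the upgrade still need rotation.
            statuses[row["host"]] = "patched-verify-rotation"
    return statuses


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts that end up in `manual-review` should be treated as vulnerable until their version is confirmed.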

Priority Score

37
KEV: 0
EPSS: +0.2
CVSS: +36
POC: 0
