Critical Privilege Escalation Vulnerabilities in Ivanti Endpoint Manager and Zoom Workplace VDI Client for Windows: Technical Analysis and Remediation Guide

  • Rescana
  • Nov 12, 2025
  • 5 min read
Executive Summary

This advisory report provides a comprehensive technical analysis of recent high-severity vulnerabilities patched by Ivanti and Zoom. The vulnerabilities affect Ivanti Endpoint Manager and the Zoom Workplace VDI Client for Windows, both of which are widely deployed in enterprise environments. The most critical issues allow authenticated local attackers to escalate privileges, write arbitrary files, and potentially compromise entire systems. While there is currently no evidence of exploitation in the wild or targeting by advanced persistent threat (APT) groups, the technical nature and potential impact of these vulnerabilities demand immediate attention and remediation. This report details the technical aspects, exploitation potential, threat actor activity, affected versions, and mitigation strategies, and provides authoritative references for further action.

Technical Information

The vulnerabilities addressed in this report are as follows: CVE-2025-10918 in Ivanti Endpoint Manager and CVE-2025-64740 in the Zoom Workplace VDI Client for Windows. Both vulnerabilities are classified as high-severity due to their potential to enable privilege escalation and system compromise.

CVE-2025-10918 in Ivanti Endpoint Manager arises from insecure default permissions (CWE-276) in the agent component. This flaw allows a local authenticated attacker to write arbitrary files to any location on the system disk. The attack vector is local, requiring only low privileges and no user interaction. The impact is significant: an attacker could overwrite critical system files, install persistent malware, or escalate privileges to gain full control over the affected endpoint. The vulnerability affects Ivanti Endpoint Manager 2024 SU3 SR1 and earlier. The issue is remediated in Ivanti Endpoint Manager 2024 SU4. Two additional vulnerabilities, CVE-2025-9713 and CVE-2025-11622, were previously disclosed in October 2025 and are also resolved in the latest patch.

CVE-2025-64740 in the Zoom Workplace VDI Client for Windows is due to improper verification of cryptographic signatures in the installer. This vulnerability allows a local attacker with low privileges to escalate to administrator by executing arbitrary code during the installation process. The attack requires local access and user interaction, such as running a malicious installer or replacing legitimate files with tampered versions. The impact includes unauthorized access to restricted files, execution of arbitrary code with elevated privileges, and potential compromise of system integrity. All versions of the Zoom Workplace VDI Client for Windows prior to 6.3.14, 6.4.12, and 6.5.10 are affected. The vulnerability is fixed in these and later versions.

Both vulnerabilities are mapped to relevant MITRE ATT&CK techniques. For Ivanti, the primary techniques are T1547 (Boot or Logon Autostart Execution), T1055 (Process Injection), and T1068 (Exploitation for Privilege Escalation). For Zoom, the techniques are T1068 (Exploitation for Privilege Escalation) and T1078 (Valid Accounts). These mappings highlight the potential for attackers to use these vulnerabilities as part of broader post-exploitation or lateral movement campaigns.

Exploitation in the Wild

As of the latest public advisories and open-source intelligence, there is no evidence that these vulnerabilities have been exploited in the wild. Ivanti has stated that it is not aware of any active exploitation or public proof-of-concept (PoC) code for CVE-2025-10918. The vulnerability was responsibly disclosed by security researcher Enrique Fernández Lorenzo (aka bighound). Similarly, Zoom and its security partners, including Mandiant (Google), have not observed exploitation of CVE-2025-64740 in the wild, and no public PoC exploit has been reported.

The absence of exploitation does not diminish the urgency of remediation. Both vulnerabilities are local privilege escalation issues, which are highly attractive to threat actors seeking to move laterally within compromised environments or to establish persistence. The technical simplicity of exploitation, especially in environments where endpoint security controls are weak or where users have unnecessary local privileges, increases the risk profile.

APT Groups Using These Vulnerabilities

No specific APT group attribution or targeted campaigns have been reported for these vulnerabilities as of this advisory. Open-source threat intelligence and MITRE ATT&CK mappings do not indicate that any known APT groups are actively exploiting CVE-2025-10918 or CVE-2025-64740. Furthermore, there is no evidence of sector-specific or country-specific targeting related to these vulnerabilities. However, the techniques enabled by these vulnerabilities—such as privilege escalation and arbitrary file writes—are commonly leveraged by a wide range of threat actors, including APTs, once initial access is obtained through other means.

Given the criticality of the affected products in enterprise environments, it is plausible that sophisticated threat actors could incorporate these vulnerabilities into their toolkits in the future, especially if public exploit code becomes available. Organizations should remain vigilant and monitor for any signs of exploitation or related TTPs in their environments.

Affected Product Versions

The affected product versions are as follows: Ivanti Endpoint Manager 2024 SU3 SR1 and earlier are vulnerable to CVE-2025-10918. Customers running the 2022 branch of Ivanti Endpoint Manager are also at risk, but this branch is end-of-life and will not receive further patches. For Zoom, all versions of the Zoom Workplace VDI Client for Windows prior to 6.3.14, 6.4.12, and 6.5.10 are affected by CVE-2025-64740. Only the specified patched versions and later are considered secure.

It is critical for organizations to inventory their deployments of Ivanti Endpoint Manager and the Zoom Workplace VDI Client for Windows to ensure that no vulnerable versions remain in production. Legacy or unsupported versions should be decommissioned or upgraded as a matter of priority.
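The inventory step above, as an added example that is not from Rescana, Ivanti or Zoom: a Python triage script that classifies reported Ivanti Endpoint Manager and Zoom Workplace VDI Client for Windows version strings against the fixed versions named in this advisory and flags every row that is not patched. Hostnames and inventory rows are constructed; treating Zoom branches newer than 6.5 as patched is an assumption drawn from "these and later versions".

```python
import re

# Fixed Zoom Workplace VDI Client for Windows builds per branch (from the advisory).
ZOOM_VDI_FIXED = {(6, 3): (6, 3, 14), (6, 4): (6, 4, 12), (6, 5): (6, 5, 10)}
OLDEST_FIX = min(ZOOM_VDI_FIXED.values())  # 6.3.14: every older build is affected
IVANTI_EPM_FIXED_SU = 4  # Ivanti Endpoint Manager 2024 SU4 remediates CVE-2025-10918

def zoom_vdi_status(version: str) -> str:
    """Classify a Zoom VDI client version string such as '6.4.11'."""
    v = tuple(int(p) for p in version.strip().split("."))
    if v < OLDEST_FIX:
        return "vulnerable"  # older than every patched branch (e.g. 6.2.x)
    fixed = ZOOM_VDI_FIXED.get(v[:2])
    if fixed is None:
        return "patched"  # branch newer than 6.5: assumed to carry the fix
    return "vulnerable" if v < fixed else "patched"

def ivanti_epm_status(version: str) -> str:
    """Classify an EPM version string such as '2024 SU3 SR1' or '2022 SU6'."""
    m = re.fullmatch(r"(\d{4})(?:\s+SU(\d+))?(?:\s+SR(\d+))?", version.strip())
    if not m:
        return "unknown"  # unparseable string: route to manual review
    year, su = int(m.group(1)), int(m.group(2) or 0)
    if year < 2024:
        return "vulnerable (end-of-life branch)"  # 2022 branch gets no patch
    if year == 2024 and su < IVANTI_EPM_FIXED_SU:
        return "vulnerable"
    return "patched"

CHECKS = {"Ivanti Endpoint Manager": ivanti_epm_status, "Zoom Workplace VDI Client for Windows": zoom_vdi_status}

def triage(inventory):
    """Return (host, product, version, status) for every row that is not patched."""
    findings = []
    for row in inventory:
        check = CHECKS.get(row["product"])
        if check is None:
            continue  # product not covered by this advisory
        status = check(row["version"])
        if status != "patched":
            findings.append((row["host"], row["product"], row["version"], status))
    return findings

SAMPLE_INVENTORY = [  # constructed sample rows with hypothetical hostnames
    {"host": "epm-core-01", "product": "Ivanti Endpoint Manager", "version": "2024 SU3 SR1"},
    {"host": "epm-legacy", "product": "Ivanti Endpoint Manager", "version": "2022 SU6"},
    {"host": "vdi-ws-101", "product": "Zoom Workplace VDI Client for Windows", "version": "6.4.11"},
    {"host": "vdi-ws-102", "product": "Zoom Workplace VDI Client for Windows", "version": "6.5.10"},
]
```

Feed it the export from your asset or EDR inventory in the same row shape; rows reported as "unknown" need a human look rather than being silently treated as safe.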

Workaround and Mitigation

The primary mitigation for CVE-2025-10918 is to upgrade to Ivanti Endpoint Manager 2024 SU4. Customers using the 2022 branch must migrate to a supported version, as no patches will be issued for end-of-life products. There are no effective workarounds for this vulnerability; only a full upgrade will remediate the risk. Organizations should also review endpoint security policies to restrict unnecessary local privileges and monitor for unusual file write activity.

For CVE-2025-64740, organizations must update the Zoom Workplace VDI Client for Windows to version 6.3.14, 6.4.12, 6.5.10, or later. Updates should be obtained directly from the official Zoom download center to ensure authenticity. As with the Ivanti vulnerability, there are no reliable workarounds; prompt patching is the only effective mitigation. Administrators should also review software installation policies and restrict the ability of non-administrative users to install or modify system software.

In addition to patching, organizations should maintain robust endpoint detection and response (EDR) capabilities, monitor for indicators of privilege escalation, and enforce the principle of least privilege across all endpoints. Regular vulnerability scanning and configuration management are essential to ensure that all systems remain up to date and compliant with security best practices.

References

For further technical details and authoritative advisories, consult the following resources: the Ivanti Security Advisory, GBHackers on Security: Ivanti Endpoint Manager Vulnerabilities, CWE-276: Improper Default Permissions, Zoom Security Bulletin, GBHackers on Security: Zoom Workplace for Windows Flaw, and Mandiant (Google). For threat modeling and TTP mapping, refer to MITRE ATT&CK.

Rescana is here for you

At Rescana, we understand the critical importance of timely vulnerability management and third-party risk reduction. Our advanced TPRM platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. While this report focuses on recent vulnerabilities in Ivanti and Zoom, our platform provides comprehensive visibility and actionable intelligence to help you stay ahead of emerging threats. If you have any questions about this advisory or require assistance with your cybersecurity program, we are happy to help at ops@rescana.com.