CVE Vulnerabilities

CVE-2025-22464

Untrusted Pointer Dereference

Published: Apr 08, 2025 | Modified: May 16, 2025
CVSS 3.x
6.1
MEDIUM
Source:
NVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

An untrusted pointer dereference vulnerability in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an attacker with local access to write arbitrary data into memory causing a denial-of-service condition.

Weakness

The product obtains a value from an untrusted source, converts this value to a pointer, and dereferences the resulting pointer.

Affected Software

Name Vendor Start Version End Version
Endpoint_manager Ivanti * 2022 (excluding)
Endpoint_manager Ivanti 2022 (including) 2022 (including)
Endpoint_manager Ivanti 2022-su1 (including) 2022-su1 (including)
Endpoint_manager Ivanti 2022-su2 (including) 2022-su2 (including)
Endpoint_manager Ivanti 2022-su3 (including) 2022-su3 (including)
Endpoint_manager Ivanti 2022-su4 (including) 2022-su4 (including)
Endpoint_manager Ivanti 2022-su5 (including) 2022-su5 (including)
Endpoint_manager Ivanti 2022-su6 (including) 2022-su6 (including)
Endpoint_manager Ivanti 2024 (including) 2024 (including)

Extended Description

An attacker can supply a pointer for memory locations that the product is not expecting. If the pointer is dereferenced for a write operation, the attack might allow modification of critical state variables, cause a crash, or execute code. If the dereferencing operation is for a read, then the attack might allow reading of sensitive data, cause a crash, or set a variable to an unexpected value (since the value will be read from an unexpected memory location). There are several variants of this weakness, including but not necessarily limited to:

References