Ivanti Fixes Hardcoded Key Flaws That Risk Exposure of SQL Credentials

Ivanti has issued security patches for three serious vulnerabilities in its Workspace Control (IWC) platform, all of which stem from hardcoded cryptographic keys that cannot be changed.

These flaws could allow attackers with local access to decrypt stored SQL credentials and environment passwords, potentially escalating privileges and compromising systems.

The vulnerabilities, identified as CVE-2025-5353, CVE-2025-22455, and CVE-2025-22463, affect IWC versions 10.19.0.0 and earlier. Fortunately, there have been no reports of active exploitation prior to disclosure, and the flaws were responsibly reported. IWC, which centralizes and customizes enterprise user workspaces, is set to reach end-of-life status in December 2026.

This follows other recent Ivanti patches, including fixes for critical bugs in Neurons for ITSM and EPMM, one of which was exploited by Chinese threat actors to infiltrate government systems. Another zero-day flaw in Ivanti’s Connect Secure was similarly abused for espionage in early 2025.
