Ivanti Workspace Control Vulnerabilities Let Attackers Decrypt Stored SQL Credentials

Ivanti has issued urgent security updates for its Workspace Control platform after discovering three high-severity vulnerabilities that could allow attackers to decrypt stored SQL credentials.

The company released patches addressing these security flaws, which affect versions 10.19.0.0 and earlier of the enterprise device management solution.

The vulnerabilities, identified as CVE-2025-5353, CVE-2025-22463, and CVE-2025-22455, all stem from hardcoded encryption keys within the Ivanti Workspace Control software

These security weaknesses enable local authenticated attackers to decrypt sensitive stored credentials, including SQL database passwords and environment passwords.

CVE-2025-5353 and CVE-2025-22455 both carry the highest severity rating of 8.8 on the CVSS scale, allowing attackers to decrypt stored SQL credentials.

CVE-2025-22463, with a CVSS score of 7.3, specifically targets the stored environment password. All three vulnerabilities are classified under CWE-321, indicating the use of hard-coded cryptographic keys.

The attack vector requires local access and low-level privileges, but successful exploitation could lead to complete compromise of the confidentiality, integrity, and availability of affected systems.

Local authenticated attackers could potentially gain access to database credentials, escalating their privileges within enterprise networks.

Patches Released

Ivanti has released version 10.19.10.0 as the resolved version for customers running affected software. The company emphasizes that this update is part of Ivanti Workspace Control 2025.2, which features a completely redesigned product architecture that addresses these security vulnerabilities.

Organizations using the affected software must update their TLS certificates before installing the patch. The ShieldAPI certificate needs to be imported into the Trusted Root Certificate Authorities for the Local Machine where components are installed.

The security disclosure comes as Ivanti previously announced that Workspace Control will reach end-of-life on December 31, 2026. Organizations concerned about the product’s limited remaining lifespan have the option to migrate to Ivanti User Workspace Manager as an alternative solution.

For customers reluctant to upgrade to the new architecture due to the approaching end-of-life status, Ivanti provides migration guidance to alternative platforms within their product ecosystem.

Ivanti reports no evidence of active exploitation of these vulnerabilities in customer environments at the time of disclosure. The vulnerabilities were discovered through the company’s responsible disclosure program, allowing for coordinated patches before public announcement.

The company has not identified specific indicators of compromise, as no public exploitation has been observed to date. However, organizations are strongly encouraged to apply the available patches immediately to prevent potential future attacks.

Enterprise security teams should prioritize these updates given the high severity ratings and the potential for credential compromise in business-critical environments.

Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access