Ivanti Workspace Control Exposes SQL Credentials Through Hardcoded Key Flaws

Ivanti patched three high-severity vulnerabilities in Workspace Control caused by hardcoded cryptographic keys, which exposed SQL and environment credentials to local authenticated attackers.

    Hardcoded Cryptographic Key Flaws in Ivanti Workspace Control Put Credentials at Risk

    Ivanti has released updates addressing three security vulnerabilities in its Workspace Control (IWC) product, each stemming from the use of hardcoded, non-configurable cryptographic keys. The flaws are considered high-severity and expose stored SQL and environment credentials to potential compromise if exploited by a local authenticated user.

    Workspace Control is designed for enterprise environments, allowing IT teams to manage and secure user desktops and application access. It acts as a layer between the user and the operating system, dynamically configuring desktops and enforcing access controls based on roles and policies.

    Details of the Vulnerabilities and Their Impact

    The root issue behind all three CVEs is the same: the encryption keys are hardcoded into the product and cannot be rotated or replaced by administrators. Because every installation shares the same fixed keys, anyone who recovers them can decrypt the sensitive credentials the system stores.

    • CVE-2025-5353 and CVE-2025-22455 allow local authenticated users to decrypt SQL credentials stored on systems running IWC version 10.19.0.0 and earlier.
    • CVE-2025-22463 allows similar access to decrypt the environment password, again requiring local authentication.

    If the targeted account has elevated privileges, exploitation could lead to broader system compromise or privilege escalation.
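    The weakness described above is the generic hardcoded-key pattern, shown here as an added example written for this article (it is not Ivanti's code, and the key material, credential string and function names are constructed placeholders). The weak storage routine protects a credential with a key compiled into the program, so an audit check that uses nothing but that shipped key reads the credential back. The hardened routine uses a random per-installation key that, in a real deployment, would be held in OS-protected storage such as DPAPI or a vault (an assumption about where it would live, not something the article states); against that blob the same check fails, and AES-GCM's tag verification reports the wrong key as an error rather than returning garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// hardcodedKey models a key compiled into every shipped copy of a product.
// Constructed placeholder bytes; not a key from any real product.
var hardcodedKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256

// seal encrypts plaintext with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check fails (returns an error) under the wrong key.
func open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// StoreWeak is the flawed pattern: the stored credential is protected only by a
// key that ships inside the product, so possession of the binary is possession of the key.
func StoreWeak(credential string) ([]byte, error) {
	return seal(hardcodedKey, []byte(credential))
}

// NewInstallKey is the hardened pattern's key source: a random key generated at
// install time and kept in OS-protected storage, never in code (assumed design).
func NewInstallKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// StoreHardened encrypts the credential under the per-installation key.
func StoreHardened(installKey []byte, credential string) ([]byte, error) {
	return seal(installKey, []byte(credential))
}

// Load decrypts a stored blob with whatever key the caller legitimately holds.
func Load(key, blob []byte) (string, error) {
	pt, err := open(key, blob)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// RecoverableWithShippedKey is the audit check: can a stored blob be read using
// nothing but the key found in the shipped binary? A true result is a finding.
func RecoverableWithShippedKey(blob []byte) (string, bool) {
	pt, err := open(hardcodedKey, blob)
	if err != nil {
		return "", false
	}
	return string(pt), true
}

func main() {
	const cred = "sa:ConstructedSqlPassword" // constructed sample, not a real credential
	weak, _ := StoreWeak(cred)
	s, ok := RecoverableWithShippedKey(weak)
	fmt.Println("weak blob readable with shipped key:", ok, s)
	ik, _ := NewInstallKey()
	hard, _ := StoreHardened(ik, cred)
	_, ok = RecoverableWithShippedKey(hard)
	fmt.Println("hardened blob readable with shipped key:", ok)
	got, err := Load(ik, hard)
	fmt.Println("hardened blob with install key:", got, err)
}
```

    The point of the audit function is that it needs no secret beyond what every copy of the product already contains; if it succeeds against production blobs, the key is effectively public and the fix is a key that differs per installation and is held outside the code.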

    “Ivanti has released updates for Ivanti Workspace Control which address three high severity vulnerabilities. Successful exploitation could lead to credential compromise,” the company confirmed in its security advisory.

    Product                        | Affected Versions     | Resolved Versions | Patch
    Ivanti Workspace Control (IWC) | 10.19.0.0 and earlier | 10.19.10.0        | Download Link

    No Signs of Exploitation So Far

    According to Ivanti, there is no evidence that these vulnerabilities have been actively exploited in the wild before public disclosure.

    “We are not aware of any customers being exploited by these vulnerabilities prior to public disclosure. These vulnerabilities were disclosed through our responsible disclosure program,” Ivanti stated.

    Background: Recent Ivanti Vulnerabilities and End-of-Life Notice

    Ivanti Workspace Control is scheduled for end-of-life in December 2026, after which no patches or technical support will be provided. This aligns with the company’s broader transition toward newer product lines.

    This is not the first time Ivanti has had to address high-risk security issues in recent months:

    • In May 2025, Ivanti fixed a critical authentication bypass in its Neurons for ITSM solution.
    • The same month, it patched two zero-days in Endpoint Manager Mobile (EPMM) that were actively exploited in remote code execution (RCE) attacks.
    • In April 2025, a Connect Secure zero-day (CVE-2025-4428) was patched after it was used by China-linked espionage group UNC5221 in malware deployment campaigns targeting government and enterprise networks.

    These recent incidents reinforce the importance of timely patching, especially when dealing with products like Workspace Control that manage sensitive access credentials in enterprise environments.
