Introduction
Remote code execution vulnerabilities in enterprise management platforms can lead to full compromise of business-critical infrastructure. CVE-2025-9712 in Ivanti Endpoint Manager demonstrates how insufficient filename validation can expose organizations to significant risk, even when user interaction is required.
Ivanti is a major provider of IT management and security solutions, with a global customer base spanning enterprises, government agencies, and critical infrastructure sectors. Their Endpoint Manager product is widely deployed for endpoint configuration, software distribution, and device management. Security flaws in such platforms have broad implications for operational resilience and data protection.
Technical Information
CVE-2025-9712 is caused by insufficient filename validation in Ivanti Endpoint Manager. The flaw is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type). Attackers can exploit this issue by uploading files with crafted filenames that evade validation routines. This allows remote unauthenticated attackers to achieve remote code execution if a user subsequently interacts with the uploaded file through normal workflows or administrative interfaces.
The vulnerability affects file upload mechanisms present in versions prior to 2024 SU3 Security Update 1 and 2022 SU8 Security Update 2. The root cause is a lack of robust checks on user-supplied filenames, which may allow files with executable extensions or embedded scripts to be stored and later executed by the application. No public code snippets or direct exploit code are available at this time.
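The page does not disclose Ivanti's validation routine or the patched logic, so the following is an added example of what a robust server-side filename check for CWE-434 generally looks like, not code from Ivanti or its updates. The allowlist, function names and sample filenames are assumptions constructed for illustration.

```python
import os
import re
import unicodedata
import uuid

# Assumed policy: only the extensions the upload feature actually needs.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".log", ".pdf", ".png"}
# Windows reserved device names, compared against the base name only.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])$", re.I)
# Base name may not contain dots, which also rejects double extensions.
SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]{0,99}$")


def validate_upload_name(client_name: str) -> str:
    """Return the validated lowercase extension, or raise ValueError."""
    name = unicodedata.normalize("NFKC", client_name)  # fold look-alike characters
    if any(ord(c) < 32 or c in '\\/:*?"<>|' for c in name):
        raise ValueError("path separator, stream marker or control character")
    if not name or name != name.strip(" ."):
        raise ValueError("empty name or leading/trailing dot or space")
    stem, ext = os.path.splitext(name)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not on allowlist")
    if not SAFE_STEM.match(stem) or RESERVED.match(stem):
        raise ValueError("unsafe or reserved base name")
    return ext.lower()


def storage_name(client_name: str) -> str:
    """Server-generated name on disk; only the checked extension is kept."""
    return uuid.uuid4().hex + validate_upload_name(client_name)


def verdict(name: str) -> str:
    try:
        validate_upload_name(name)
        return "accept"
    except ValueError as exc:
        return f"reject: {exc}"


# Constructed sample inputs, not taken from any advisory or exploit.
SAMPLES = ["report.pdf", "inventory.PDF", "report.pdf.aspx", "report.aspx.pdf",
           "notes.txt.", "..\\web\\x.txt", "data.csv:extra", "nul.txt"]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:20} {verdict(sample)}")
```

Name checks like this are one layer only: storing uploads outside any directory the application server will execute from, and validating content rather than trusting the extension, cover the cases a filename check cannot.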
Exploitation grants attackers the ability to execute arbitrary code with the privileges of the application or service account, potentially resulting in full system compromise, lateral movement, and data exfiltration. The attack does not require authentication but does require user interaction, increasing the likelihood of targeted exploitation via social engineering or workflow manipulation.
Patch Information
Ivanti has addressed CVE-2025-9712 and the related CVE-2025-9872 by releasing the following security updates:
- Ivanti Endpoint Manager 2022 SU8 Security Update 2
- Ivanti Endpoint Manager 2024 SU3 Security Update 1
Organizations running versions prior to these updates are strongly advised to upgrade immediately. The patched versions are available through Ivanti's official software download portal. There have been no reported instances of exploitation in the wild as of the disclosure date, but prompt patching is recommended due to the severity of the issue.
Reference: https://securityonline.info/ivanti-patches-two-high-severity-rce-flaws-in-endpoint-manager/
Affected Systems and Versions
- Ivanti Endpoint Manager versions prior to 2024 SU3 Security Update 1
- Ivanti Endpoint Manager versions prior to 2022 SU8 Security Update 2
All configurations using affected versions are vulnerable. Both the 2022 and 2024 product branches must be updated to the specified security update levels to mitigate risk.
Vendor Security History
Ivanti has experienced multiple critical vulnerabilities across its product portfolio in 2025. Notably, CVE-2025-4427 and CVE-2025-4428 in Endpoint Manager Mobile were actively exploited in the wild, involving authentication bypass and remote code execution. Other issues, such as credential coercion vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161, CVE-2024-10811), have also been reported. Ivanti typically provides timely patches and advisories, but the recurring nature of severe flaws highlights ongoing challenges in secure software development and supply chain management.