Ivanti Endpoint Manager CVE-2025-9712: Brief Summary of Remote Code Execution via Insufficient Filename Validation

Brief summary of CVE-2025-9712 affecting Ivanti Endpoint Manager. This post covers technical details, affected versions, patch information, and vendor security context. No proof of concept or detection methods are included.

ZeroPath CVE Analysis

2025-09-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Remote code execution vulnerabilities in enterprise management platforms can lead to full compromise of business-critical infrastructure. CVE-2025-9712 in Ivanti Endpoint Manager demonstrates how insufficient filename validation can expose organizations to significant risk, even when user interaction is required.

Ivanti is a major provider of IT management and security solutions, with a global customer base spanning enterprises, government agencies, and critical infrastructure sectors. Their Endpoint Manager product is widely deployed for endpoint configuration, software distribution, and device management. Security flaws in such platforms have broad implications for operational resilience and data protection.

Technical Information

CVE-2025-9712 is caused by insufficient filename validation in Ivanti Endpoint Manager. The flaw is categorized as CWE-434 (Unrestricted Upload of File with Dangerous Type). Attackers can exploit this issue by uploading files with crafted filenames that evade validation routines. This allows remote unauthenticated attackers to achieve remote code execution if a user subsequently interacts with the uploaded file through normal workflows or administrative interfaces.

The vulnerability affects file upload mechanisms present in versions prior to 2024 SU3 Security Update 1 and 2022 SU8 Security Update 2. The root cause is a lack of robust checks on user-supplied filenames, which may allow files with executable extensions or embedded scripts to be stored and later executed by the application. No public code snippets or direct exploit code are available at this time.
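The root cause described above is weak checking of a client-supplied filename. The following is an added example, not Ivanti's code and not a description of the actual flaw or its fix: a strict upload-name policy for a Windows host that validates the client name against an allowlist and then stores the file under a server-chosen name. The extension allowlist, the function names and the sample filenames are assumptions constructed for illustration.

```python
import os
import re
import unicodedata
import uuid

# Assumed policy: the only file types this hypothetical upload feature needs.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".png", ".pdf"}
RESERVED_STEMS = {"CON", "PRN", "AUX", "NUL"} | {  # Windows device names
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)}
# One stem, one dot, one extension: no second extension to reinterpret.
SAFE_SHAPE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_\- ]{0,99}\.[A-Za-z0-9]{1,8}")


def validate_upload_name(client_name: str) -> str:
    """Return the lowercased extension if the name passes, else raise ValueError."""
    name = unicodedata.normalize("NFKC", client_name)  # fold full-width forms
    # Separators, drive/stream colons and control characters are never legitimate.
    if any(c in "/\\:" or ord(c) < 32 for c in name):
        raise ValueError("path, stream or control character in filename")
    # Windows strips trailing dots and spaces, changing the effective extension.
    if name != name.strip(" ."):
        raise ValueError("leading or trailing dot or space")
    if not SAFE_SHAPE.fullmatch(name):
        raise ValueError("filename outside the allowed shape")
    stem, ext = os.path.splitext(name)
    if stem.upper() in RESERVED_STEMS:
        raise ValueError("reserved device name")
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not on the allowlist")
    return ext.lower()


def storage_name(client_name: str) -> str:
    """Server-chosen name on disk; the client string is validated, then discarded."""
    return uuid.uuid4().hex + validate_upload_name(client_name)


def is_accepted(client_name: str) -> bool:
    try:
        validate_upload_name(client_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample names, not taken from any advisory.
    for s in ["inventory.csv", "report.aspx.png", "report.png.", "NUL.txt"]:
        print(f"{s!r:20} accepted={is_accepted(s)}")
```

Filename checks are one layer only: the upload directory should also sit outside any path the web server will execute from, and content should be checked against the declared type.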

Exploitation grants attackers the ability to execute arbitrary code with the privileges of the application or service account, potentially resulting in full system compromise, lateral movement, and data exfiltration. The attack does not require authentication but does require user interaction, increasing the likelihood of targeted exploitation via social engineering or workflow manipulation.

Patch Information

Ivanti has addressed CVE-2025-9712 and the related CVE-2025-9872 by releasing the following security updates:

  • Ivanti Endpoint Manager 2022 SU8 Security Update 2
  • Ivanti Endpoint Manager 2024 SU3 Security Update 1

Organizations running versions prior to these updates are strongly advised to upgrade immediately. The patched versions are available through Ivanti's official software download portal. There have been no reported instances of exploitation in the wild as of the disclosure date, but prompt patching is recommended due to the severity of the issue.

Reference: https://securityonline.info/ivanti-patches-two-high-severity-rce-flaws-in-endpoint-manager/

Affected Systems and Versions

  • Ivanti Endpoint Manager versions prior to 2024 SU3 Security Update 1
  • Ivanti Endpoint Manager versions prior to 2022 SU8 Security Update 2

All configurations using affected versions are vulnerable. Both the 2022 and 2024 product branches must be updated to the specified security update levels to mitigate risk.

Vendor Security History

Ivanti has experienced multiple critical vulnerabilities across its product portfolio in 2025. Notably, CVE-2025-4427 and CVE-2025-4428 in Endpoint Manager Mobile were actively exploited in the wild, involving authentication bypass and remote code execution. Other issues, such as credential coercion vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161, CVE-2024-10811), have also been reported. Ivanti typically provides timely patches and advisories, but the recurring nature of severe flaws highlights ongoing challenges in secure software development and supply chain management.
