Introduction
Remote attackers can leverage a path traversal flaw in Ivanti Endpoint Manager to achieve remote code execution when user interaction occurs, potentially compromising the entire managed environment. This vulnerability, tracked as CVE-2025-9713 and rated 8.8 on the CVSS scale, targets a core enterprise management platform used across critical sectors including healthcare, finance, and government.
Ivanti Endpoint Manager is a leading unified endpoint management solution, enabling centralized control and automation for Windows, Mac, Linux, and mobile devices. Its widespread deployment makes any vulnerability in this platform especially impactful, as compromise can lead to broad organizational risk.
Technical Information
CVE-2025-9713 is a path traversal vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The flaw exists due to insufficient validation of user-supplied path input during file system operations in Ivanti Endpoint Manager. Attackers can exploit this by crafting HTTP requests containing directory traversal sequences such as ../ to escape intended directories and manipulate file operations.
Successful exploitation allows attackers to place or execute arbitrary files outside of authorized locations, leading to remote code execution. The attack requires user interaction, typically by convincing a user to visit a malicious page or open a crafted file. If attackers obtain administrative credentials, the user interaction requirement may be bypassed, increasing the risk profile.
No public code snippets or detailed proof of concept have been released for this vulnerability. The technical details are documented in vendor advisories and third-party research, confirming the mechanism as improper path validation leading to unauthorized file system access.
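For triage, web server logs can be searched for the traversal sequences described above, including percent-encoded and backslash forms. The following is an added example for defenders, not vendor code and not a proof of concept; the log lines, IP addresses and URL paths in it are constructed placeholders, not real Ivanti Endpoint Manager endpoints, and the W3C field layout is an assumption about the server's logging configuration.

```python
import re
from urllib.parse import unquote

# A ".." path segment delimited by / or \ (or the ends of the string).
TRAVERSAL = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
MAX_DECODE_ROUNDS = 3  # covers double and triple percent-encoding

def normalize(value: str) -> str:
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(uri: str) -> bool:
    """True if the path or any query parameter value contains a '..' segment."""
    decoded = normalize(uri)
    return any(TRAVERSAL.search(part) for part in re.split(r'[?&=;]', decoded))

def scan_w3c(lines):
    """Return (client_ip, method, uri, status) for each suspicious request."""
    fields, hits = [], []
    for line in lines:
        if line.startswith('#Fields:'):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if line.startswith('#') or not line.strip():
            continue
        row = dict(zip(fields, line.split()))
        query = row.get('cs-uri-query', '-')
        uri = row.get('cs-uri-stem', '') + ('' if query == '-' else '?' + query)
        if has_traversal(uri):
            hits.append((row.get('c-ip'), row.get('cs-method'), uri, row.get('sc-status')))
    return hits

# Constructed sample log; paths and addresses are placeholders.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-01-01 10:00:01 192.0.2.10 GET /example/status.aspx id=42 200
2025-01-01 10:00:05 198.51.100.7 POST /example/upload.aspx name=..%2f..%2fdrop.txt 200
2025-01-01 10:00:09 198.51.100.7 POST /example/upload.aspx name=%252e%252e%255cdrop.txt 500
2025-01-01 10:00:12 192.0.2.11 GET /example/report..v2.aspx - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan_w3c(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of exploitation; correlate it with the response status and with file creation events on the server.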
Affected Systems and Versions
- Ivanti Endpoint Manager versions prior to 2024 SU3
- Ivanti Endpoint Manager versions prior to 2022 SU8
Systems running these versions are vulnerable if the affected file handling functionality is exposed and user interaction occurs. Both internet-exposed and internally managed deployments should be evaluated for risk.
Vendor Security History
Ivanti has faced a series of critical vulnerabilities in its endpoint management and secure access products throughout 2024 and 2025. Notable incidents include:
- Multiple zero-day vulnerabilities disclosed by the Zero Day Initiative in October 2025
- Prior active exploitation of Ivanti Connect Secure and Policy Secure vulnerabilities by advanced threat actors
- Patch response timelines that have sometimes extended for months, drawing scrutiny from the security research community
The vendor maintains a monthly patch cycle but has encountered challenges in rapidly addressing complex vulnerabilities.