Ivanti Endpoint Manager CVE-2025-9713 Path Traversal RCE – Brief Summary and Technical Details

This post provides a brief summary of CVE-2025-9713, a high-severity path traversal vulnerability in Ivanti Endpoint Manager that may allow remote code execution. It includes technical details, affected versions, and references for further research.

ZeroPath CVE Analysis

2025-10-13

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Remote attackers can leverage a path traversal flaw in Ivanti Endpoint Manager to achieve remote code execution, potentially compromising the entire managed environment; exploitation requires user interaction. This vulnerability, tracked as CVE-2025-9713 and rated 8.8 on the CVSS scale, targets a core enterprise management platform used across critical sectors including healthcare, finance, and government.

Ivanti Endpoint Manager is a leading unified endpoint management solution, enabling centralized control and automation for Windows, Mac, Linux, and mobile devices. Its widespread deployment makes any vulnerability in this platform especially impactful, as compromise can lead to broad organizational risk.

Technical Information

CVE-2025-9713 is a path traversal vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The flaw exists due to insufficient validation of user-supplied path input during file system operations in Ivanti Endpoint Manager. Attackers can exploit this by crafting HTTP requests containing directory traversal sequences such as ../ to escape intended directories and manipulate file operations.

Successful exploitation allows attackers to place or execute arbitrary files outside of authorized locations, leading to remote code execution. The attack requires user interaction, typically by convincing a user to visit a malicious page or open a crafted file. If attackers obtain administrative credentials, the user interaction requirement may be bypassed, increasing the risk profile.

No public code snippets or detailed proof of concept have been released for this vulnerability. The technical details are documented in vendor advisories and third-party research, confirming the mechanism as improper path validation leading to unauthorized file system access.
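
For defenders reviewing web server logs, requests carrying the traversal sequences described above can be flagged once encoding is normalized. The following Python is an added example, not code from Ivanti or from this post's sources; the log layout, the /example/ paths and the function names are constructed for illustration and do not correspond to real Ivanti endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified "method uri status" layout.
# The /example/... paths are placeholders, not Ivanti endpoints.
SAMPLE_LOG = """\
GET /example/files?name=report.pdf 200
POST /example/files?name=../../outside/file.txt 200
POST /example/files?name=..%2f..%2fconfig 500
POST /example/files?name=%252e%252e%255cdata 404
GET /example/v1..2/notes.txt 200
"""

MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap nested percent-encoding


def normalize(uri):
    """Percent-decode repeatedly and treat backslashes as path separators."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/")


def has_traversal(uri):
    """True when a path segment or parameter value is exactly '..'."""
    parts = re.split(r"[/?&=;]", normalize(uri))
    return ".." in parts


def flag_requests(log_text):
    """Return (line_number, uri) for each request that needs triage."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) >= 2 and has_traversal(fields[1]):
            hits.append((lineno, fields[1]))
    return hits


if __name__ == "__main__":
    for lineno, uri in flag_requests(SAMPLE_LOG):
        print(f"line {lineno}: {uri}")
```

Matching on whole segments keeps names such as v1..2 from being flagged, while the repeated decoding catches sequences that only appear after one or two rounds of percent-decoding.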

Affected Systems and Versions

  • Ivanti Endpoint Manager versions prior to 2024 SU3
  • Ivanti Endpoint Manager versions prior to 2022 SU8

Systems running these versions are vulnerable if the affected file handling functionality is exposed and user interaction occurs. Both internet-exposed and internally managed deployments should be evaluated for risk.

Vendor Security History

Ivanti has faced a series of critical vulnerabilities in its endpoint management and secure access products throughout 2024 and 2025. Notable incidents include:

  • Multiple zero-day vulnerabilities disclosed by the Zero Day Initiative in October 2025
  • Prior active exploitation of Ivanti Connect Secure and Policy Secure vulnerabilities by advanced threat actors
  • Patch response timelines that have sometimes extended for months, drawing scrutiny from the security research community

The vendor maintains a monthly patch cycle but has encountered challenges in rapidly addressing complex vulnerabilities.

References
