Ivanti Endpoint Manager CVE-2025-9872: Brief Summary of Critical RCE via Filename Validation Flaw

This post provides a brief summary of CVE-2025-9872, a high-severity remote code execution vulnerability in Ivanti Endpoint Manager due to insufficient filename validation. It covers affected versions, technical details, patch information, and vendor security history.
CVE Analysis

ZeroPath CVE Analysis

2025-09-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Remote code execution on an enterprise endpoint management server can give an attacker privileged control over every device that server manages. CVE-2025-9872 is a recent example: insufficient filename validation in Ivanti Endpoint Manager allows a remote, unauthenticated attacker to achieve code execution, provided a user can be induced to interact with the crafted file. Left unpatched, the flaw has wide-reaching impact.

Ivanti Endpoint Manager is a widely deployed platform for centralized device management, patching, and policy enforcement across enterprise environments. Its customer base spans multiple industries and includes organizations with large-scale IT infrastructure. Security flaws in such a product have direct implications for operational security and regulatory compliance.

Technical Information

CVE-2025-9872 is caused by insufficient filename validation in Ivanti Endpoint Manager and is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). An attacker submits a file whose name or extension is crafted to pass the application's checks while still being treated as executable content once stored or processed. If a legitimate user then interacts with that file (for example by uploading or opening it), the attacker achieves remote code execution on the server. Ivanti's advisory does not disclose which component performs the validation or which bypass technique is involved.

Key technical points:

  • The vulnerability allows remote unauthenticated attackers to execute arbitrary code
  • User interaction is required for successful exploitation
  • The flaw is present in file upload or processing functionality, where filename or file type validation is inadequate
  • No public code snippets or exploit samples are available
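Because no code for the affected component is public, the following Python is an added illustration of the CWE-434 pattern the advisory describes, written for this page and not taken from Ivanti. It contrasts a blocklist check on the raw last extension (the weak pattern) with an allowlist validator that rejects, rather than cleans, the classes of names a naive check commonly accepts: case variants, trailing dots and spaces that Windows strips on file creation, NUL truncation, NTFS alternate-data-stream syntax, double extensions, reserved device names, and path components inside the name. The sample filenames, the BLOCKED and ALLOWED sets, and the function names are constructed for the demonstration and are not Ivanti's.

```python
import re
import unicodedata
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Constructed sample upload names (not from the advisory) covering the
# bypass classes a naive filename check commonly misses.
SAMPLES: List[str] = [
    "report.pdf",                        # benign
    "archive.tar.gz",                    # benign, two allowed extensions
    "agent.ASPX",                        # case variation
    "shell.aspx.",                       # trailing dot: Windows creates "shell.aspx"
    "shell.aspx ",                       # trailing space: same effect
    "payload.aspx\x00.png",              # NUL truncation in a native layer
    "shell.aspx::$DATA",                 # NTFS alternate data stream syntax
    "webshell.aspx.png",                 # double extension, handler confusion
    "invoice.pdf.exe",                   # double extension, executable last
    "..\\..\\inetpub\\wwwroot\\x.aspx",  # path traversal via the name itself
]

# Hypothetical policy sets for the demonstration.
BLOCKED = {".aspx", ".asp", ".exe", ".dll", ".ps1", ".bat"}
ALLOWED = {".pdf", ".png", ".jpg", ".txt", ".csv", ".tar", ".gz"}
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def weak_is_allowed(name: str) -> bool:
    """Blocklist on the raw last extension: the CWE-434 anti-pattern."""
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return ext not in BLOCKED


def hardened_filename(name: str) -> Optional[str]:
    """Return the canonical filename if it is safe to store, else None.

    Allowlist semantics: anything not explicitly permitted is refused, and
    a suspicious name is rejected rather than "cleaned", so the server never
    stores something different from what it validated.
    """
    name = unicodedata.normalize("NFKC", name)
    # Control characters (including NUL) are never legitimate in a filename.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return None
    # Windows drops trailing dots and spaces on creation, so "shell.aspx."
    # ends up on disk as "shell.aspx".
    if name != name.rstrip(". "):
        return None
    # Any path component (either separator, or a drive prefix) is refused.
    if PureWindowsPath(name).name != name:
        return None
    # Colons are NTFS alternate-data-stream syntax ("x.png::$DATA").
    if ":" in name:
        return None
    # Windows device names are reserved regardless of extension (NUL.txt).
    if name.split(".", 1)[0].upper() in RESERVED:
        return None
    # Conservative character set, first character alphanumeric, length cap.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}", name):
        return None
    # Every extension must be allowlisted, compared lower-cased, so
    # "webshell.aspx.png" and "invoice.pdf.exe" are both refused.
    exts = {"." + p for p in name.lower().split(".")[1:]}
    if not exts or not exts <= ALLOWED:
        return None
    return name


def evaluate(names: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """Map each name to (weak check accepts it, hardened check accepts it)."""
    return {n: (weak_is_allowed(n), hardened_filename(n) is not None) for n in names}


if __name__ == "__main__":
    for n, (weak, hard) in evaluate(SAMPLES).items():
        print(f"{n!r:40} weak={'ACCEPT' if weak else 'reject'}"
              f"  hardened={'ACCEPT' if hard else 'reject'}")
```

Running the block prints one row per sample: the blocklist check accepts eight of the ten names, the allowlist validator accepts only the two benign ones. In a real upload handler the validated name should still not be used as the on-disk name; generate a server-side storage name with the validated extension and keep the upload directory outside any path the web server will execute.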

Patch Information

Ivanti has addressed CVE-2025-9872 (and the related CVE-2025-9712) by releasing the following updates:

  • Ivanti Endpoint Manager 2022 SU8 Security Update 2
  • Ivanti Endpoint Manager 2024 SU3 Security Update 1

These updates tighten filename validation so that crafted names no longer lead to code execution. Organizations running affected versions should apply them immediately.

Affected Systems and Versions

  • Ivanti Endpoint Manager versions prior to 2024 SU3 Security Update 1
  • Ivanti Endpoint Manager versions prior to 2022 SU8 Security Update 2

Any installation not updated to at least these versions is vulnerable. Both current and legacy branches are affected.

Vendor Security History

Ivanti has experienced several high-severity vulnerabilities in its product line, including:

  • Multiple RCE flaws in Endpoint Manager and Endpoint Manager Mobile
  • Credential theft vulnerabilities
  • In-the-wild exploitation of some of these flaws by advanced threat actors, including nation-state groups

Ivanti typically issues patches promptly and provides public advisories. However, the recurrence of similar issues indicates ongoing challenges in secure development and testing processes.
