Introduction
Remote code execution in an enterprise endpoint management system can enable attackers to gain privileged access to thousands of managed devices. CVE-2025-9872 is a recent example, allowing unauthenticated attackers to exploit filename validation flaws in Ivanti Endpoint Manager, with the potential for wide-reaching impact if left unpatched.
Ivanti Endpoint Manager is a widely deployed platform for centralized device management, patching, and policy enforcement across enterprise environments. Its customer base spans multiple industries and includes organizations with large-scale IT infrastructure. Security flaws in such a product have direct implications for operational security and regulatory compliance.
Technical Information
CVE-2025-9872 is caused by insufficient filename validation in Ivanti Endpoint Manager. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). Attackers can exploit this flaw by submitting files with crafted names or extensions that bypass the application's security controls. If a legitimate user interacts with the malicious file (such as uploading or opening it), the attacker can achieve remote code execution on the server.
Key technical points:
- The vulnerability allows remote unauthenticated attackers to execute arbitrary code
- User interaction is required for successful exploitation
- The flaw is present in file upload or processing functionality, where filename or file type validation is inadequate
- No public code snippets or exploit samples are available
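As an added, defender-side illustration (not Ivanti's code, and not a reconstruction of the actual flaw, whose details are not public): a filename validator of the kind that closes the gaps CWE-434 describes, constraining the whole name rather than just its tail and never storing a file under the client's chosen base name. The allow-list and the sample names in the docstrings are constructed for this example.

```python
import re
import unicodedata

# Constructed allow-list for this example only; a real deployment derives it
# from the file types the upload endpoint genuinely needs to accept.
ALLOWED_EXTENSIONS = frozenset({"txt", "csv", "pdf", "png", "jpg"})
# Printable ASCII only, must start alphanumeric, at most 100 characters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


def validate_upload_name(raw_name: str) -> str:
    """Return the client-supplied name if it passes every check, else raise.

    A check that reduces to `name.endswith(".jpg")` is the kind of
    insufficient validation CWE-434 describes; this function instead
    validates the normalised name as a whole.
    """
    name = unicodedata.normalize("NFKC", raw_name)
    # Drop any directory component the client sent, for either separator.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Control characters (NUL in particular) can make a lower layer truncate
    # the name, so the stored extension would differ from the checked one.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        raise ValueError("control character in filename")
    # Windows silently strips trailing dots and spaces on create, so the
    # name the filesystem keeps would differ from the name we validated.
    if name != name.rstrip(". "):
        raise ValueError("trailing dot or space in filename")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError("disallowed characters or excessive length")
    # Exactly one dot rules out "x.php.jpg"-style double extensions and any
    # "." / ".." component in one stroke; stricter than strictly necessary.
    if name.count(".") != 1:
        raise ValueError("filename must have exactly one extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} is not on the allow-list")
    return name


def storage_name(raw_name: str, token: str) -> str:
    """Name to store the file under: a server-generated token plus the
    validated extension. The client's base name never reaches the disk."""
    ext = validate_upload_name(raw_name).rsplit(".", 1)[1].lower()
    return f"{token}.{ext}"


def is_acceptable(raw_name: str) -> bool:
    """Convenience wrapper for callers that only need a verdict."""
    try:
        validate_upload_name(raw_name)
    except ValueError:
        return False
    return True
```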
Patch Information
Ivanti has addressed CVE-2025-9872 (and the related CVE-2025-9712) by releasing the following updates:
- Ivanti Endpoint Manager 2022 SU8 Security Update 2
- Ivanti Endpoint Manager 2024 SU3 Security Update 1
These updates strengthen filename validation and prevent unauthorized code execution. Organizations running affected versions should apply these updates immediately.
Affected Systems and Versions
- Ivanti Endpoint Manager versions prior to 2024 SU3 Security Update 1
- Ivanti Endpoint Manager versions prior to 2022 SU8 Security Update 2
Any installation not updated to at least these versions is vulnerable. Both current and legacy branches are affected.
Vendor Security History
Ivanti has experienced several high-severity vulnerabilities in its product line, including:
- Multiple RCE flaws in Endpoint Manager and Endpoint Manager Mobile
- Credential theft vulnerabilities
- Exploitation of some of these vulnerabilities by advanced threat actors, including nation-state groups
Ivanti typically issues patches promptly and provides public advisories. However, the recurrence of similar issues indicates ongoing challenges in secure development and testing processes.