Cyber Resilience

CVE-2025-9712

High

Published: 09 September 2025

Published
09 September 2025
Modified
10 October 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0280 86.4th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9712 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

Insufficient filename validation affects Ivanti Endpoint Manager versions prior to 2024 SU3 SR1 and 2022 SU8 SR2. The flaw, tracked as CWE-434, permits remote code execution when an attacker supplies a crafted filename, as reflected in the CVSS 8.8 vector that requires network access and user interaction but no authentication.

A remote unauthenticated attacker can leverage the issue to execute arbitrary code on the target system once a user performs the required interaction, resulting in full compromise of confidentiality, integrity, and availability.

The referenced Ivanti security advisory for September 2025 directs customers to apply the fixed releases 2024 SU3 SR1 and 2022 SU8 SR2. The associated EPSS score has remained flat at 0.0280 with no material increase since disclosure.

EU & UK References

Vulnerability details

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

CWE-434 filename validation flaw directly enables RCE on a network-accessible management server (T1190); exploitation requires tricking a user into opening a malicious file (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-9872Same product: Ivanti Endpoint Manager
CVE-2024-13171Same product: Ivanti Endpoint Manager
CVE-2025-13659Same product: Ivanti Endpoint Manager
CVE-2024-13162Same product: Ivanti Endpoint Manager
CVE-2026-8111Same product: Ivanti Endpoint Manager
CVE-2025-9713Same product: Ivanti Endpoint Manager
CVE-2024-13172Same product: Ivanti Endpoint Manager
CVE-2024-13167Same product: Ivanti Endpoint Manager
CVE-2024-13158Same product: Ivanti Endpoint Manager
CVE-2024-13165Same product: Ivanti Endpoint Manager

Affected Assets

ivanti
endpoint manager
2022, 2024 · ≤ 2022

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely identification, reporting, and patching of the insufficient filename validation flaw in Ivanti Endpoint Manager directly remediates CVE-2025-9712 as specified in the vendor advisory.

prevent

Validates filenames from external remote unauthenticated sources to block malicious inputs that could trigger remote code execution.

prevent

Implements memory protections such as DEP and ASLR to mitigate arbitrary code execution resulting from insufficient filename validation.

References