CVE-2025-9712
Published: 09 September 2025
Summary
CVE-2025-9712 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 15.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely identification, reporting, and patching of the insufficient filename validation flaw in Ivanti Endpoint Manager directly remediates CVE-2025-9712 as specified in the vendor advisory.
Validates filenames from external remote unauthenticated sources to block malicious inputs that could trigger remote code execution.
Implements memory protections such as DEP and ASLR to mitigate arbitrary code execution resulting from insufficient filename validation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CWE-434 filename validation flaw directly enables RCE on a network-accessible management server (T1190); exploitation requires tricking a user into opening a malicious file (T1204.002).
NVD Description
Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
Deeper analysis
CVE-2025-9712 is an insufficient filename validation vulnerability (CWE-434) affecting Ivanti Endpoint Manager versions prior to 2024 SU3 SR1 and 2022 SU8 SR2. This flaw resides in the filename handling mechanism, enabling remote code execution when exploited. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility, low complexity, and potential for complete system compromise.
A remote unauthenticated attacker can exploit this vulnerability by tricking an authenticated user into performing an action that triggers the faulty filename validation, such as opening a malicious file. Successful exploitation leads to arbitrary remote code execution on the targeted Endpoint Manager server, granting the attacker high levels of confidentiality, integrity, and availability impact. User interaction is required, limiting fully automated attacks but making social engineering a viable vector.
Ivanti's September 2025 security advisory details mitigation steps, including upgrading to Ivanti Endpoint Manager 2024 SU3 SR1 or 2022 SU8 SR2, where the vulnerability is addressed. Security practitioners should review the advisory at https://forums.ivanti.com/s/article/Security-Advisory-September-2025-for-Ivanti-EPM-2024-SU3-and-EPM-2022-SU8 for full patch instructions and workarounds.
Details
- CWE(s)