Cyber Resilience

CVE-2025-9872

High

Published: 09 September 2025

Modified: 10 October 2025
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0258 (85.9th percentile)
Risk Priority: 19 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9872 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 14.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

Insufficient filename validation, tracked as CWE-434, affects Ivanti Endpoint Manager versions prior to 2024 SU3 SR1 and 2022 SU8 SR2. The flaw carries a CVSS 3.1 score of 8.8 with network attack vector, low complexity, no required privileges, and required user interaction, resulting in high impact to confidentiality, integrity, and availability.

A remote unauthenticated attacker can leverage the weakness to achieve remote code execution when the victim performs the necessary interaction, enabling full compromise of the affected endpoint management system.

The referenced Ivanti security advisory for September 2025 directs administrators to apply the listed service releases that correct the filename validation issue in both supported branches. The associated EPSS score remains at 0.0258 with no material increase observed since disclosure.

Vulnerability details

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via unrestricted file upload (CWE-434) in a remotely accessible management application matches exploitation of public-facing apps.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-9712 · Same product: Ivanti Endpoint Manager
CVE-2025-13659 · Same product: Ivanti Endpoint Manager
CVE-2024-13162 · Same product: Ivanti Endpoint Manager
CVE-2026-8111 · Same product: Ivanti Endpoint Manager
CVE-2025-9713 · Same product: Ivanti Endpoint Manager
CVE-2024-13171 · Same product: Ivanti Endpoint Manager
CVE-2024-13167 · Same product: Ivanti Endpoint Manager
CVE-2024-13158 · Same product: Ivanti Endpoint Manager
CVE-2024-13165 · Same product: Ivanti Endpoint Manager
CVE-2024-13166 · Same product: Ivanti Endpoint Manager

Affected Assets

ivanti
endpoint manager
2022, 2024 · ≤ 2022

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly mandates timely remediation of the specific filename validation flaw via patching Ivanti Endpoint Manager to fixed versions.

prevent: Requires validation of information inputs such as filenames to prevent exploitation of insufficient filename checks leading to RCE.

detect: Enables identification of this CVE through vulnerability scanning, facilitating prompt patching and risk mitigation.
