Cyber Posture

CVE-2025-9872

High

Published: 09 September 2025

Modified: 10 October 2025
KEV Added: not listed
Patch: available (see vendor advisory below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0207 (84.1 percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-9872 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Ivanti Endpoint Manager. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.9% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Directly mandates timely remediation of the specific filename validation flaw by patching Ivanti Endpoint Manager to fixed versions.

prevent (SI-10, Information Input Validation): Requires validation of information inputs such as filenames, to prevent exploitation of insufficient filename checks leading to RCE.

detect (RA-5, Vulnerability Monitoring and Scanning): Enables identification of this CVE through vulnerability scanning, facilitating prompt patching and risk mitigation.
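The SI-10 control above asks for validation of the filename an upload endpoint receives. The following is an added illustration of what that validation looks like in practice; it is not Ivanti's code and says nothing about how Endpoint Manager handles uploads. It assumes a hypothetical service that stores uploads under one directory, needs only a small set of document and image types, and never needs a client-supplied path. The allowlist, the executable-extension list and the sample filenames are constructed for the example.

```python
"""Defensive filename validation for an upload endpoint (added example).

Assumptions (not from the advisory): the service stores uploads under a
single directory, only needs a small set of document/image types, and
never needs a client-supplied path, only a basename.
"""
import os
import re
import unicodedata

# Constructed allowlist: what this hypothetical service needs to accept.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv"})
# Constructed list of extensions a web server, shell or scheduler may execute.
# Used as a second line of defence for intermediate extensions such as
# "shell.aspx.png"; the final extension is judged by the allowlist alone.
EXECUTABLE_EXTENSIONS = frozenset({
    "exe", "dll", "msi", "scr", "hta", "bat", "cmd", "ps1", "vbs", "js",
    "jar", "sh", "py", "php", "jsp", "asp", "aspx", "ashx", "cgi",
})
# Windows device names: "CON.txt" still refers to the console device.
WINDOWS_RESERVED = frozenset(
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
MAX_NAME_LEN = 100
# Leading character must be alphanumeric, so ".htaccess" and ".." never pass.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


class UnsafeFilename(ValueError):
    """Raised with a short reason when a client-supplied filename is rejected."""


def validate_filename(raw: str) -> str:
    """Return the (NFKC-normalised) filename if it passes every check, else raise.

    Cheapest and most dangerous cases (NUL bytes, path separators) are
    rejected before any parsing of the extension chain.
    """
    if not isinstance(raw, str) or not raw:
        raise UnsafeFilename("empty filename")
    if "\x00" in raw:
        raise UnsafeFilename("NUL byte in filename")
    name = unicodedata.normalize("NFKC", raw)
    if "/" in name or "\\" in name:
        raise UnsafeFilename("path separator in filename")
    if len(name) > MAX_NAME_LEN:
        raise UnsafeFilename("filename too long")
    if not SAFE_NAME.fullmatch(name):
        raise UnsafeFilename("character outside the allowed set")
    stem, *exts = name.split(".")
    if not exts:
        raise UnsafeFilename("no extension")
    if stem.upper() in WINDOWS_RESERVED:
        raise UnsafeFilename("reserved device name")
    *inner, last = (e.lower() for e in exts)
    # A trailing dot yields an empty last extension and is rejected here.
    if last not in ALLOWED_EXTENSIONS:
        raise UnsafeFilename(f"extension .{last or '<empty>'} not allowed")
    for e in inner:
        if e in EXECUTABLE_EXTENSIONS:
            raise UnsafeFilename(f"executable intermediate extension .{e}")
    return name


def safe_destination(upload_dir: str, raw: str) -> str:
    """Validate the name and return an absolute path inside upload_dir.

    Belt-and-braces: validate_filename already rejects separators, but a
    later change to it must not be able to turn this into a write outside
    the upload directory, so containment is checked on the resolved path.
    """
    name = validate_filename(raw)
    base = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(dest) != base:
        raise UnsafeFilename("destination escapes upload directory")
    return dest


def triage(names):
    """Map each sample name to 'accepted' or 'rejected: <reason>'."""
    out = {}
    for n in names:
        try:
            validate_filename(n)
            out[n] = "accepted"
        except UnsafeFilename as exc:
            out[n] = f"rejected: {exc}"
    return out


# Constructed sample submissions covering the common bypass shapes.
SAMPLES = [
    "report.pdf",
    "photo.JPG",
    "report.final.pdf",
    "../../webroot/shell.aspx",   # traversal via separators
    "shell.aspx",                 # executable type, not allowlisted
    "shell.aspx.png",             # executable hidden before an allowed extension
    "notes.pdf\x00.aspx",         # NUL truncation trick
    "data.pdf.",                  # trailing dot stripped by Windows
    "CON.txt",                    # reserved device name
    ".htaccess",                  # hidden/config file
]

if __name__ == "__main__":
    for n, verdict in triage(SAMPLES).items():
        print(f"{n!r:40} {verdict}")
```

The design choice worth noting is that the allowlist decides the final extension while the executable list only polices the intermediate ones: an allowlist is the control SI-10 actually asks for, and a denylist alone is always one new handler mapping away from being incomplete. Pair this with a server-side content-type check and with storing uploads outside any directory a web server or agent will execute from.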

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via unrestricted file upload (CWE-434) in a remotely accessible management application matches exploitation of public-facing apps.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Deeper analysis

CVE-2025-9872 involves insufficient filename validation in Ivanti Endpoint Manager versions before 2024 SU3 SR1 and 2022 SU8 SR2. This vulnerability, published on 2025-09-09, enables remote code execution and is associated with CWE-434. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.

A remote unauthenticated attacker can exploit this flaw by leveraging the inadequate filename checks, but user interaction is required to trigger the vulnerability. Successful exploitation allows the attacker to execute arbitrary code on the affected Endpoint Manager instance, potentially granting high confidentiality, integrity, and availability impacts.

Ivanti's security advisory details mitigations, including upgrades to Endpoint Manager 2024 SU3 SR1 or 2022 SU8 SR2. Practitioners should consult the official reference at https://forums.ivanti.com/s/article/Security-Advisory-September-2025-for-Ivanti-EPM-2024-SU3-and-EPM-2022-SU8 for patch instructions and additional remediation guidance.

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products: Ivanti Endpoint Manager, versions 2022, 2024 (≤ 2022)

CVEs Like This One

CVE-2025-9712 · Same product: Ivanti Endpoint Manager
CVE-2025-13659 · Same product: Ivanti Endpoint Manager
CVE-2024-13171 · Same product: Ivanti Endpoint Manager
CVE-2025-9713 · Same product: Ivanti Endpoint Manager
CVE-2026-1603 · Same product: Ivanti Endpoint Manager
CVE-2024-13159 · Same product: Ivanti Endpoint Manager
CVE-2024-13160 · Same product: Ivanti Endpoint Manager
CVE-2024-13167 · Same product: Ivanti Endpoint Manager
CVE-2024-13158 · Same product: Ivanti Endpoint Manager
CVE-2024-10811 · Same product: Ivanti Endpoint Manager

References