

Severity
High
Analysis Summary
Ivanti has released critical security updates addressing two high-severity vulnerabilities in its Endpoint Manager (EPM) software, tracked as CVE-2025-9712 and CVE-2025-9872. Both flaws, rated high on the CVSS scale, stem from an insufficient filename validation weakness (CWE-434), which allows attackers to upload files of dangerous types without restriction. Although successful exploitation requires user interaction with a specially crafted file, the vulnerabilities could enable remote, unauthenticated attackers to execute arbitrary code on affected systems, threatening confidentiality, integrity, and availability. Ivanti emphasized that it has no evidence of active exploitation at the time of disclosure.
The vulnerabilities impact Ivanti Endpoint Manager versions 2024 SU3 and prior, as well as 2022 SU8 Security Update 1 and prior. To mitigate the risks, Ivanti has released patched versions: 2024 SU3 Security Update 1 and 2022 SU8 Security Update 2. Administrators are strongly advised to upgrade immediately, as unpatched systems remain highly susceptible once exploit code is developed by threat actors. The patches are available through the Ivanti License System portal.
Adding to the urgency, Ivanti reminded customers that the 2022 product branch will reach End of Life (EOL) in October 2025. Organizations still relying on this branch should not only apply the immediate fixes but also plan a migration to a fully supported version to ensure continued access to future security updates and technical support. Delayed patching or remaining on unsupported versions significantly increases the risk of compromise, given attackers’ habit of reverse-engineering patches to develop exploits.
The flaws were responsibly disclosed through Ivanti’s security program, with credit given to a researcher working with Trend Micro’s Zero Day Initiative, identified as “06fe5fd2bc53027c4a3b7e395af0b850e7b8a044.” Because the vulnerabilities were discovered and reported privately, no indicators of compromise (IoCs) are currently available. However, Ivanti strongly recommends prompt patching to preempt potential exploitation attempts once public awareness grows. Organizations that act quickly can mitigate the risk of RCE attacks and ensure their environments remain protected.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2025-9712
CVE-2025-9872
Affected Vendors
- Ivanti
Remediation
- Apply security updates immediately by upgrading to Ivanti Endpoint Manager 2024 SU3 Security Update 1 or 2022 SU8 Security Update 2, depending on your deployment.
- Plan migration from the 2022 branch before its End of Life (October 2025) to maintain security updates and vendor support.
- Restrict file uploads by implementing additional controls to block unauthorized or dangerous file types at the application and network level.
- Limit user interaction risks by educating users to avoid opening or interacting with suspicious or unexpected files.
- Monitor for suspicious activity in system logs, file uploads, and unusual endpoint behavior that may indicate attempted exploitation.
- Test and validate patches in a staging environment before deploying them to production to ensure stability and compatibility.
- Regularly update systems through a proactive patch management process to reduce exposure to future vulnerabilities.
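
The "Restrict file uploads" item above, sketched as an application-level check for the CWE-434 weakness class described in the summary. This is an added example, not Ivanti's code or patch logic; the allowlist, the function name `validate_upload` and the sample inputs are assumptions made for illustration.

```python
import os
import re
import unicodedata

# Assumed allowlist for a hypothetical upload endpoint: extension -> required leading bytes.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
}
# Windows device names that must never become a stored file name.
RESERVED = re.compile(r"^(con|prn|aux|nul|com[1-9]|lpt[1-9])(\.|$)", re.I)


def validate_upload(filename: str, head: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied name and the file's first bytes."""
    if unicodedata.normalize("NFKC", filename) != filename:
        return False, "name changes under Unicode normalization"
    if any(ord(c) < 32 or c in "/\\:" for c in filename):
        return False, "path separator, stream marker or control character"
    if filename != filename.strip(". "):
        return False, "leading or trailing dot or space"
    if RESERVED.match(filename):
        return False, "reserved device name"
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED:
        return False, "extension not on allowlist"
    if "." in stem:
        return False, "multiple extensions"
    if not head.startswith(ALLOWED[ext.lower()]):
        return False, "content does not match extension"
    return True, "ok"


# Constructed sample uploads: (client-supplied name, first bytes of the body).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n"),
    ("page.aspx", b"<%@ Page Language"),
    ("setup.exe.png", b"\x89PNG\r\n\x1a\n"),
    ("..\\..\\wwwroot\\logo.png", b"\x89PNG\r\n\x1a\n"),
    ("logo.png.", b"\x89PNG\r\n\x1a\n"),
    ("logo.png", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{name!r:32} {validate_upload(name, head)}")
```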