CVE-2025-9712
📛 CVE Title
CVE-2025-9712
Description
Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
Overview
- State
- PUBLISHED
- Assigner (CNA)
- ivanti
- CVSS severity
- HIGH
- CVSS score
- 8.8 / 10
- CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H- Effective score
- 8.8 / 10 HIGH source: CNA overview
- CWE(s)
-
CWE-434 - Reserved
- 2025-08-30
- Published
- 2025-09-09 17:09 UTC
- Last updated
- 2026-02-26 18:49 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/9xxx/CVE-2025-9712.json
- Linked Threat
- CVE-2025-9712 — CVE-2025-9712
NVD triage scoring NVD CVE 2.0
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- NVD published
- 2025-09-09 16:15:35 UTC
- NVD last modified
- 2025-10-10 19:25:42 UTC
- NVD CVSS v3.1
- 8.8 / 10 HIGH source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
- NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H- Exploitability subscore
- 2.8 / 10
- Impact subscore
- 5.9 / 10
- EPSS score
- 0.0274 (probability of exploitation in next 30 days)
- EPSS percentile
- 86.16% vs all CVEs — higher = more likely to be exploited, as of 2026-05-25
NVD / KEV / EPSS data refreshed 2026-05-25 20:46 UTC. Re-run the 🛰 Backfill from NVD button above to refresh.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
-
EUVD-2025-27416 - Assigner
- ivanti
- Published
- Sep 9, 2025, 3:09:05 PM
- Updated
- Feb 26, 2026, 5:49:04 PM
- EUVD base score (CVSS 3.1)
-
8.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - EUVD-reported EPSS
- 2.8000
- Vendors
- Ivanti
- Products
-
Endpoint Manager (patch: 2022 SU8 Security Update 2)Endpoint Manager (patch: 2022 SU8 Security Release 2)Endpoint Manager (patch: 2024 SU3 Security Release 1)Endpoint Manager (patch: 2024 SU3 Security Update 1)
- Aliases
-
GHSA-f42q-g7jg-2p77
ENISA description: Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Ivanti | Endpoint Manager |
2024 SU3 Security Release 1 (unaffected),
2022 SU8 Security Release 2 (unaffected)
|
— |
Affected products — CPE 2.3 (14) NVD
NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.
cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:-:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su1:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su2:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su3:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su4:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su5:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su6:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su7:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su8:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2022:su8_security_release_1:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*
Remediations (10)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
-
web:blog.qualys.com
As the year winds down, Microsoft Patch Tuesday in December arrives with essential fixes and enhancements to close vulnerabilities and boost performance.
2026-05-22 15:41 UTC -
web:cybersecuritynews.com
Microsoft released its final Patch Tuesday updates of 2025 on December 9, addressing 56 security vulnerabilities across Windows, Office, Exchange Server, and other components.
2026-05-22 15:41 UTC -
web:dailysecurityreview.com
This wave of updates underscores the criticality of monitoring the KEV Catalog for timely vulnerability remediation—especially for federal agencies, which are mandated to patch listed vulnerabilities within defined time frames. Private sector organizations are also strongly advised to assess their exposure and implement risk mitigation measures.
2026-05-22 15:41 UTC -
web:feedly.com
Classification: Critical, Solution: Official Fix , Exploit Maturity: Unproven, CVSSv3.1: 8.8, CVEs : CVE-2025-9712 , CVE - 2025 -9872, Summary: Ivanti has released updates for Ivanti Endpoint Manager (EPM) which addresses high severity vulnerabilities. We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.
2026-05-22 15:41 UTC -
web:portal.msrc.microsoft.com
The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
2026-05-22 15:41 UTC -
web:securechaingroup.com
Learn what was included in Microsoft's December 2025 updates, the issues reported after installation, and why applying these essential Windows and Office security patches is vital for system stability and cyber protection.
2026-05-22 15:41 UTC -
web:www.absolute.com
Discover December 2025 Patch Tuesday's 57 security fixes, including 2 critical fixes. Get expert insights and patching tips to secure your systems.
2026-05-22 15:41 UTC -
web:www.cisecurity.org
<p>Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or ...
2026-05-22 15:41 UTC -
web:www.computerworld.com
Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. The company's Patch Tuesday release for February ...
2026-05-22 15:41 UTC -
web:www.crowdstrike.com
Microsoft has released security updates for 57 vulnerabilities, including one actively exploited zero-day, two publicly disclosed zero-days, and two Critical, in its December 2025 Patch Tuesday rollout.
2026-05-22 15:41 UTC
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
Web references (0)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
No web references attached yet.
NVD-tagged references (1)
Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.
- https://forums.ivanti.com/s/article/Security-Advisory-September-2025-for-Ivanti-EPM-2024-SU3-and-EPM-2022-SU8 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 Vendor Advisory
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2025-9712.json.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-10T03:56:10.717428Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:49:04.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Endpoint Manager",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "2024 SU3 Security Release 1",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2022 SU8 Security Release 2",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required."
}
],
"value": "Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required."
}
],
"impacts": [
{
"capecId": "CAPEC-650",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-650 Upload a Web Shell to a Web Server"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-09T21:26:42.029Z",
"orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"shortName": "ivanti"
},
"references": [
{
"url": "https://forums.ivanti.com/s/article/Security-Advisory-September-2025-for-Ivanti-EPM-2024-SU3-and-EPM-2022-SU8"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"assignerShortName": "ivanti",
"cveId": "CVE-2025-9712",
"datePublished": "2025-09-09T15:09:05.375Z",
"dateReserved": "2025-08-29T23:03:23.691Z",
"dateUpdated": "2026-02-26T17:49:04.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}