CVE-2025-9713
📛 CVE Title
CVE-2025-9713
Description
Path traversal in Ivanti Endpoint Manager before version 2024 SU4 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
Overview
- State
- PUBLISHED
- Assigner (CNA)
- ivanti
- CVSS severity
- HIGH
- CVSS score
- 8.8 / 10
- CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H- Effective score
- 8.8 / 10 HIGH source: CNA overview
- CWE(s)
-
CWE-22 - Reserved
- 2025-08-30
- Published
- 2025-10-13 23:08 UTC
- Last updated
- 2026-02-26 18:47 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/9xxx/CVE-2025-9713.json
- Linked Threat
- CVE-2025-9713 — CVE-2025-9713
NVD triage scoring NVD CVE 2.0
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- NVD published
- 2025-10-13 21:15:35 UTC
- NVD last modified
- 2025-11-11 15:15:36 UTC
- NVD CVSS v3.1
- 8.8 / 10 HIGH source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
- NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H- Exploitability subscore
- 2.8 / 10
- Impact subscore
- 5.9 / 10
- EPSS score
- 0.0350 (probability of exploitation in next 30 days)
- EPSS percentile
- 87.76% vs all CVEs — higher = more likely to be exploited, as of 2026-05-25
NVD / KEV / EPSS data refreshed 2026-05-25 20:45 UTC. Re-run the 🛰 Backfill from NVD button above to refresh.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
-
EUVD-2025-34088 - Assigner
- ivanti
- Published
- Oct 13, 2025, 9:08:13 PM
- Updated
- Feb 26, 2026, 5:47:44 PM
- EUVD base score (CVSS 3.1)
-
8.8 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H - EUVD-reported EPSS
- 3.5000
- Vendors
- Ivanti
- Products
-
Endpoint Manager (2024 SU3 SR1)Endpoint Manager (2022 SU8 SR2)Endpoint Manager (patch: 2024 SU4)
- Aliases
-
GHSA-4vv9-j5h4-6c9w
ENISA description: Path traversal in Ivanti Endpoint Manager before version 2024 SU4 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Ivanti | Endpoint Manager |
2024 SU4 (unaffected)
|
— |
Affected products — CPE 2.3 (6) NVD
NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.
cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:*cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:*:*:*:*:*:*
Remediations (10)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
-
web:blog.talosintelligence.com
Microsoft has released its monthly security update for August 2025 , which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as "critical".
2026-05-22 15:40 UTC -
web:cisa.gov
Update (08/12/ 2025 ): CISA has updated this alert to provide clarification on identifying Exchange Servers on an organization's networks and provided further guidance on running the Microsoft Exchange Health Checker. Update (08/07/ 2025 ): CISA issued Emergency Directive (ED) 25-02: Mitigate Microsoft Exchange Vulnerability in response to CVE - 2025 -53786
2026-05-22 15:40 UTC -
web:krebsonsecurity.com
Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known "zero-day" or actively exploited vulnerabilities ...
2026-05-22 15:40 UTC -
web:nvd.nist.gov
Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
2026-05-22 15:40 UTC -
web:petri.com
If a Group Policy setting is available to roll back a fix , it is included in the Windows Update KB article and release notes as a mitigation for a known issue.
2026-05-22 15:40 UTC -
web:portal.msrc.microsoft.com
The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
2026-05-22 15:40 UTC -
web:www.bugcrowd.com
Vulnerability mitigation is typically considered a temporary or interim solution. While mitigation measures can reduce the immediate risk associated with vulnerabilities, they may not provide a permanent fix . Organizations should aim to prioritize and plan for complete vulnerability remediation whenever feasible and allocate resources accordingly.
2026-05-22 15:40 UTC -
web:www.forbes.com
Microsoft Exchange users are urged to mitigate a zero-day vulnerability that CISA has confirmed is under active exploitation.
2026-05-22 15:40 UTC -
web:www.oracle.com
This Critical Patch Update contains 374 new security patches across the product families listed below. Please note that an MOS note summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at October 2025 Critical Patch Update: Executive Summary and Analysis.
2026-05-22 15:40 UTC -
web:www.secure.com
Learn the difference between vulnerability remediation and mitigation , and how a risk-based strategy can strengthen your security posture.
2026-05-22 15:40 UTC
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
Web references (0)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
No web references attached yet.
NVD-tagged references (1)
Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 Vendor Advisory
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2025-9713.json.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-14T03:55:15.780131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-26T17:47:44.122Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Endpoint Manager",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "2024 SU4",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "<span style=\"background-color: rgb(255, 255, 255);\">Path traversal in Ivanti Endpoint Manager before version 2024 SU4 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span><br>"
}
],
"value": "Path traversal in Ivanti Endpoint Manager before version 2024 SU4 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required."
}
],
"impacts": [
{
"capecId": "CAPEC-126",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-126 Path Traversal"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-11T15:05:28.949Z",
"orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"shortName": "ivanti"
},
"references": [
{
"url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"assignerShortName": "ivanti",
"cveId": "CVE-2025-9713",
"datePublished": "2025-10-13T21:08:13.112Z",
"dateReserved": "2025-08-29T23:03:24.774Z",
"dateUpdated": "2026-02-26T17:47:44.122Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}