cbcvebase.
CVE-2025-9872
published 2025-09-09

Priority: P2 · 71 · high · 8.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 13.47% (96.0th percentile)

Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 SR1 and 2022 SU8 SR2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.

Affected (3 ranges)

Vendor | Product          | Version range | Fixed in
ivanti | endpoint_manager | < 2022        | 2022
ivanti | endpoint_manager |               |
ivanti | endpoint_manager |               |

Detection & IOCs (extracted from sources)

  • Vulnerability class is CWE-434 (Unrestricted Upload of File with Dangerous Type) — monitor for suspicious file uploads to Ivanti Endpoint Manager endpoints, particularly files with unexpected or double extensions that bypass filename validation
  • Attack is remotely exploitable by unauthenticated attackers but requires user interaction — consider alerting on unauthenticated file upload requests to Ivanti EPM web-facing components combined with subsequent process execution anomalies
  • Patched versions are 2024 SU3 SR1 and 2022 SU8 SR2 — verify deployed Ivanti Endpoint Manager version is at or above these thresholds to confirm exposure
  • CVSS score of 8.8 (HIGH) with CWE-434 indicates the attack vector is network-based file upload; ensure perimeter controls restrict unauthenticated access to Ivanti EPM upload functionality