Ivanti has released important security updates for Ivanti Endpoint Manager (EPM), addressing two high-severity vulnerabilities that could allow remote unauthenticated attackers to achieve remote code execution (RCE). Both flaws stem from insufficient filename validation and carry a CVSS score of 8.8.
According to Ivanti, “CVE-2025-9712: Insufficient filename validation in Ivanti Endpoint Manager before 2024 SU3 Security Update 1 and 2022 SU8 Security Update 2 allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.”
A second related flaw, “CVE-2025-9872, also caused by insufficient filename validation… allows a remote unauthenticated attacker to achieve remote code execution. User interaction is required.”
Both vulnerabilities pose a serious risk to enterprises using outdated versions of EPM, particularly given the potential for malicious file uploads to trigger execution on endpoints.
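As an added illustration of the bug class the advisory names (insufficient filename validation in an upload path), and not Ivanti's code or a reconstruction of the EPM flaw, here is an insufficient check beside a hardened allow-list validator for a hypothetical upload handler; the allowed extensions and reserved names are assumptions for the example:

```python
"""Filename validation for an upload handler: an insufficient check next to a
hardened one. Constructed illustration of the bug class named in the advisory."""
import posixpath
import re
import unicodedata

# Assumed allow-list of extensions the hypothetical upload endpoint accepts.
ALLOWED_EXTENSIONS = frozenset({"txt", "csv", "pdf", "png"})
# Windows reserved device names that must never become a file name.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}
# Allow-list of characters and length for the final base name.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def weak_check(name: str) -> bool:
    """Insufficient validation: a deny-list that only looks for '..'.
    It still accepts backslashes, drive letters, embedded NULs and
    executable extensions, so a crafted upload name passes."""
    return ".." not in name


def validate_upload_filename(name: str, allowed=ALLOWED_EXTENSIONS) -> str:
    """Hardened validation: return a safe base name or raise ValueError.
    Every step is allow-list based, so unexpected input fails closed."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # Normalize Unicode so look-alike code points cannot smuggle separators.
    norm = unicodedata.normalize("NFKC", name)
    # Treat both separator styles as separators; any path component is rejected.
    base = posixpath.basename(norm.replace("\\", "/"))
    if base != norm:
        raise ValueError("path components are not allowed")
    if not _SAFE_NAME.fullmatch(base):
        raise ValueError("character set or length not allowed")
    stem, _, ext = base.rpartition(".")
    if not stem or stem.upper() in _RESERVED:
        raise ValueError("missing extension or reserved device name")
    # Only the final extension is checked, and only against the allow-list.
    if ext.lower() not in allowed:
        raise ValueError(f"extension {ext!r} not on allow-list")
    return base
```

The weak check accepts names such as a drive-letter path or a NUL-truncated double extension, which the hardened function rejects.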
The advisory specifies the following affected product versions:
- Ivanti Endpoint Manager 2022 SU8 Security Update 1 and prior
- Ivanti Endpoint Manager 2024 SU3 and prior
These issues have been fixed in:
- Ivanti Endpoint Manager 2022 SU8 Security Update 2
- Ivanti Endpoint Manager 2024 SU3 Security Update 1
While the vulnerabilities are considered high severity, Ivanti has clarified: “We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.”
However, given that exploitation requires only limited user interaction, organizations running unpatched versions are at significant risk of compromise.
Ivanti strongly advises customers to immediately upgrade to the latest patched versions, available via its software download portal. The company also emphasizes that organizations still on the 2022 branch should prepare for migration before its end-of-life date in October 2025.