CVE-2025-9872
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-10-10
Assigner: ivanti
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ivanti | endpoint_manager | to 2022 (exc) |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2022 |
| ivanti | endpoint_manager | 2024 |
| ivanti | endpoint_manager | 2024 |
| ivanti | endpoint_manager | 2024 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is due to insufficient filename validation in Ivanti Endpoint Manager versions before 2024 SU3 Security Update 1 and 2022 SU8 Security Update 2. It allows a remote unauthenticated attacker to execute remote code on the affected system, but requires user interaction to be successful.
How can this vulnerability impact me? :
The vulnerability can lead to remote code execution by an unauthenticated attacker, potentially allowing them to take control of the affected system. This can result in confidentiality, integrity, and availability impacts, such as data theft, system compromise, or disruption of services.