Ivanti has released security updates to address two high-severity vulnerabilities in its Endpoint Manager (EPM) software that could allow remote code execution. The vulnerabilities, tracked as CVE-2025-9712 and CVE-2025-9872, affect multiple versions of the product.
The company has stated that it is not aware of any active exploitation of these flaws in the wild at the time of disclosure.
Both CVE-2025-9712 and CVE-2025-9872 have been assigned a CVSS score of 8.8 out of 10.0, categorizing them as high-severity. The root cause of both flaws is an insufficient filename validation weakness, cataloged as CWE-434 (Unrestricted Upload of File with Dangerous Type).
This type of vulnerability can allow an attacker to upload a file with a malicious or unexpected type, which could then be executed on the target system.
For a successful attack, a remote, unauthenticated threat actor would need to trick a user into interacting with a specially crafted file. This user interaction is a necessary prerequisite for exploitation.
If an attacker successfully exploits either vulnerability, they could achieve remote code execution (RCE) on the affected system, granting them the ability to compromise the confidentiality, integrity, and availability of the system.
The CVSS vector, AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, confirms that the attack can be launched remotely over a network, requires low complexity, needs no privileges, but depends on user interaction.
Affected Versions and Patches
The vulnerabilities impact Ivanti Endpoint Manager versions 2022 SU8 Security Update 1 and prior, as well as 2024 SU3 and prior versions. Ivanti has made patches available to resolve these issues.
Administrators are strongly advised to upgrade to the following secure versions: Ivanti Endpoint Manager 2022 SU8 Security Update 2 and Ivanti Endpoint Manager 2024 SU3 Security Update 1. The security updates can be accessed through the Ivanti License System portal.
The following table details the affected and patched versions of Ivanti Endpoint Manager.
Product Name             | Affected Version(s)                   | Patched Version(s)
Ivanti Endpoint Manager  | 2024 SU3 and prior                    | 2024 SU3 Security Update 1
Ivanti Endpoint Manager  | 2022 SU8 Security Update 1 and prior  | 2022 SU8 Security Update 2
Adding a layer of urgency, Ivanti has reminded customers that the 2022 product branch is scheduled to reach its End of Life (EOL) at the end of October 2025.
Organizations still using this branch are encouraged not only to apply the immediate security fix but also to plan a migration to a fully supported version in order to continue receiving security updates and technical support.
Ivanti has confirmed that these vulnerabilities were reported through its responsible disclosure program. The company credited a researcher, identified as “06fe5fd2bc53027c4a3b7e395af0b850e7b8a044,” working with Trend Micro’s Zero Day Initiative for discovering and reporting both flaws. Because the issues were disclosed responsibly, Ivanti has not found any evidence of active exploitation or compromise.
Consequently, there are no specific indicators of compromise (IoCs) available for administrators to search for. Despite the absence of known attacks, administrators are urged to apply the patches promptly, as threat actors often reverse-engineer security updates to develop exploits for unpatched systems.