CVE-2025-9713 Overview
CVE-2025-9713 is a path traversal vulnerability in Ivanti Endpoint Manager (EPM) that allows a remote unauthenticated attacker to achieve remote code execution. The vulnerability exists in versions prior to 2024 SU4 and requires user interaction to exploit successfully. This vulnerability poses a significant risk to enterprise environments where Ivanti EPM is deployed for endpoint management and security operations.
Critical Impact
Remote unauthenticated attackers can achieve remote code execution on systems running vulnerable versions of Ivanti Endpoint Manager, potentially leading to complete system compromise and lateral movement within enterprise networks.
Affected Products
- Ivanti Endpoint Manager versions before 2024 SU4
- Ivanti Endpoint Manager 2024 (base version)
- Ivanti Endpoint Manager 2024 SU1
- Ivanti Endpoint Manager 2024 SU2
- Ivanti Endpoint Manager 2024 SU3
- Ivanti Endpoint Manager 2024 SU3 Security Release 1
Discovery Timeline
- October 13, 2025 - CVE-2025-9713 published to NVD
- November 11, 2025 - Last updated in NVD database
Technical Details for CVE-2025-9713
Vulnerability Analysis
This path traversal vulnerability (CWE-22) in Ivanti Endpoint Manager allows attackers to manipulate file paths to access files and directories outside the intended restricted directory. When exploited successfully, the vulnerability enables remote code execution on the target system without requiring authentication. The attack vector is network-based, and while the attack complexity is low, exploitation requires some form of user interaction to complete the chain.
The vulnerability affects the core endpoint management functionality, which is particularly concerning given Ivanti EPM's role in managing and securing enterprise endpoints. Successful exploitation could allow attackers to execute arbitrary code with the privileges of the EPM service, potentially leading to complete compromise of the endpoint management infrastructure.
Root Cause
The root cause of CVE-2025-9713 is improper validation of user-supplied input when processing file paths within the Ivanti Endpoint Manager application. The application fails to properly sanitize path traversal sequences (such as ../ or ..\) in user-controllable input, allowing attackers to escape the intended directory structure and access or manipulate arbitrary files on the system.
This type of vulnerability typically occurs when file operations accept external input without adequate validation, allowing malicious actors to construct paths that traverse outside the application's root directory. The lack of proper input sanitization combined with insufficient access controls enables the path traversal condition that ultimately leads to remote code execution.
Attack Vector
The attack is conducted remotely over the network against vulnerable Ivanti Endpoint Manager installations. An unauthenticated attacker can craft malicious requests containing path traversal sequences to access files outside the intended directory structure. While the attack requires user interaction, the specific user action needed to trigger the vulnerability has not been publicly disclosed.
The exploitation flow involves the attacker sending specially crafted requests to the vulnerable EPM instance that include directory traversal payloads. These payloads bypass intended directory restrictions and can be leveraged to write malicious files to arbitrary locations or execute existing files, ultimately achieving remote code execution on the target system.
The path traversal sequences allow an attacker to escape the application's web root or designated file directories, accessing sensitive system files or writing malicious payloads to locations where they can be executed. For detailed technical information, refer to the Ivanti Security Advisory October 2025.
Detection Methods for CVE-2025-9713
Indicators of Compromise
- Monitor web server and application logs for requests containing path traversal sequences such as ../, ..\, %2e%2e%2f, or %2e%2e/
- Look for unusual file access patterns or file creation in system directories that should not be accessible through the EPM web interface
- Investigate unexpected child processes spawned by Ivanti EPM service processes
- Check for modifications to critical system files or the appearance of unknown executables in web-accessible directories
Detection Strategies
- Deploy web application firewalls (WAF) with rules to detect and block path traversal attempts targeting Ivanti EPM endpoints
- Implement file integrity monitoring on Ivanti EPM installation directories and critical system paths
- Configure SIEM rules to correlate multiple path traversal attempts from the same source IP addresses
- Enable detailed logging for Ivanti EPM and forward logs to centralized security monitoring systems
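One way to implement the log check from the indicators list together with the per-source correlation above, as an added example (not vendor tooling). The five-field log layout, the sample lines and all function names are constructed for illustration; adapt the field parsing to the log format your EPM web server actually writes.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not real EPM logs): "<time> <src-ip> <method> <uri> <status>"
SAMPLE_LOG = """\
2025-10-14T09:00:01Z 203.0.113.7 GET /app/files?name=..%2f..%2fweb.config 404
2025-10-14T09:00:02Z 203.0.113.7 GET /app/%252e%252e%252f%252e%252e%252fconf 404
2025-10-14T09:00:03Z 203.0.113.7 GET /app/view?dir=..%5c..%5clogs 200
2025-10-14T09:00:09Z 198.51.100.4 GET /app/docs/release..notes.txt 200
2025-10-14T09:01:10Z 198.51.100.4 GET /app/a/../index.html 200
2025-10-14T09:02:00Z 192.0.2.15 GET /app/status 200
"""

# ".." counts only as a whole path segment or at the start of a parameter value.
TRAVERSAL = re.compile(r"(?:^|[/?&=])\.\.(?:/|$)")

def canonicalize(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding), then unify slashes."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.replace("\\", "/").lower()

def has_traversal(uri: str) -> bool:
    return bool(TRAVERSAL.search(canonicalize(uri)))

def traversal_hits(log_text: str) -> list[tuple[str, str, str]]:
    """Return (src_ip, uri, status) for each request carrying a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guess at their layout
        _, src, _, uri, status = fields
        if has_traversal(uri):
            hits.append((src, uri, status))
    return hits

def repeat_sources(log_text: str, threshold: int = 3) -> dict[str, int]:
    """Source IPs with at least `threshold` traversal requests (the SIEM correlation)."""
    counts = Counter(src for src, _, _ in traversal_hits(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Hits that returned a success status deserve triage first, since they are the requests the server did not reject.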
Monitoring Recommendations
- Establish baseline behavior for Ivanti EPM file access patterns and alert on deviations
- Monitor network traffic to and from EPM servers for unusual outbound connections that may indicate successful exploitation
- Implement endpoint detection and response (EDR) solutions to monitor for post-exploitation activities on EPM servers
- Set up alerts for failed and successful authentication attempts to EPM administrative interfaces following path traversal attempts
How to Mitigate CVE-2025-9713
Immediate Actions Required
- Upgrade Ivanti Endpoint Manager to version 2024 SU4 or later immediately
- If immediate patching is not possible, restrict network access to Ivanti EPM servers to only authorized administrative networks
- Enable enhanced logging on EPM servers to capture potential exploitation attempts
- Review EPM server logs for any signs of prior exploitation attempts
Patch Information
Ivanti has released version 2024 SU4 to address this vulnerability. Organizations should download and apply the security update from the official Ivanti support portal. The patch information and deployment guidance are available in the Ivanti Security Advisory October 2025.
Before applying the patch, ensure you have a current backup of your EPM server and database. Test the update in a non-production environment if possible before deploying to production systems. After patching, verify the update was successful by checking the EPM version information.
Workarounds
- Implement network segmentation to isolate Ivanti EPM servers from untrusted networks and limit exposure
- Deploy a reverse proxy or web application firewall with path traversal detection rules in front of EPM servers
- Disable or restrict access to EPM web interfaces from external networks until patching can be completed
- Apply the principle of least privilege to service accounts running Ivanti EPM to limit post-exploitation impact
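# Example: Restrict access to Ivanti EPM using Windows Firewall (adjust ports as needed)
# Windows Firewall applies block rules before allow rules, so a "block remoteip=any" rule on 443
# would also cut off the internal ranges. Rely on the default-deny inbound policy instead
# and allow only internal sources.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Allow Internal EPM Access" dir=in action=allow protocol=tcp localport=443 remoteip=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
# Disable or narrow any existing broader inbound allow rule for port 443; otherwise external clients are still admitted.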
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

