CVE-2025-9713

High

Published: 13 October 2025

Published

13 October 2025

Modified

11 November 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0171 82.4th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-9713 is a path traversal vulnerability (CWE-22) in Ivanti Endpoint Manager versions prior to 2024 SU4. Published on 2025-10-13, it allows a remote unauthenticated attacker to achieve remote code execution, with user interaction required. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A remote unauthenticated attacker can exploit this over the network with low attack complexity and no required privileges. Exploitation necessitates user interaction, enabling the attacker to achieve high impacts on confidentiality, integrity, and availability within the affected scope.

Mitigation details are available in the Ivanti Security Advisory at https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025.

Details

CWE(s): CWE-22

Affected Products

ivanti

endpoint manager

2024 · ≤ 2024

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Path traversal vulnerability in public-facing Ivanti Endpoint Manager enables remote unauthenticated RCE via exploitation of public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025
Vendor Advisory · 3c1d8aa1-5a33-4ea4-8992-aadd6440af75