CVE-2025-9713
📋 TL;DR
CVE-2025-9713 is a path traversal vulnerability in Ivanti Endpoint Manager (EPM) that allows a remote unauthenticated attacker to achieve remote code execution; user interaction is required. It affects organizations running Ivanti EPM versions before 2024 SU4.
💻 Affected Systems
- Ivanti Endpoint Manager
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to data exfiltration, ransomware deployment, or lateral movement across the network.
Likely Case
Initial foothold for attackers to establish persistence, deploy malware, or steal credentials from the compromised EPM server.
If Mitigated
Limited impact if proper network segmentation, EDR solutions, and least privilege principles are implemented.
🎯 Exploit Status
Path traversal vulnerabilities are typically straightforward to exploit once the specific vulnerable endpoint is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU4 or later
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025
Restart Required: Yes
Instructions:
1. Download Ivanti EPM 2024 SU4 or later from the Ivanti portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart the EPM server and verify functionality.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to Ivanti EPM servers to only trusted administrative networks.
Web Application Firewall Rules
Implement WAF rules to block path traversal patterns in HTTP requests to EPM endpoints.
🧯 If You Can't Patch
- Implement strict network access controls to limit EPM server exposure
- Deploy endpoint detection and response (EDR) solutions with behavioral monitoring
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti EPM version in the console under Help > About. If the version is earlier than 2024 SU4, the system is vulnerable.
Check Version:
Not applicable - check through Ivanti EPM console interface
Verify Fix Applied:
After patching, verify the version shows 2024 SU4 or later in the console and test EPM functionality.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in EPM logs
- HTTP requests containing directory traversal sequences (../)
Network Indicators:
- Unusual outbound connections from EPM server
- HTTP requests to EPM endpoints with path traversal payloads
SIEM Query:
source="epm_logs" AND ("../" OR "..\\" OR "%2e%2e%2f")
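The literal patterns in the query above do not cover every spelling of a traversal sequence, for example `%5c` separators or double encoding. The Python sketch below is an added example, not code from Ivanti or from the original page: it percent-decodes each request field repeatedly and then looks for `..` as a path segment. The W3C/IIS-style log layout, the `/example/` paths and the sample lines are constructed assumptions; adapt the field positions to the logs your EPM server actually writes.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (assumed fields: date time client method uri-stem uri-query status).
SAMPLE_LOG = """\
2025-10-14 09:12:01 10.0.0.5 GET /example/index.aspx - 200
2025-10-14 09:12:07 203.0.113.9 GET /example/files/../../config.xml - 404
2025-10-14 09:12:09 203.0.113.9 GET /example/files/%2e%2e%2Fconfig.xml - 404
2025-10-14 09:12:11 203.0.113.9 POST /example/upload.aspx name=..%5c..%5cx.aspx 200
2025-10-14 09:12:15 203.0.113.9 GET /example/files/%252e%252e%252fconfig.xml - 404
2025-10-14 09:12:20 10.0.0.7 GET /example/docs/release..notes.txt - 200
"""

PAGE_LITERALS = ("../", "..\\", "%2e%2e%2f")   # the three strings in the page's query
MAX_DECODE_ROUNDS = 3                          # bounds work on nested encodings
# ".." counts only as a whole segment: after a separator or parameter
# delimiter, and before a separator or the end of the value.
DOTDOT_SEGMENT = re.compile(r"(^|[/\\=&?])\.\.([/\\]|$)")

def literal_match(line):
    """Case-insensitive substring match, as the literal query would do."""
    return any(lit in line.lower() for lit in PAGE_LITERALS)

def normalize(value):
    """Percent-decode until the value stops changing (or the round limit)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    return bool(DOTDOT_SEGMENT.search(normalize(value)))

def scan(log_text):
    """Return (client, method, stem, query, status) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # skip W3C header directives and short lines
        _date, _time, client, method, stem, query, status = fields[:7]
        if has_traversal(stem) or has_traversal(query):
            hits.append((client, method, stem, query, status))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("traversal candidate:", *hit)
```

On the constructed sample the literal strings match two lines, while the normalized check flags four and leaves the benign `release..notes.txt` request alone.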