Full Report
Multiple vulnerabilities have been discovered in Ivanti products, the most severe of which could allow for remote code execution.

Ivanti Endpoint Manager is a client-based unified endpoint management software. Ivanti Connect Secure is an SSL VPN solution for remote and mobile users. Ivanti Policy Secure (IPS) is a network access control (NAC) solution which provides network access only to authorized and secured users and devices. Ivanti Neurons for Zero Trust Access (ZTA) Gateways securely connects devices to web applications, whether on-premises or in the cloud, using Zero Trust principles.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Analysis Summary
# Vulnerability: Multiple Remote Code Execution and Authorization Flaws in Ivanti Products
## CVE Details
- CVE ID: CVE-2025-9712, CVE-2025-9872 (Most severe RCE), CVE-2025-8712, CVE-2025-55148, CVE-2025-55144, CVE-2025-8711, CVE-2025-55145, CVE-2025-55146, CVE-2025-55147, CVE-2025-55139 (Severity scores not provided in summary, but RCE is the most severe)
- CVSS Score: N/A (Specific scores not listed in summary, but RCE implies High/Critical)
- CWE: Insufficient filename validation, Missing authorization, CSRF, Unchecked return value, SSRF
## Affected Systems
- Products:
  - Ivanti Endpoint Manager (EPM)
  - Ivanti Connect Secure (ICS)
  - Ivanti Policy Secure (IPS)
  - Ivanti Neurons for Zero Trust Access (ZTA) Gateways
  - Ivanti Neurons for Secure Access
- Versions:
  - Ivanti Endpoint Manager: 2022 SU8 Security Update 1 and prior; 2024 SU3 and prior
  - Ivanti Connect Secure: 22.7R2.8 and prior
  - Ivanti Policy Secure: 22.7R1.4 and prior
  - ZTA Gateways: 22.8R2.2 and prior
  - Neurons for Secure Access: 22.8R1.3 and prior
- Configurations: Varies by CVE; some RCEs require user interaction. Lower severity flaws often target authenticated users (read-only admin or general admin).
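An added fleet-triage check (not Ivanti's code and not part of this advisory) that parses the ICS/IPS/ZTA/Neurons version strings listed above and flags appliances at or below each product's affected ceiling; the hostnames are constructed, and plain numeric ordering across the 22.7 and 22.8 release trains is an assumption taken from the advisory's "X and prior" wording.

```python
import re
from typing import List, Tuple

# Affected ceilings copied from the Affected Systems section of this advisory:
# a version less than or equal to the listed one is affected.
AFFECTED_CEILING = {
    "Ivanti Connect Secure": "22.7R2.8",
    "Ivanti Policy Secure": "22.7R1.4",
    "ZTA Gateways": "22.8R2.2",
    "Neurons for Secure Access": "22.8R1.3",
}

# Ivanti strings look like MAJOR.MINOR R RELEASE [.PATCH] [-BUILD], e.g. 22.7R2.8 or 22.8R2.3-723
VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn an Ivanti version string into a comparable tuple; missing patch/build count as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    major, minor, release, patch, build = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0), int(build or 0))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is at or below the advisory's ceiling for that product.
    Assumption: ordering is purely numeric, so 22.8R1.x sorts above 22.7R2.x."""
    return parse_version(version) <= parse_version(AFFECTED_CEILING[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need the September 2025 fixes."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and deployed versions are made up for illustration.
    sample = [
        ("vpn-01", "Ivanti Connect Secure", "22.7R2.8"),
        ("vpn-02", "Ivanti Connect Secure", "22.7R2.9"),
        ("nac-01", "Ivanti Policy Secure", "22.7R1.4"),
        ("zta-01", "ZTA Gateways", "22.8R2.3-723"),
        ("nsa-01", "Neurons for Secure Access", "22.8R1.3"),
    ]
    for host, product, version in triage(sample):
        print(f"AFFECTED: {host} {product} {version}")
```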
## Vulnerability Description
The most severe vulnerabilities (CVE-2025-9712, CVE-2025-9872) reside in Ivanti Endpoint Manager. They stem from insufficient filename validation, which, upon successful exploitation, allows a **remote unauthenticated attacker** to achieve **Remote Code Execution (RCE)**. This exploitation requires user interaction.
Other vulnerabilities include:
* **Missing Authorization:** In ICS, IPS, ZTA, and Neurons for Secure Access, allowing authenticated users (even with read-only admin privileges) to configure restricted settings, hijack HTML5 connections, or perform specific actions based on privilege level.
* **CSRF:** Allowing remote unauthenticated attackers to execute limited or sensitive actions on behalf of a victim user, requiring user interaction.
* **Denial of Service (DoS):** Caused by an unchecked return value, targeting authenticated admin users.
* **SSRF:** Allowing authenticated admin users to enumerate internal services.
Successful exploitation of the most severe flaws leads to RCE, enabling the attacker to install programs, or view, change, or delete data, with impact scaled based on the victim's system privileges.
## Exploitation
- Status: Ivanti is not aware of any customers being exploited at the time of disclosure.
- Complexity: RCE requires user interaction. Other flaws target authenticated users or have specific prerequisites.
- Attack Vector: Network (Remote, Public-Facing Application exploitation cited for the RCEs).
## Impact
- Confidentiality: Potential loss (view/change/delete data) upon RCE.
- Integrity: Potential loss upon RCE (install programs, change/delete data).
- Availability: Potential DoS due to specific flaws targeting admin accounts.
## Remediation
### Patches
Specific patched versions are mentioned for the lower severity flaws (Fix deployed on 02-Aug-2025):
* ICS/IPS/ZTA/Neurons fixes:
  * ICS: versions beyond 22.7R2.9 or 22.8R2
  * IPS: versions beyond 22.7R1.6
  * ZTA Gateways: versions beyond 22.8R2.3-723
  * Neurons for Secure Access: versions beyond 22.8R1.4
* EPM fixes for CVE-2025-9712/9872: Versions *after* 2024 SU3 Security Update 1 and *after* 2022 SU8 Security Update 2.
### Workarounds
No specific emergency workarounds were detailed in the provided summary context.
## Detection
- Indicators of compromise (IOCs): Not detailed in the provided summary.
- Detection methods and tools: Generic monitoring for exploitation attempts targeting public-facing Ivanti services related to file handling (for EPM RCE) or unauthorized access attempts (for authorization bypasses).
## References
- Vendor Advisory (General): https://www.ivanti.com/blog/september-2025-security-update (defanged: hxxps://www.ivanti.com/blog/september-2025-security-update)
- EPM Advisory: hxxps://forums.ivanti.com/s/article/Security-Advisory-September-2025-for-Ivanti-EPM-2024-SU3-and-EPM-2022-SU8?language=en_US&_gl=1*1l3213*_gcl_au*MTE4NTQxNDAxMS4xNzU3NDM5NzI5
- ICS/IPS/ZTA/Neurons Advisory: hxxps://forums.ivanti.com/s/article/September-Security-Advisory-Ivanti-Connect-Secure-Policy-Secure-ZTA-Gateways-and-Neurons-for-Secure-Access-Multiple-CVEs?language=en_US&_gl=1*1l3213*_gcl_au*MTE4NTQxNDAxMS4xNzU3NDM5NzI5