Software firm Ivanti addressed a newly disclosed vulnerability, tracked as CVE-2025-10573 (CVSS score 9.6), in its Endpoint Manager (EPM) solution.
The vulnerability is a Stored XSS that could allow a remote unauthenticated attacker to execute arbitrary
“Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required,” reads the advisory.
The flaw impacts Ivanti Endpoint Manager prior to version 2024 SU4 SR1.
Ivanti EPM is a widely used solution for remote administration and vulnerability management. It lets authenticated admins control and install software on endpoints, making it an attractive target for attackers.
Rapid7 researchers warn that an unauthenticated attacker can register fake endpoints with Ivanti EPM and inject malicious JavaScript into the admin dashboard. When an administrator views the poisoned interface, the script executes and lets the attacker hijack the admin session. Because this flaw requires no authentication, organizations are urged to patch immediately.
“An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript,” reads the report published by Rapid7. “When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session.”
Rapid7 researchers noted that the unauthenticated incomingdata API accepts device scan data and writes it to a processing directory, where it’s later parsed and displayed on the admin dashboard. Attackers can submit scans containing malicious JavaScript, which is then embedded into the interface. When an admin views affected pages, the script executes and lets the attacker hijack the session. This occurs because the CGI handler (postcgi.exe) processes key=value scan files without sanitizing input.
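The defect class described above, as an added illustration that is not Ivanti's code or Rapid7's proof of concept: a key=value inventory file is parsed and rendered into an HTML table row, first by plain string concatenation (the unsanitized pattern) and then with every value HTML-escaped. A third helper flags inventory values that contain markup, the kind of check a defender could run over files in a processing directory. The field names and the scan contents are constructed for the example; the real EPM file format is not shown on the page and is assumed here only to be line-oriented key=value text.

```python
import html
import re

# Constructed sample scan file (hypothetical field names, not a real EPM capture).
# One value carries markup of the kind the article says gets written into the dashboard.
SAMPLE_SCAN = """Device Name=workstation-01
OS Name=Windows 11
Logged On User=<script>alert(document.cookie)</script>
IP Address=10.0.0.5
"""


def parse_scan(text):
    """Parse key=value lines into a dict. Lines without '=' are skipped."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def render_row_unsafe(fields):
    """Vulnerable pattern: values are concatenated straight into the HTML,
    so any markup submitted in the scan lands in the admin page unchanged."""
    return "<tr>" + "".join(f"<td>{v}</td>" for v in fields.values()) + "</tr>"


def render_row_safe(fields):
    """Hardened pattern: every value is HTML-escaped before it reaches the page,
    so '<', '>', '&' and quotes are rendered as text, not interpreted as markup."""
    return "<tr>" + "".join(
        f"<td>{html.escape(v, quote=True)}</td>" for v in fields.values()
    ) + "</tr>"


# Tags, inline event handlers (onerror=, onload=, ...) and javascript: URLs.
HTML_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def flag_suspicious_fields(fields):
    """Return the names of fields whose values contain HTML markup.
    Useful for auditing stored scan files: inventory data should never need it."""
    return sorted(k for k, v in fields.items() if HTML_MARKUP.search(v))


if __name__ == "__main__":
    data = parse_scan(SAMPLE_SCAN)
    print("unsafe:", render_row_unsafe(data))
    print("safe:  ", render_row_safe(data))
    print("flagged fields:", flag_suspicious_fields(data))
```

Escaping at the point of output (as `render_row_safe` does) is the fix that closes this class of bug regardless of how the data arrived; the audit helper is a complementary detection step, not a substitute for output encoding.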
Ivanti is not aware of attacks in the wild exploiting this vulnerability.
In March, the U.S. cybersecurity agency CISA added multiple EPM vulnerabilities (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) to its Known Exploited Vulnerabilities (KEV) catalog.