Thursday, December 11, 2025

Ivanti has issued a security advisory warning customers of a high-severity vulnerability in Ivanti Endpoint Manager (EPM), identified as CVE-2025-10573 with a CVSS score of 9.6. The flaw is a Stored Cross-Site Scripting (Stored XSS) vulnerability that allows an unauthenticated attacker to inject malicious JavaScript into the system. Once an administrator views a dashboard containing the malicious script, the attacker could hijack the administrator’s session. The issue affects versions prior to 2024 SU4 SR1.
According to analysis from Rapid7, attackers can register a rogue device in the EPM system and upload scan data containing embedded JavaScript. When this data is processed and displayed in the administrator dashboard, the script executes automatically, allowing the attacker to take over the admin session. The root cause lies in an internal API that accepts unvalidated data and fails to sanitize inputs before rendering them through a CGI handler, creating a critical attack surface. Although no in-the-wild exploitation has been reported yet, the absence of any authentication requirement makes widespread exploitation attempts likely.
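As an added illustration (not Ivanti's code and not part of Rapid7's analysis), the defect class described above in a hypothetical device-inventory dashboard: a row renderer that concatenates device-reported scan fields straight into HTML beside one that output-encodes them, plus an ingestion-time check a defender could run over stored records to flag scan fields carrying markup. The record layout, field names and sample records are constructed.

```python
import html
import re
from dataclasses import dataclass
from typing import List

# Constructed stand-in for a device inventory record built from agent scan data;
# the field names are hypothetical and not Ivanti EPM's schema.
@dataclass
class DeviceRecord:
    device_id: str
    hostname: str
    os_name: str

# Characters and fragments that have no business in a hostname or OS string.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)
# Allow-list for hostnames: letters, digits, dots and hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")

def vulnerable_row(rec: DeviceRecord) -> str:
    # Unsafe: device-supplied strings are interpolated directly into HTML,
    # so a stored <script> tag reaches the admin's browser intact.
    return f"<tr><td>{rec.device_id}</td><td>{rec.hostname}</td><td>{rec.os_name}</td></tr>"

def safe_row(rec: DeviceRecord) -> str:
    # Contextual output encoding: each untrusted value is escaped for an HTML
    # text node, so markup is displayed rather than executed.
    cells = (rec.device_id, rec.hostname, rec.os_name)
    return "<tr>" + "".join(f"<td>{html.escape(c, quote=True)}</td>" for c in cells) + "</tr>"

def validate_record(rec: DeviceRecord) -> List[str]:
    # Server-side validation at ingestion, before scan data is stored:
    # returns the names of fields that fail the allow-list / markup checks.
    problems = []
    if not HOSTNAME_RE.match(rec.hostname):
        problems.append("hostname")
    for name, value in (("device_id", rec.device_id), ("os_name", rec.os_name)):
        if MARKUP_RE.search(value):
            problems.append(name)
    return problems

def audit_inventory(records: List[DeviceRecord]) -> List[str]:
    # Triage helper for already-stored data: ids of records with suspect fields.
    return [r.device_id for r in records if validate_record(r)]

# Constructed sample records: one benign, one with a planted script tag.
SAMPLE = [
    DeviceRecord("dev-001", "ws-finance-12", "Windows 11 Pro 23H2"),
    DeviceRecord("dev-002", "ws-hr-03", "Windows 10 <script>alert(1)</script>"),
]
```

Escaping at render time and validating at ingestion are complementary: the first protects the dashboard even if bad data is already stored, the second keeps it from being stored at all.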
Ivanti strongly recommends that users update to the latest version immediately to mitigate the risk. Security experts warn that leaving such a vulnerability unpatched could allow attackers to gain administrative privileges and compromise critical infrastructure within an organization. CISA has previously added several other EPM vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog, and it is expected that this newly disclosed flaw will be closely monitored and treated as a significant risk requiring urgent remediation.
