**Ivanti Warns Customers of New EPM Flaw Enabling Remote Code Execution**
A newly disclosed vulnerability in Ivanti's Endpoint Manager solution could let attackers execute code remotely, prompting the software firm to warn customers to address the issue immediately.
The vulnerability, tracked as CVE-2025-10573 (CVSS score 9.6), is a stored cross-site scripting (XSS) flaw that affects Ivanti Endpoint Manager prior to version 2024 SU4 SR1. According to Ivanti's advisory, an unauthenticated attacker can execute arbitrary JavaScript in the context of an administrator session; user interaction is the only requirement.
Ivanti EPM is a widely used solution for remote administration and vulnerability management, allowing authenticated admins to control and install software on endpoints. Its attractiveness as a target for attackers makes this flaw particularly concerning.
Rapid7 researchers warn that an unauthenticated attacker can register fake endpoints with Ivanti EPM and inject malicious JavaScript into the admin dashboard. When an administrator views the poisoned interface, the script executes and lets the attacker hijack the admin session.
Because this flaw requires no authentication, organizations are urged to patch immediately. "An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript," reads the report published by Rapid7.
"When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator's session."
Rapid7 researchers noted that the unauthenticated incomingdata API accepts device scan data and writes it to a processing directory, where it's later parsed and displayed on the admin dashboard. Attackers can submit scans containing malicious JavaScript, which is then embedded into the interface.
When an admin views affected pages, the script executes and lets the attacker hijack the session. This occurs because the CGI handler (postcgi.exe) processes key=value scan files without sanitizing input.
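The missing control described above is output encoding of scan values before they reach the dashboard. The following is an added illustration, not code from Ivanti or Rapid7: it parses key=value scan data, flags fields that carry markup, and HTML-encodes values at render time. The key names and sample data are constructed and do not reflect Ivanti's actual scan format.

```python
import html
import re

# Constructed sample of key=value scan data. Key names are hypothetical
# and are not taken from Ivanti's scan file format.
SAMPLE_SCAN = """\
Device Name=LAB-PC-01
OS Name=Windows 11
Owner=<script>/* constructed marker */</script>
Comment=disk < 10% free
"""

# Markup that has no place in an inventory field: an HTML tag
# (opening or closing) or a javascript: URL scheme.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|javascript\s*:", re.IGNORECASE)


def parse_scan(text):
    """Parse key=value lines, splitting on the first '=' so values may contain '='."""
    fields = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # skip blank or malformed lines
        key, value = line.split("=", 1)
        fields[key.strip()] = value.strip()
    return fields


def flag_fields(fields):
    """Return the sorted keys whose values contain HTML or script markup."""
    return sorted(k for k, v in fields.items() if SUSPICIOUS.search(v))


def render_row(key, value):
    """Encode key and value for HTML so the browser treats them as text."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(key), html.escape(value)
    )


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    print("flagged fields:", flag_fields(scan))
    for k, v in scan.items():
        print(render_row(k, v))
```

Flagging is a triage aid only; the encoding in `render_row` is what keeps a value such as the `Comment` field, which the pattern does not flag, from being interpreted as markup.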
Ivanti is not aware of any attacks in the wild exploiting this vulnerability. However, it's worth noting that in March, the U.S. cybersecurity agency CISA added multiple EPM vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.