Advisory

Ivanti patches critical XSS flaw and three high-severity flaws in Endpoint Manager

Take action: Make sure your Ivanti Endpoint Manager is isolated from the internet and accessible only from trusted networks. Then upgrade to version 2024 SU4 SR1 as soon as possible. The priority is the unauthenticated stored XSS vulnerability, which could let attackers take control of your system.


Learn More

Ivanti has released a security update for Ivanti Endpoint Manager (EPM) patching four vulnerabilities in the EPM core and remote consoles, including one critical severity flaw. 

Vulnerabilities summary:

  • CVE-2025-10573 (CVSS score 9.6) - Stored XSS vulnerability allowing a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. The flaw lies in the 'incomingdata' web API that processes device scan data: an unauthenticated attacker can submit device scan data containing malicious XSS payloads through a POST request to the postcgi.exe CGI binary. The submitted scan data, written in a simple key=value format, is automatically processed and embedded in the administrative web dashboard without proper sanitization. When an EPM administrator views dashboard pages displaying device information during normal use, the malicious JavaScript executes in their browser, giving the attacker control of the administrator's session.
  • CVE-2025-13659 (CVSS score 8.8) - Improper control of dynamically managed code resources allowing a remote unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution.
  • CVE-2025-13661 (CVSS score 7.1) - Path traversal vulnerability allowing a remote authenticated attacker to write arbitrary files outside the intended directory.
  • CVE-2025-13662 (CVSS score 7.8) - Improper verification of cryptographic signatures in the patch management component allowing a remote unauthenticated attacker to execute arbitrary code.
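To make the stored XSS mechanism concrete from the defender's side, the following added Python example (not Ivanti's code; the field names and sample records are constructed) parses key=value scan data, shows the unsafe rendering pattern beside an HTML-encoded one, and flags fields carrying markup so they can be reviewed before they ever reach an administrator's dashboard.

```python
import html
import re

# Constructed sample of the key=value scan format described in the advisory.
# The second record carries HTML markup in a field the dashboard would render;
# it is a constructed test value, not a payload taken from the advisory.
CONSTRUCTED_SCAN_DATA = """Device Name=WORKSTATION-01
Operating System=Windows 11
Device Name=<img src=x onerror="alert(1)">
Operating System=Windows 10"""

# Characters and schemes that have no business in a hostname or OS label.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def parse_scan_data(raw: str) -> list[dict[str, str]]:
    """Parse key=value lines into one dict per device.

    A 'Device Name' key starts a new record; lines without '=' are skipped.
    """
    records: list[dict[str, str]] = []
    current: dict[str, str] = {}
    for line in raw.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Device Name" and current:
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records


def render_row_unsafe(record: dict[str, str]) -> str:
    # Mirrors the defect class: untrusted values interpolated straight into HTML.
    return "<tr>" + "".join(f"<td>{v}</td>" for v in record.values()) + "</tr>"


def render_row_safe(record: dict[str, str]) -> str:
    # Hardened form: HTML-encode every untrusted value for the text context.
    cells = "".join(f"<td>{html.escape(v, quote=True)}</td>" for v in record.values())
    return "<tr>" + cells + "</tr>"


def flag_suspicious(records: list[dict[str, str]]) -> list[tuple[int, str]]:
    """Return (record index, field) pairs whose value contains markup."""
    return [(i, k) for i, r in enumerate(records) for k, v in r.items() if MARKUP.search(v)]
```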

The vulnerabilities affect Ivanti Endpoint Manager version 2024 SU4 and all prior versions. 

Ivanti has patched the security issues in EPM 2024 SU4 SR1, which is available for download through the Ivanti Licensing System (ILS) portal. The update applies to both EPM 2024 SU4 core consoles and remote consoles. Organizations are strongly urged to upgrade to the patched version as soon as possible.

For organizations unable to upgrade immediately, the recommended mitigations are:

  • For CVE-2025-10573, isolate the EPM solution from the internet.
  • For CVE-2025-13659, only connect EPM solutions to trusted servers.
  • For CVE-2025-13661 and CVE-2025-13662, only import trusted configuration files, as a best practice.

At the time of disclosure, Ivanti stated that it was not aware of any customers having been exploited through these vulnerabilities.
