Ivanti EPM Flaw: A Comedy of Errors with Serious Remote Code Risks!
Ivanti warns users of a new Endpoint Manager flaw, CVE-2025-10573, with a CVSS score of 9.6. The bug is a stored XSS: injected script runs in an administrator’s browser, letting attackers hijack admin sessions and, from there, reach remote code execution. Rapid7 researchers urge immediate patching to prevent becoming the accidental star of a cybersecurity horror-comedy.

Hot Take:
Looks like Ivanti’s Endpoint Manager has a new party trick, and it’s not the kind of magic we want to see. With a stored XSS vulnerability that could allow attackers to take over admin sessions, it’s like inviting hackers to a virtual jamboree! Time to patch up that party crasher before things get out of hand.
Key Points:
- The newly disclosed vulnerability, CVE-2025-10573, scores a 9.6 on the CVSS scale – high enough to make your cybersecurity team break out in a sweat.
- This is a stored XSS flaw, so the attacker needs no credentials: they register fake endpoints whose data carries malicious JavaScript, and that script fires in the browser of whichever admin later views the data, running with that admin’s session. The remote code execution comes from what a hijacked EPM admin session is allowed to do, not from the injected script on its own.
- Ivanti Endpoint Manager versions prior to 2024 SU4 SR1 are affected, so admins should scramble for the nearest patch.
- The entry point is an unauthenticated incomingdata API that accepts device scan data without sanitizing it, so whatever later renders those fields in the admin console renders the attacker’s script along with them.
- No known in-the-wild exploitation yet, but with past EPM vulnerabilities landing in CISA’s KEV catalog, it’s only a matter of time before someone tries their luck. Until the patch is on, treat anything that arrived through that endpoint as untrusted input.
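The rendering mistake behind a stored XSS of this kind, as an added illustration that is not Ivanti’s code and not Rapid7’s proof of concept: the record shape, field names and payload below are constructed for the example, and the output escaping and hostname check are generic fixes, not Ivanti’s patch. The point it makes is that a "device name" submitted by an unauthenticated client is attacker-controlled markup until the console escapes it.

```javascript
// Added example: how unsanitized device inventory data becomes stored XSS in
// an admin console, beside two fixes. Not Ivanti's code; everything here
// (records, field names, payload, helper names) is constructed for illustration.

// Constructed records, as a registration/scan endpoint might receive them.
const SCAN_RECORDS = [
  { deviceName: "LAPTOP-042", os: "Windows 11", lastUser: "alice" },
  {
    // Attacker-registered "endpoint": the device name is markup, not a name.
    deviceName: '<img src=x onerror="alert(document.cookie)">',
    os: "Windows 11",
    lastUser: "bob",
  },
];

// Vulnerable pattern: untrusted fields concatenated straight into HTML.
// Whoever opens the inventory page runs the payload with their own session.
function renderRowUnsafe(rec) {
  return `<tr><td>${rec.deviceName}</td><td>${rec.os}</td><td>${rec.lastUser}</td></tr>`;
}

// Output-side fix: HTML-escape every untrusted value where it is rendered.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderRowSafe(rec) {
  return `<tr><td>${escapeHtml(rec.deviceName)}</td><td>${escapeHtml(rec.os)}</td><td>${escapeHtml(rec.lastUser)}</td></tr>`;
}

// Input-side check (defense in depth, not a substitute for escaping):
// a device name that cannot be a hostname label should never be stored.
const HOSTNAME_RE = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;
function isPlausibleDeviceName(name) {
  return typeof name === "string" && HOSTNAME_RE.test(name);
}

// Review helper: does rendered HTML still contain a live inline event handler
// (an "on..." attribute inside a tag)? True for the unsafe render, false for the safe one.
function containsLiveHandler(html) {
  return /<[^>]*\son[a-z]+\s*=/i.test(html);
}

function renderInventory(records, renderRow) {
  return `<table>${records.map(renderRow).join("")}</table>`;
}

// Stand-alone demo: compare both renders of the same constructed records.
console.log("unsafe render carries handler:", containsLiveHandler(renderInventory(SCAN_RECORDS, renderRowUnsafe)));
console.log("safe render carries handler:  ", containsLiveHandler(renderInventory(SCAN_RECORDS, renderRowSafe)));
console.log("payload accepted as hostname: ", isPlausibleDeviceName(SCAN_RECORDS[1].deviceName));
```

Run it with Node; the unsafe table keeps the `onerror` handler intact, the safe table turns it into inert `&lt;img ...&gt;` text, and the hostname check would have rejected the record at the door. Neither fix is a patch for EPM itself; they show what the vendor-side correction has to achieve.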
