American IT software company Ivanti warned customers today to patch a newly disclosed vulnerability in its Endpoint Manager (EPM) solution that could allow attackers to execute code remotely.
Ivanti delivers system and IT asset management solutions to over 40,000 companies via a network of more than 7,000 organizations worldwide. The company's EPM software is an all-in-one endpoint management tool for managing client devices across popular platforms, including Windows, macOS, Linux, Chrome OS, and IoT.
Tracked as CVE-2025-10573, this critical security flaw can be exploited by remote, unauthenticated threat actors to execute arbitrary JavaScript code through low-complexity cross-site scripting attacks that require user interaction.
"An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript," explained Rapid7 staff security researcher Ryan Emmons, who reported the vulnerability in August.
"When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session."
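The bug class Emmons describes is a stored cross-site scripting flaw: a value supplied by a self-registered device is later placed into the administrator's dashboard without encoding. The following is an added illustration written for this article, not Ivanti's code and not a model of EPM's real data or templates; the endpoint records, field names and the `<script>` test string are all constructed. It shows a dashboard row built by naive concatenation beside the output-encoded version, plus a simple defender-side check that flags device registrations carrying markup characters.

```python
import html
import re

# Constructed sample of "endpoint" records as a management server might store them
# after a device joins. The second hostname is a constructed XSS test string; nothing
# here reflects Ivanti EPM's actual data model.
ENDPOINTS = [
    {"hostname": "ws-finance-01", "os": "Windows 11"},
    {"hostname": "<script>/*constructed*/</script>", "os": "Linux"},
]


def render_row_vulnerable(endpoint):
    """Builds a dashboard table row by string concatenation: any markup in a
    device-supplied field is emitted verbatim and becomes part of the page."""
    return f"<tr><td>{endpoint['hostname']}</td><td>{endpoint['os']}</td></tr>"


def render_row_hardened(endpoint):
    """Same row with every untrusted value HTML-entity-encoded before it is placed
    in element content, so '<' and '>' render as text rather than as tags."""
    return (
        f"<tr><td>{html.escape(endpoint['hostname'])}</td>"
        f"<td>{html.escape(endpoint['os'])}</td></tr>"
    )


# Characters a legitimate hostname or OS string never needs; their presence in a
# registration record is a cheap detection signal worth alerting on.
MARKUP = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def suspicious_registrations(endpoints):
    """Returns the hostnames of device records whose self-reported fields contain
    markup characters, so an operator can review them before they reach any UI."""
    return [
        e["hostname"]
        for e in endpoints
        if any(MARKUP.search(str(v)) for v in e.values())
    ]


def render_dashboard(endpoints, hardened=True):
    """Assembles the full table; hardened=False reproduces the vulnerable behaviour
    so the two outputs can be compared side by side."""
    render = render_row_hardened if hardened else render_row_vulnerable
    rows = "".join(render(e) for e in endpoints)
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    print("vulnerable:", render_dashboard(ENDPOINTS, hardened=False))
    print("hardened:  ", render_dashboard(ENDPOINTS))
    print("flagged:   ", suspicious_registrations(ENDPOINTS))
```

The encoded output is the fix; the registration check is a compensating control for the window before a patch lands, and it is intentionally conservative (it will also flag benign but unusual names, which is the right trade-off for a low-volume admin console).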
Ivanti released EPM 2024 SU4 SR1 to address the issue, and noted that the risk posed by this vulnerability should be significantly reduced because the EPM solution is not intended to be exposed to the Internet.
However, the Shadowserver threat monitoring platform currently tracks hundreds of Internet-facing Ivanti EPM instances, most of which are in the United States (569), Germany (109), and Japan (104).
Ivanti EPMM instances exposed online (Shadowserver)
Today, Ivanti also released security updates to address three high-severity vulnerabilities, two of which (CVE-2025-13659 and CVE-2025-13662) could allow unauthenticated attackers to execute arbitrary code on unpatched systems.
Luckily, successful exploitation of these also requires user interaction: the target must either connect to an untrusted core server or import untrusted configuration files.