CVE-2025-10573
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in Ivanti Endpoint Manager allows unauthenticated remote attackers to inject malicious JavaScript that executes when administrators view compromised pages. Attackers can hijack administrator sessions, potentially gaining full control of the endpoint management system. Organizations using Ivanti Endpoint Manager versions prior to 2024 SU4 SR1 are affected.
💻 Affected Systems
- Ivanti Endpoint Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the endpoint management system leading to lateral movement across the network, deployment of malware to all managed endpoints, and credential theft from administrators.
Likely Case
Session hijacking of administrator accounts leading to unauthorized access to endpoint management functions, potential data exfiltration, and limited system modifications.
If Mitigated
Isolated impact limited to the endpoint management console with no lateral movement due to network segmentation and proper access controls.
🎯 Exploit Status
Stored XSS vulnerabilities typically have low exploitation complexity once the injection point is identified. The requirement for administrator interaction adds a step but doesn't significantly increase complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024 SU4 SR1
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024
Restart Required: Yes
Instructions:
1. Download Ivanti Endpoint Manager 2024 SU4 SR1 from the Ivanti support portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart the Ivanti Endpoint Manager services.
5. Verify the successful update through the console.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation and output encoding for user-controllable data in the affected components
Content Security Policy
Implement strict Content Security Policy headers to restrict script execution
🧯 If You Can't Patch
- Implement network segmentation to isolate the Ivanti Endpoint Manager console from general user networks
- Enforce strict access controls and multi-factor authentication for all administrator accounts
🔍 How to Verify
Check if Vulnerable:
Check the Ivanti Endpoint Manager version in the console under Help > About. If the version is earlier than 2024 SU4 SR1, the system is vulnerable.
Check Version:
In Ivanti EPM console: Navigate to Help > About to view version information
Verify Fix Applied:
After patching, verify the version shows 2024 SU4 SR1 or later in the console. Test XSS payloads in previously vulnerable input fields to confirm sanitization.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript payloads in HTTP requests
- Multiple failed login attempts followed by a successful login from the same IP
- Administrator session tokens being used from unexpected locations
Network Indicators:
- HTTP requests containing script tags or JavaScript functions to Ivanti EPM endpoints
- Unusual outbound connections from the EPM server
SIEM Query:
source="ivanti_epm" AND (http_request CONTAINS "<script>" OR http_request CONTAINS "javascript:" OR http_request CONTAINS "onerror=" OR http_request CONTAINS "onload=")
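The SIEM query above matches the four marker strings literally, so a percent-encoded or mixed-case request body would slip past it. As an added example (not from this page or from Ivanti), the following Python scan applies the same four markers to constructed web-server log lines after percent-decoding and lower-casing the request target; the log format and the /console/ paths are hypothetical and do not correspond to real EPM routes.

```python
import re
from urllib.parse import unquote_plus

# The four substrings from the page's SIEM query, matched case-insensitively
# after percent-decoding so that URL-encoded variants are not missed.
XSS_MARKERS = ("<script>", "javascript:", "onerror=", "onload=")

# Constructed sample log lines in a common-log-format style; the paths are
# hypothetical and do not refer to real Ivanti EPM routes.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Dec/2025:10:00:01 +0000] "GET /console/report?name=weekly HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2025:10:00:02 +0000] "POST /console/notes?text=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Dec/2025:10:00:03 +0000] "GET /console/item?img=x%20ONERROR%3Dfetch(1) HTTP/1.1" 200 88',
    '10.0.0.7 - - [01/Dec/2025:10:00:04 +0000] "GET /console/help?q=javascript%3Aalert HTTP/1.1" 200 40',
]

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def decode_request(target):
    """Percent-decode repeatedly (at most 3 rounds) to defeat double-encoding, then lower-case."""
    decoded = target
    for _ in range(3):
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def find_markers(line):
    """Return the list of XSS markers present in one request line (empty if none)."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    decoded = decode_request(m.group("target"))
    return [k for k in XSS_MARKERS if k in decoded]


def scan_logs(lines):
    """Return (ip, timestamp, markers) for every line that triggers the rule."""
    hits = []
    for line in lines:
        markers = find_markers(line)
        if markers:
            m = REQUEST_RE.match(line)
            hits.append((m.group("ip"), m.group("ts"), markers))
    return hits


if __name__ == "__main__":
    for ip, ts, markers in scan_logs(SAMPLE_LOGS):
        print(f"{ts} {ip} matched {markers}")
```

The decoding step is what separates this from the literal query: the third sample line is caught only because `%3D` becomes `=` and `ONERROR` is lower-cased before comparison.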