Ivanti Endpoint Manager Vulnerability Allows Admin Session Hijacking; Update Urgently Needed

Critical Ivanti Endpoint Manager Vulnerability Enables Admin Session Hijacking via Stored XSS

A critical security flaw has been identified in Ivanti Endpoint Manager (EPM) versions 2024 SU4 and earlier, posing a significant risk to organizations utilizing this software for endpoint management. The vulnerability, designated as CVE-2025-10573, is a stored cross-site scripting (XSS) issue that allows unauthenticated attackers to hijack administrator sessions, potentially leading to full system compromise.

Vulnerability Overview

CVE-2025-10573 has been assigned a CVSS score of 9.6, reflecting its high severity. The flaw resides in the ‘incomingdata’ web API of Ivanti EPM, which processes device scan data without adequate input validation. This oversight enables attackers to inject malicious JavaScript payloads into the system.

Exploitation Mechanism

Attackers can exploit this vulnerability by sending crafted POST requests to the ‘/incomingdata/postcgi.exe’ endpoint. These requests contain XSS payloads embedded in device scan fields such as Device ID, Display Name, or OS Name. Due to insufficient sanitization, these malicious scripts are stored in the device database. When an administrator accesses the web dashboard pages displaying this device information, the scripts execute in their browser, granting the attacker control over the administrator’s session.
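The two layers a defender would want around this data path, shown as an added Python example that is not Ivanti's code and does not model EPM's real internals: strict allowlist validation of the three named scan fields at ingest, and HTML encoding of stored values at render time. The field patterns, record shape and sample records are constructed for this example.

```python
import html
import re

# The device scan fields the advisory names as injection points.
SCAN_FIELDS = ("device_id", "display_name", "os_name")

# Hypothetical per-field allowlists for this example; a real product would derive
# them from the value formats its agents actually emit.
FIELD_PATTERNS = {
    "device_id": re.compile(r"^[A-Za-z0-9\-]{1,64}$"),
    "display_name": re.compile(r"^[A-Za-z0-9 ._\-]{1,128}$"),
    "os_name": re.compile(r"^[A-Za-z0-9 ().,_\-]{1,128}$"),
}


def validate_scan(record):
    """Return the names of fields that fail their allowlist (empty list = accept)."""
    failed = []
    for field in SCAN_FIELDS:
        value = record.get(field, "")
        if not FIELD_PATTERNS[field].match(value):
            failed.append(field)
    return failed


def render_row_vulnerable(record):
    """Interpolate stored fields straight into HTML: the pattern behind a stored XSS."""
    return "<tr><td>{device_id}</td><td>{display_name}</td><td>{os_name}</td></tr>".format(**record)


def render_row_hardened(record):
    """Encode every field for an HTML text context before interpolation."""
    cells = "".join(f"<td>{html.escape(record[f], quote=True)}</td>" for f in SCAN_FIELDS)
    return f"<tr>{cells}</tr>"


# Constructed sample records: one well-formed, one carrying markup in Display Name.
CLEAN_RECORD = {"device_id": "WS-0042", "display_name": "Finance Laptop 7", "os_name": "Windows 11 Pro"}
TAINTED_RECORD = {"device_id": "WS-0043", "display_name": "<script>alert(1)</script>", "os_name": "Windows 11 Pro"}

if __name__ == "__main__":
    for rec in (CLEAN_RECORD, TAINTED_RECORD):
        print(validate_scan(rec), render_row_hardened(rec))
```

Validation at ingest keeps markup out of the database; encoding at render keeps anything that did get stored from executing. The hardened renderer only covers an HTML text context; values placed into attributes, URLs or inline script need the encoding for that context instead.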

Potential Impact

Successful exploitation of this vulnerability allows attackers to:

– Gain unauthorized access to the EPM system.

– Execute arbitrary commands with administrative privileges.

– Deploy malware or unauthorized software across managed endpoints.

– Exfiltrate sensitive data from the organization’s network.

Given the widespread use of Ivanti EPM for remote administration, vulnerability scanning, and compliance management, this flaw presents a substantial threat to organizational security.

Mitigation Measures

Ivanti has addressed this vulnerability in the release of EPM version 2024 SU4 SR1 on December 9, 2025. Organizations are strongly advised to:

1. Update Software: Immediately upgrade to Ivanti EPM version 2024 SU4 SR1 to remediate the vulnerability.

2. Review Access Controls: Ensure that access to the EPM web service is restricted to authorized personnel only.

3. Monitor System Logs: Regularly review logs for any unusual activity that may indicate exploitation attempts.

4. Educate Administrators: Train administrators to recognize signs of compromise and to follow best practices for secure system management.
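For steps 2 and 3, an added Python example (not Ivanti's tooling) of the two checks an incident responder would run after patching: an audit of the stored device inventory for markup in the three named fields, and a count of POSTs to the ‘/incomingdata/postcgi.exe’ endpoint by source address outside the ranges where managed agents are expected. The record shape, the simplified log format, the trusted address prefix and all sample data are constructed for this example.

```python
import re
from collections import Counter

SCAN_FIELDS = ("device_id", "display_name", "os_name")

# Markup indicators: a tag opener, an on* event handler, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def audit_inventory(records):
    """Return (device_id, field) pairs whose stored value contains markup."""
    hits = []
    for rec in records:
        for field in SCAN_FIELDS:
            if MARKUP_RE.search(rec.get(field, "")):
                hits.append((rec.get("device_id", "?"), field))
    return hits


# Constructed, simplified access-log format: "<ip> <method> <path> <status>".
LOG_LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
TARGET_PATH = "/incomingdata/postcgi.exe"


def count_posts_by_source(log_lines, trusted_prefixes=("10.0.",)):
    """Count POSTs to the scan endpoint per source IP outside the trusted agent ranges.

    trusted_prefixes is a hypothetical placeholder; replace it with the address
    ranges where your managed agents actually live.
    """
    counts = Counter()
    for line in log_lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue
        if m["method"] == "POST" and m["path"].lower().startswith(TARGET_PATH):
            if not m["ip"].startswith(trusted_prefixes):
                counts[m["ip"]] += 1
    return counts


# Constructed sample inventory and log lines.
SAMPLE_INVENTORY = [
    {"device_id": "WS-0042", "display_name": "Finance Laptop 7", "os_name": "Windows 11 Pro"},
    {"device_id": "WS-0043", "display_name": "<script>alert(1)</script>", "os_name": "Windows 11 Pro"},
    {"device_id": "WS-0044", "display_name": "HR Desktop", "os_name": "Windows<img src=x onerror=alert(1)>"},
]
SAMPLE_LOG = [
    "10.0.5.12 POST /incomingdata/postcgi.exe 200",
    "10.0.5.13 POST /incomingdata/postcgi.exe 200",
    "203.0.113.7 POST /incomingdata/postcgi.exe 200",
    "203.0.113.7 POST /incomingdata/postcgi.exe 200",
    "203.0.113.7 GET /login 200",
    "198.51.100.9 POST /incomingdata/postcgi.exe 500",
]

if __name__ == "__main__":
    print(audit_inventory(SAMPLE_INVENTORY))
    print(count_posts_by_source(SAMPLE_LOG))
```

The markup regex is a triage aid rather than a verdict: any record it flags should be inspected by hand and the originating submissions pulled from the web logs, and a legitimate name containing an angle bracket will show up as a false positive. The per-source count is most useful when joined with the list of addresses that are supposed to run the agent.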

Conclusion

The discovery of CVE-2025-10573 underscores the critical importance of timely software updates and vigilant security practices. Organizations utilizing Ivanti EPM must act swiftly to apply the necessary patches and implement robust security measures to protect against potential exploits.