Ivanti Endpoint Manager Vulnerability CVE-2025-10573 Threatens System Integrity with Stored XSS Exploit

A critical security flaw has been identified in Ivanti Endpoint Manager (EPM) versions 2024 SU4 and earlier, posing a significant risk to organizations utilizing this software for endpoint management. The vulnerability, designated as CVE-2025-10573, is a stored cross-site scripting (XSS) issue that could allow unauthenticated attackers to hijack administrator sessions, potentially leading to full system compromise.

Vulnerability Overview

CVE-2025-10573 has been assigned a CVSS score of 9.6, reflecting its high severity. The flaw resides in the ‘incomingdata’ web API of Ivanti EPM, which processes device scan data without adequate input validation. This oversight enables attackers to inject malicious JavaScript code into the system.

Exploitation Mechanism

An unauthenticated attacker can exploit this vulnerability by submitting a specially crafted POST request to the ‘/incomingdata/postcgi.exe’ endpoint. This request includes XSS payloads embedded in device scan fields such as Device ID, Display Name, or OS Name. Due to insufficient sanitization, these payloads are stored in the device database. When an administrator accesses the web dashboard pages displaying this device information, the malicious scripts execute in their browser, leading to session hijacking.

Potential Impact

Successful exploitation of this vulnerability grants attackers the ability to:

– Gain unauthorized access to the EPM system.

– Execute arbitrary commands with administrative privileges.

– Deploy malware or unauthorized software across managed endpoints.

– Exfiltrate sensitive data from the network.

Given the widespread use of Ivanti EPM for remote administration, vulnerability scanning, and compliance management, this flaw poses a substantial threat to organizational security.

Mitigation Measures

Ivanti has addressed this vulnerability with the release of EPM version 2024 SU4 SR1 on December 9, 2025. Organizations are strongly advised to:

1. Update Immediately: Upgrade to Ivanti EPM version 2024 SU4 SR1 to remediate the vulnerability.

2. Review Access Controls: Ensure that only authorized personnel have access to the EPM web interface.

3. Monitor System Logs: Regularly inspect logs for unusual activities that may indicate exploitation attempts.

4. Educate Administrators: Train staff to recognize and report suspicious behavior within the EPM dashboard.
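
As a supplement to the log-monitoring step, the following added example (not Ivanti code and not from the original advisory) scans an exported device inventory for HTML or script markup in the three fields named under Exploitation Mechanism. The CSV layout, the column names DeviceID, DisplayName and OSName, and the sample rows are assumptions constructed for illustration; map them to whatever your own export uses.

```python
import csv
import html
import io
import re
import urllib.parse

# Fields the article names as injection points. The column names are
# assumed; map them to the columns of your own inventory export.
SCAN_FIELDS = ("DeviceID", "DisplayName", "OSName")

# Markup that has no business in a device identifier, name or OS string.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"      # start of any HTML tag or comment
    r"|\bon[a-z]+\s*="      # inline event handler attribute
    r"|javascript\s*:",     # javascript: URL scheme
    re.IGNORECASE,
)

def normalize(value, rounds=3):
    """Undo percent-encoding and HTML entities (possibly nested) before matching."""
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def find_suspect_records(csv_text):
    """Return (row_number, field, raw_value) for each field containing markup."""
    hits = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        for field in SCAN_FIELDS:
            raw = row.get(field) or ""
            if SUSPICIOUS.search(normalize(raw)):
                hits.append((row_no, field, raw))
    return hits

# Constructed sample export; the markup is inert placeholder text.
SAMPLE_EXPORT = """DeviceID,DisplayName,OSName
{A1B2},FINANCE-LT-014,Windows 11 Enterprise
{C3D4},<img src=x onerror=PLACEHOLDER>,Windows 10 Pro
{E5F6},KIOSK-03,%3Cscript%3EPLACEHOLDER%3C/script%3E
{0789},R&D-LAB-01,Windows Server 2022
"""

if __name__ == "__main__":
    for row_no, field, raw in find_suspect_records(SAMPLE_EXPORT):
        # Escape before printing so the report itself never renders markup.
        print(f"row {row_no}: {field} = {html.escape(raw)}")
```

A hit means a stored value deserves review before an administrator opens the device in the dashboard; it does not replace upgrading to 2024 SU4 SR1.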

Conclusion

The discovery of CVE-2025-10573 underscores the critical importance of proactive vulnerability management and timely software updates. Organizations utilizing Ivanti EPM must act swiftly to apply the necessary patches and implement robust security practices to safeguard their systems against potential exploitation.