Ivanti Releases Critical Security Updates for Endpoint Manager to Address Code Execution Vulnerabilities
Ivanti has issued a critical security update for its Endpoint Manager (EPM) software, addressing four significant vulnerabilities that could allow attackers to execute arbitrary code, write files on the server, or bypass security restrictions. Administrators are strongly urged to apply these patches immediately to safeguard their systems.
Overview of Vulnerabilities
The security flaws affect Ivanti Endpoint Manager versions 2024 SU4 and earlier. To mitigate these issues, Ivanti has released version 2024 SU4 SR1, now available through the Ivanti License System (ILS).
Critical Vulnerability: CVE-2025-10573
The most severe of the vulnerabilities, CVE-2025-10573, is a Stored Cross-Site Scripting (XSS) flaw with a CVSS score of 9.6. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary JavaScript within an administrator’s session, potentially compromising administrative confidentiality and integrity. Exploitation requires user interaction but poses a significant risk.
High-Severity Vulnerabilities
In addition to the critical XSS flaw, Ivanti addressed three high-severity vulnerabilities:
– CVE-2025-13659: This issue involves improper control of dynamically managed code resources, enabling unauthenticated attackers to write arbitrary files on the server, which could lead to remote code execution.
– CVE-2025-13661: A path traversal vulnerability that allows authenticated attackers to write files outside intended directories.
– CVE-2025-13662: This flaw pertains to improper verification of cryptographic signatures in patch management, potentially allowing arbitrary code execution.
Mitigation Measures
Ivanti emphasizes that Endpoint Manager is not intended to be an internet-facing solution. Organizations that have ensured their management interface is not exposed to the public internet significantly reduce the risk associated with these vulnerabilities. However, applying the provided patches remains the primary defense.
Acknowledgments
The discovery of these vulnerabilities was credited to several security researchers working through responsible disclosure channels. Ivanti acknowledged the contributions of Ryan Emmons from Rapid7 for identifying the critical XSS flaw, Piotr Bazydlo (@chudyPB) of watchTowr for the file writing vulnerability, and researchers working with the Trend Zero Day Initiative for the remaining path traversal and signature verification issues.
Conclusion
Given the severity of these vulnerabilities, it is imperative for organizations using Ivanti Endpoint Manager to apply the latest security updates without delay. Ensuring that management interfaces are not exposed to the public internet further mitigates potential risks.
