Mallory

Critical Remote Code Execution Vulnerability in Ivanti Endpoint Manager (CVE-2025-10573)

Tags: remote code execution, Endpoint Manager, managed endpoints, security update, endpoint management, attack vector, CVSS, Ivanti, cross-site scripting, exploit, vulnerability, Rapid7, high-severity, XSS, unauthenticated
Updated December 11, 2025 at 10:06 AM · 9 sources


Ivanti has disclosed a critical vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) software, which allows unauthenticated remote attackers to execute arbitrary JavaScript code via a stored cross-site scripting (XSS) attack. The flaw enables attackers to register fake managed endpoints to the EPM server, thereby injecting malicious JavaScript into the administrator web dashboard. When an administrator interacts with the compromised dashboard, the attacker can hijack the session and potentially gain full control over the EPM environment. Ivanti has released a patch (EPM 2024 SU4 SR1) to address this issue and strongly urges customers to update, especially since hundreds of EPM instances are exposed to the internet, increasing the risk of exploitation.

The vulnerability, assigned a CVSS score of 9.6, affects EPM versions 2024 SU4 and below. Security researchers at Rapid7, who discovered and reported the flaw, emphasize the urgency of patching due to the unauthenticated nature of the attack vector. Ivanti EPM is widely used for endpoint management, remote administration, and compliance, making it a high-value target for attackers. In addition to CVE-2025-10573, Ivanti has also released fixes for three other high-severity vulnerabilities in the same update cycle. Security teams are advised to apply the latest patches immediately and review the exposure of EPM instances to the internet to mitigate the risk of compromise.
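As an added defender-side example (not code from Ivanti, Rapid7 or the original article), the following Python audits a constructed endpoint-inventory export for the pattern the advisory describes: a forged registration whose device name carries HTML or script markup that a dashboard could render unescaped. The record field names, the inventory shape and the trusted agent networks are assumptions; `render_cell` shows the output encoding a dashboard needs on any untrusted inventory field.

```python
import html
import ipaddress
import re

# Hostname allow-list: letters, digits and hyphens in labels of 1-63 chars.
# Angle brackets, quotes and spaces have no business in a device name.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
# Markup that becomes active if a dashboard inserts the name as raw HTML.
ACTIVE_MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=", re.I)

# Networks from which legitimate agents are expected to register (assumed).
TRUSTED_AGENT_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]


def review_registration(record):
    """Return the reasons a registration looks forged; [] means nothing found."""
    reasons = []
    name = record.get("device_name", "")
    if ACTIVE_MARKUP_RE.search(name):
        reasons.append("device_name contains script/markup")
    elif not HOSTNAME_RE.match(name):
        reasons.append("device_name is not a valid hostname")
    src = ipaddress.ip_address(record["registered_from"])
    if not any(src in net for net in TRUSTED_AGENT_NETS):
        reasons.append(f"registered from untrusted network {src}")
    return reasons


def render_cell(value):
    """Output-encode an untrusted inventory field before it reaches dashboard HTML.
    This is the rendering-side fix a stored-XSS bug of this class needs."""
    return html.escape(value, quote=True)


def audit(records):
    """Run review_registration over an inventory export; return flagged entries."""
    flagged = []
    for record in records:
        reasons = review_registration(record)
        if reasons:
            flagged.append((record["device_name"], reasons))
    return flagged


# Constructed sample inventory (hypothetical field names). The third record
# mimics a forged registration carrying markup in its name, as the advisory describes.
SAMPLE_INVENTORY = [
    {"device_name": "WS-FINANCE-017", "registered_from": "10.20.1.17"},
    {"device_name": "lt-sales-042.corp.example", "registered_from": "192.168.3.42"},
    {"device_name": "SRV<script>alert(1)</script>", "registered_from": "203.0.113.45"},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_INVENTORY):
        print(f"FLAGGED {render_cell(name)}: {'; '.join(reasons)}")
```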

Sources

December 10, 2025 at 12:00 AM

4 more from sources like rapid7 blog, securityaffairs, bleeping computer and cyber security news

Related Stories

Multiple High-Severity Vulnerabilities in Ivanti Endpoint Manager Including Remote Code Execution and SQL Injection

Ivanti Endpoint Manager has been found to contain a total of 13 security vulnerabilities, including high-severity remote code execution (RCE) and 11 SQL injection flaws. Security researchers disclosed that these vulnerabilities could allow attackers to compromise systems managed by Ivanti Endpoint Manager, a widely used enterprise IT management solution. Among the most critical issues is CVE-2025-9713, which enables remote, unauthenticated attackers to achieve code execution through a path traversal flaw, provided user interaction occurs. The CVSS score for this vulnerability is 8.8, indicating a high risk to organizations using affected versions. The vulnerabilities were publicly disclosed in mid-October 2025, prompting urgent attention from security teams. The SQL injection vulnerabilities could allow attackers to manipulate backend databases, potentially leading to data exfiltration or further compromise of the management infrastructure. The RCE flaw, in particular, poses a significant threat as it could be exploited remotely, increasing the attack surface for threat actors. Ivanti has not yet published a comprehensive list of affected product versions, but the risk profile suggests that a broad range of deployments may be impacted. Security advisories recommend immediate review of Ivanti Endpoint Manager deployments and the application of any available patches or mitigations. Organizations are urged to monitor for signs of exploitation and to implement network segmentation to limit potential lateral movement. The vulnerabilities highlight the ongoing risks associated with enterprise management platforms, which often have elevated privileges across corporate environments. No reports of active exploitation have been confirmed at the time of disclosure, but the technical details suggest that exploitation would be feasible for skilled attackers. 
The disclosure underscores the importance of timely vulnerability management and the need for robust monitoring of critical IT infrastructure. Security teams should prioritize patching and consider additional controls such as application whitelisting and enhanced logging. The incident serves as a reminder of the potential impact of vulnerabilities in widely deployed enterprise software. Given the severity and nature of the flaws, organizations should treat this as a high-priority security event. The situation remains dynamic as further technical details and remediation guidance are expected from Ivanti and the security community.

5 months ago

Multiple Remote Code Execution Vulnerabilities in Ivanti Endpoint Manager

Ivanti Endpoint Manager has been found to contain several critical vulnerabilities that could allow remote code execution (RCE) by attackers. The Zero Day Initiative (ZDI) disclosed thirteen vulnerabilities affecting undisclosed versions of Ivanti Endpoint Manager, with several remaining unpatched at the time of disclosure. Among these, ZDI-25-935 is particularly severe, enabling a remote, unauthenticated attacker to achieve RCE if they can trick a user into visiting a malicious webpage or opening a malicious file. Alternatively, attackers with administrative credentials can exploit this vulnerability without user interaction. This flaw arises from improper validation of user-supplied paths in the OnSaveToDB method, resulting in a path traversal vulnerability. Another significant vulnerability, ZDI-25-952 (CVE-2025-9872), involves the UniqueFilename attribute, where insufficient validation allows unrestricted file uploads. Exploitation of this flaw enables attackers to execute arbitrary code in the context of the NETWORK SERVICE account, again requiring either user interaction or administrative credentials. The CVSS score for these vulnerabilities is high, with ZDI-25-935 and ZDI-25-952 both rated at 8.8, indicating a critical risk to organizations using affected versions of Ivanti Endpoint Manager. Additional vulnerabilities, such as ZDI-25-936 and ZDI-25-947, involve SQL injection and privilege escalation, further increasing the attack surface. The SQL injection vulnerabilities stem from improper validation of user-supplied strings in the Report_Run and Report_Run2 classes, allowing attackers to execute code as the service account. Ivanti has responded by issuing updates to address at least some of these vulnerabilities, specifically releasing a patch for CVE-2025-9872. The vulnerabilities were reported to Ivanti in June 2025, with coordinated public disclosure occurring in October 2025. 
Attackers exploiting these flaws could gain significant control over affected systems, potentially leading to data theft, lateral movement, or disruption of endpoint management operations. Organizations are strongly advised to identify Ivanti Endpoint Manager installations within their networks and apply the latest security updates as soon as possible. The vulnerabilities highlight the importance of robust input validation and secure file handling in enterprise software. Security teams should also review user privileges and monitor for suspicious activity related to file uploads or unusual database queries. Given the critical nature of these vulnerabilities and the potential for exploitation, prompt remediation and heightened vigilance are essential for organizations relying on Ivanti Endpoint Manager.

5 months ago

Ivanti Endpoint Manager Authentication Bypass and SQL Injection Vulnerabilities

Ivanti released security updates for *Endpoint Manager (EPM)* to fix two vulnerabilities affecting **EPM 2024 SU4 SR1 and earlier**: **CVE-2026-1603** (CVSS 8.6) and **CVE-2026-1602** (CVSS 6.5). CVE-2026-1603 is an **authentication bypass** that can be exploited by a **remote, unauthenticated** attacker to access/leak specific **stored credential data**, creating a high-risk path to credential exposure and follow-on compromise in environments where EPM operates with elevated privileges across endpoints. CVE-2026-1602 is a **SQL injection** issue that requires **authentication** and can allow a remote authenticated attacker to **read arbitrary data from the EPM database**, driving confidentiality risk (data leakage) rather than integrity/availability impact. The fixed release is **EPM 2024 SU5**, and the update also addresses **11 medium-severity vulnerabilities** previously disclosed in October 2025; organizations running affected versions were advised to patch immediately due to the platform’s central role in enterprise endpoint administration.

1 month ago
