Ivanti has released security updates for its Endpoint Manager (EPM) platform after disclosing one critical and three high-severity vulnerabilities that could allow attackers to execute code, write arbitrary files, or hijack administrator sessions.
The flaws affect EPM 2024 SU4 and all earlier versions, with fixes available in EPM 2024 SU4 SR1.
The most severe issue, CVE-2025-10573, with a CVSS of 9.6, stems from stored cross-site scripting in the product’s core and remote consoles.
“An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript,” explained Ryan Emmons, Staff Security Researcher at Rapid7, in a recent advisory.
“When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage, that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session.” Rapid7 said its researchers reported the issue in August under responsible disclosure.
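The mechanism Rapid7 describes is a classic stored cross-site scripting chain: data supplied by an untrusted, self-registered endpoint (its reported hostname, for instance) is later rendered into an administrator's page without output encoding. The following example is added here for illustration and is not Ivanti's code; the endpoint record shape, the field names, and the sample payload are all constructed. It shows the vulnerable string-concatenation pattern next to an escaped rendering, plus an input-validation gate that rejects registrations whose identity fields carry HTML metacharacters.

```javascript
// Added example (hypothetical dashboard code, not Ivanti EPM's): rendering fields that
// a managed endpoint reports about itself into an administrator's HTML dashboard.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for the HTML text/attribute context so it can never start a tag or script.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: endpoint-supplied strings are concatenated straight into the markup.
// Whatever the endpoint reported as its hostname becomes part of the admin's page.
function renderRowUnsafe(endpoint) {
  return `<tr><td>${endpoint.hostname}</td><td>${endpoint.os}</td></tr>`;
}

// Hardened pattern: every untrusted field is escaped at the point where it enters HTML.
function renderRowSafe(endpoint) {
  return `<tr><td>${escapeHtml(endpoint.hostname)}</td><td>${escapeHtml(endpoint.os)}</td></tr>`;
}

// Defence in depth at registration time: an endpoint identity that is not a plausible
// hostname, or an OS string containing markup characters, is rejected before it is stored.
// (Output encoding above is the primary control; this check only narrows what gets persisted.)
const HOSTNAME_RE = /^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$/;
function validateRegistration(endpoint) {
  const problems = [];
  if (!HOSTNAME_RE.test(endpoint.hostname)) problems.push('hostname');
  if (/[<>"'&]/.test(endpoint.os)) problems.push('os');
  return problems; // empty array means the registration is acceptable
}

// Detection helper used in the demo: does rendered markup still contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample data: one legitimate endpoint and one whose reported hostname
// is a script payload (stand-in for the "fake managed endpoint" in the advisory).
const SAMPLE_ENDPOINTS = [
  { hostname: 'ws-finance-01', os: 'Windows 11' },
  { hostname: '<script>alert(1)</script>', os: 'Windows 11' },
];

for (const ep of SAMPLE_ENDPOINTS) {
  console.log('registration problems:', validateRegistration(ep));
  console.log('unsafe render executes script:', containsScriptTag(renderRowUnsafe(ep)));
  console.log('safe render executes script:  ', containsScriptTag(renderRowSafe(ep)));
}
```

The escaping function is deliberately context-specific: it is correct for HTML text and quoted attribute values, but data placed into a JavaScript block, a URL, or a CSS property needs the encoder for that context instead. A Content-Security-Policy that disallows inline script would further limit what a stored payload could do if an unescaped sink were missed.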
Ivanti stated that no exploitation has been observed and emphasized that EPM is not designed to be internet-facing. However, independent scans from sources such as Shadowserver indicate that hundreds of EPM instances remain exposed online.
Three Additional High-Severity Bugs
Ivanti also patched CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662, with CVSS scores ranging from 7.1 to 8.8.
These flaws involve improper handling of dynamically managed code, path traversal, and signature verification failures, respectively.
In some cases, attackers could write arbitrary files or trigger Remote Code Execution (RCE) if a target system connected to an untrusted core server (CVE-2025-13659) or imported untrusted configuration files (CVE-2025-13661 & CVE-2025-13662).
Ivanti published mitigation guidance noting that while exploitation requires user interaction, organizations should still upgrade immediately. Details are available in the Ivanti support portal and vulnerability advisory.
Security teams should also validate whether any EPM components are reachable from the public internet.