Ivanti warns of a critical EPM flaw that lets attackers hijack admin sessions. Hundreds of systems exposed. Patch to CVE-2025-10573 now.

Continue reading
Ivanti has released an urgent patch for a critical stored cross-site scripting vulnerability in Endpoint Manager that allows unauthenticated attackers to hijack administrator sessions and take control of managed environments. The flaw, tracked as CVE-2025-10573, carries a CVSS score of 9.6 and was patched on December 9 in Ivanti EPM 2024 SU4 SR1.
Although there is no confirmed evidence of active exploitation, the combination of low attack complexity and widespread internet exposure makes immediate remediation essential.
The vulnerability exists in an unauthenticated API endpoint that accepts device scan data. An attacker can submit a malicious scan payload containing JavaScript. That input is stored and later rendered unsafely in the EPM administrator web dashboard. When an administrator opens the dashboard, the embedded script executes in the administrator’s browser and can grant the attacker complete administrative control.
The chain of events requires only one passive step from an administrator: viewing the compromised dashboard. No prior authentication is necessary to inject the payload, and no complex interaction is needed from the admin beyond loading the page.
Exploitation yields the same privileges as a compromised administrator. In Endpoint Manager, those privileges enable remote administration, software deployment, and vulnerability management across Windows, macOS, Linux, and other platforms. In practical terms, a successful exploit can lead to full network compromise.
Ivanti’s guidance states EPM is not intended to be internet-facing. Real-world telemetry shows otherwise. Hundreds of EPM instances are reachable from the public internet, with notable concentrations in the United States, Germany, and Japan. That misconfiguration amplifies risk and simplifies attackers’ ability to reach vulnerable targets.
The only complete remediation is to install Ivanti EPM 2024 SU4 SR1. Ivanti also released fixes for multiple other high-severity issues in the same update.
Until systems are patched, apply the following mitigations:
• Immediately remove public internet access to management consoles. • Restrict access to EPM servers to trusted administrative networks only. • Implement network segmentation and firewall rules to limit exposure. • Apply web application controls that block suspicious POST traffic to the `/incomingdata` endpoint.
This disclosure follows a string of critical EPM vulnerabilities documented earlier in the year. Those prior issues were linked to active exploitation, and federal agencies were advised to prioritize patching. Given the history and the low effort required to weaponize stored XSS against administrators, organizations should treat this advisory as a high priority.
A single administrator click is all an attacker needs to gain full administrative control of an exposed EPM instance. Given the scale of internet-facing systems and the critical role EPM plays in endpoint management, applying the update and removing public exposure are the most decisive actions defenders can take.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation