Ivanti has rolled out an urgent security update for its Endpoint Manager (EPM) solution, patching a cluster of severe vulnerabilities that could allow attackers to execute arbitrary code or hijack administrator sessions. The update addresses four distinct flaws, including one critical issue carrying a near-maximum severity score.
The most severe vulnerability, tracked as CVE-2025-10573, is a Stored Cross-Site Scripting (XSS) flaw with a CVSS score of 9.6. This vulnerability affects EPM versions prior to 2024 SU4 SR1.
According to the advisory, the flaw “allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session”. While user interaction is required—likely tricking an admin into viewing a malicious page—the potential for full session hijacking makes this a top priority for defenders.
Alongside the critical XSS bug, Ivanti patched three high-severity vulnerabilities that expose the system to Remote Code Execution (RCE) and unauthorized file manipulation:
- Arbitrary File Write (CVE-2025-13659): Rated CVSS 8.8, this flaw involves the “improper control of dynamically managed code resources,” allowing a remote, unauthenticated attacker to write arbitrary files to the server. This could potentially lead to remote code execution.
- Signature Verification Failure (CVE-2025-13662): With a CVSS score of 7.8, this vulnerability stems from “improper verification of cryptographic signatures in the patch management component.” It allows remote unauthenticated attackers to execute arbitrary code, though it requires user interaction.
- Path Traversal (CVE-2025-13661): This issue (CVSS 7.1) allows an authenticated attacker to “write arbitrary files outside of the intended directory,” potentially compromising system integrity.
The vulnerabilities affect Ivanti Endpoint Manager 2024 SU4 and prior versions. Ivanti has released 2024 SU4 SR1 to resolve these issues.
While Ivanti states they are “not aware of any customers being exploited by these vulnerabilities at the time of disclosure,” they strongly advise customers to update immediately.
For organizations unable to patch right away, Ivanti suggests reviewing their network exposure. Regarding the critical XSS flaw, the advisory notes: “Ivanti EPM is not intended to be an internet-facing solution. If customers have not exposed their solution to the internet, the risk of this vulnerability is significantly reduced”.
Additionally, administrators are warned to verify the sources of their connections and files. Exploitation of the file-writing and signature verification flaws relies on connecting to “an untrusted core server” or importing “untrusted configuration files”.
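The two conditions the advisory names for the file-write and signature flaws, an untrusted configuration import and a write that lands outside the intended directory, are the checks an importer has to make before it touches the filesystem. The following is an added illustration of those two checks and is not Ivanti's code or the EPM implementation: a hypothetical "configuration bundle" of path/content entries is accepted only if a detached Ed25519 signature verifies against a pinned public key, and every destination path is resolved and confirmed to stay under the import root before anything is written. The bundle format, the entry names and the root directory are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Entry is one file in the constructed bundle format: a relative
// destination path and the bytes to write there.
type Entry struct {
	Path string
	Data []byte
}

// SafeJoin resolves rel under root and refuses anything that would escape
// root: absolute paths, Windows volume prefixes, and ".." segments that
// climb above root once the path is cleaned.
func SafeJoin(root, rel string) (string, error) {
	if filepath.IsAbs(rel) || filepath.VolumeName(rel) != "" {
		return "", fmt.Errorf("absolute path %q rejected", rel)
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, rel) // Join also cleans the result
	r, err := filepath.Rel(absRoot, target)
	if err != nil || r == ".." || strings.HasPrefix(r, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path %q escapes import root %q", rel, root)
	}
	return target, nil
}

// Serialize produces the canonical byte string that is signed: a
// length-prefixed encoding so that path and data boundaries are unambiguous.
func Serialize(entries []Entry) []byte {
	var b strings.Builder
	for _, e := range entries {
		fmt.Fprintf(&b, "%d:%s%d:%s", len(e.Path), e.Path, len(e.Data), e.Data)
	}
	return []byte(b.String())
}

// VerifyBundle checks the detached Ed25519 signature against the pinned key.
func VerifyBundle(pub ed25519.PublicKey, entries []Entry, sig []byte) bool {
	return ed25519.Verify(pub, Serialize(entries), sig)
}

// ImportBundle returns the absolute destination paths the bundle would write,
// or an error. Signature failure rejects the bundle outright; a single
// escaping path rejects the whole bundle so no partial write happens.
func ImportBundle(root string, pub ed25519.PublicKey, entries []Entry, sig []byte) ([]string, error) {
	if !VerifyBundle(pub, entries, sig) {
		return nil, errors.New("bundle signature invalid: refusing untrusted configuration")
	}
	dests := make([]string, 0, len(entries))
	for _, e := range entries {
		dest, err := SafeJoin(root, e.Path)
		if err != nil {
			return nil, err
		}
		dests = append(dests, dest)
	}
	return dests, nil
}

func main() {
	// Key pair generated on the fly for the demo; a real importer pins the
	// vendor's public key and never accepts a key carried in the bundle.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	root := "/var/lib/epm-example" // constructed path for the example

	good := []Entry{{Path: "agents/agent.conf", Data: []byte("poll=300\n")}}
	sig := ed25519.Sign(priv, Serialize(good))
	dests, err := ImportBundle(root, pub, good, sig)
	fmt.Println("signed, in-root bundle:", dests, err)

	tampered := []Entry{{Path: "agents/agent.conf", Data: []byte("poll=1\n")}}
	_, err = ImportBundle(root, pub, tampered, sig)
	fmt.Println("modified after signing:", err)

	escaping := []Entry{{Path: "../outside.conf", Data: []byte("x")}}
	_, err = ImportBundle(root, pub, escaping, ed25519.Sign(priv, Serialize(escaping)))
	fmt.Println("correctly signed but escaping root:", err)
}
```

Two design points matter here. The signature is checked before any path is examined, so an unsigned or modified bundle never reaches the path logic, and the path check is applied to every entry with an all-or-nothing outcome. SafeJoin works on lexical paths only; where the import root may contain symlinks, resolve the root and each destination's parent with filepath.EvalSymlinks before comparing.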