
A critical stored cross-site scripting vulnerability affects Ivanti Endpoint Manager ("EPM") versions 2024 SU4 and below and could enable attackers to hijack administrator sessions without authentication.
The vulnerability, identified as CVE-2025-10573, has been assigned a CVSS score of 9.6 and was patched on December 9, 2025, with the release of Ivanti EPM version 2024 SU4 SR1.
An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server, poisoning the administrator's web dashboard with malicious JavaScript.
When an Ivanti EPM administrator views the contaminated dashboard during normal operations, that passive interaction triggers client-side JavaScript execution, granting the attacker complete control of the administrator's session.

| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-10573 |
| Vulnerability Type | Stored Cross-Site Scripting (XSS) |
| CVSS Score | 9.6 |
| Affected Product | Ivanti Endpoint Manager (EPM) |
| Affected Versions | EPM 2024 SU4 and below |
The vulnerability stems from the 'incomingdata' web API, which processes device scan data without proper input validation.
Attackers can submit malicious payloads through this unauthenticated endpoint. These are then stored in the device database and rendered, without output encoding, in the administrator dashboard interface.
An unauthenticated attacker can craft a POST request to the '/incomingdata/postcgi.exe' endpoint containing XSS payloads embedded in device scan fields such as Device ID, Display Name, or OS Name.
These payloads are processed and added to the device database without sanitization. When administrators access web dashboard pages that display device information, including 'frameset.aspx' and 'db_frameset.aspx', the malicious scripts execute in their browsers.
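The two paragraphs above describe a classic stored XSS chain: untrusted device scan fields are written to the database and later interpolated straight into dashboard HTML. The following Python is an added illustration, not Ivanti's code or Rapid7's analysis; the device records, field names and rendering functions are constructed for the example. It shows the unsafe rendering pattern beside the hardened form (HTML-entity encoding at output time), and a small inventory audit that flags device fields containing markup, which a defender could run against an export of the device table while patching is underway.

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed sample records. They imitate the device scan fields named in the
# article (Device ID, Display Name, OS Name) but are not real EPM data.
SAMPLE_DEVICES: List[Dict[str, str]] = [
    {"Device ID": "WS-0001", "Display Name": "finance-laptop-07", "OS Name": "Windows 11"},
    # A record whose Display Name carries HTML markup instead of a hostname.
    {"Device ID": "WS-0002", "Display Name": "<script>/* constructed */</script>", "OS Name": "Windows 10"},
]

FIELDS = ("Device ID", "Display Name", "OS Name")


def render_vulnerable(device: Dict[str, str]) -> str:
    """Interpolates device fields directly into HTML: the unsafe pattern behind stored XSS."""
    cells = "".join(f"<td>{device[f]}</td>" for f in FIELDS)
    return f"<tr>{cells}</tr>"


def render_hardened(device: Dict[str, str]) -> str:
    """Same table row, but every field is HTML-entity encoded before it reaches the page."""
    cells = "".join(f"<td>{html.escape(device[f], quote=True)}</td>" for f in FIELDS)
    return f"<tr>{cells}</tr>"


# Angle brackets, javascript: URLs or on*= handlers have no place in a hostname or OS string.
_MARKUP = re.compile(r"[<>]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_device_fields(devices: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (Device ID, field name) for every device field that contains markup-like content."""
    hits: List[Tuple[str, str]] = []
    for device in devices:
        for field in FIELDS:
            if _MARKUP.search(device.get(field, "")):
                hits.append((device["Device ID"], field))
    return hits


if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        print("unsafe :", render_vulnerable(device))
        print("encoded:", render_hardened(device))
    print("flagged:", find_suspicious_device_fields(SAMPLE_DEVICES))
```

The audit regex is a coarse triage heuristic, not a parser; a hit means a human should look at that device record, and legitimate records that trip it can be whitelisted. The encoding fix is the one that actually closes the bug: encoding at the point of output neutralises whatever was stored, whereas input filtering alone can be bypassed or miss fields.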
Ivanti EPM is a widely deployed endpoint management software used by organizations for remote administration, vulnerability scanning, and compliance management.
Successful exploitation enables attackers to remotely control endpoints and install unauthorized software, making this vulnerability particularly dangerous.
According to Rapid7, organizations should immediately upgrade to Ivanti EPM version 2024 SU4 SR1. Because this vulnerability is unauthenticated, patching affected instances as soon as possible is critical.
