Ivanti has officially released urgent security updates for its Endpoint Manager (EPM) solution to address four distinct security flaws. The latest advisory highlights one critical vulnerability and three high-severity issues that could allow attackers to execute arbitrary code, write files on the server, or bypass security restrictions.
While the company confirmed that it is not aware of any active exploitation of these flaws in the wild at the time of disclosure, administrators are urged to apply the patches immediately to prevent potential attacks.
The vulnerabilities affect Ivanti Endpoint Manager versions 2024 SU4 and prior. To remediate these issues, the vendor has released version 2024 SU4 SR1, which is now available via the Ivanti License System (ILS).
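As an added illustration (not Ivanti's tooling), the following Python snippet parses EPM version strings in the form the advisory uses and flags inventory entries still on 2024 SU4 or earlier. The version regex, the hostnames and the sample inventory are constructed assumptions; the fixed build "2024 SU4 SR1" comes from the advisory.

```python
"""Inventory check for the Ivanti EPM advisory: flag hosts still on 2024 SU4 or earlier."""
import re

# Assumed from the advisory's naming ("2024 SU4", "2024 SU4 SR1"):
# <year> [SU<n>] [SR<m>], where a missing SU or SR counts as 0.
VERSION_RE = re.compile(r"^\s*(\d{4})(?:\s+SU(\d+))?(?:\s+SR(\d+))?\s*$", re.IGNORECASE)

FIXED_VERSION = "2024 SU4 SR1"  # remediating build named in the advisory


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn an EPM version string into a comparable (year, su, sr) tuple."""
    match = VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised EPM version string: {text!r}")
    year, su, sr = match.groups()
    return int(year), int(su or 0), int(sr or 0)


def needs_patch(version: str) -> bool:
    """True for 2024 SU4 and anything that sorts before it.

    Assumption: builds from older release lines sort lower and are flagged
    too; confirm against the vendor's own affected-version list."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def unpatched_hosts(inventory: list[tuple[str, str]]) -> list[str]:
    """Return the hostnames whose reported version still needs 2024 SU4 SR1."""
    return [host for host, version in inventory if needs_patch(version)]


# Constructed sample inventory (hostname, reported EPM version); not real data.
SAMPLE_INVENTORY = [
    ("epm-core-01", "2024 SU4"),
    ("epm-core-02", "2024 SU4 SR1"),
    ("epm-lab-01", "2024 SU3"),
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update to {FIXED_VERSION}")
```

Feed it the version column from your own asset inventory; anything the regex rejects is raised as an error rather than silently treated as patched.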
The most severe issue in this update is tracked as CVE-2025-10573, a Stored Cross-Site Scripting (XSS) vulnerability carrying a critical CVSS score of 9.6.
This flaw exists in versions prior to 2024 SU4 SR1 and permits a remote, unauthenticated attacker to execute arbitrary JavaScript within an administrator’s session.
Successful exploitation of this vulnerability requires user interaction, but the potential impact on administrative confidentiality and integrity is significant.
Alongside this critical flaw, Ivanti addressed three high-severity vulnerabilities. CVE-2025-13659 involves improper control of dynamically managed code resources, allowing unauthenticated attackers to write arbitrary files on the server, potentially leading to remote code execution.
The remaining two flaws, CVE-2025-13661 and CVE-2025-13662, relate to path traversal and improper cryptographic signature verification, respectively. Both require user interaction, specifically involving the import of untrusted configuration files.
| CVE Number | Description | Severity | CVSS Score |
|---|---|---|---|
| CVE-2025-10573 | Stored XSS allowing remote unauthenticated attackers to execute arbitrary JavaScript in admin sessions. | Critical | 9.6 |
| CVE-2025-13659 | Improper control of code resources allowing arbitrary file writing and potential RCE. | High | 8.8 |
| CVE-2025-13662 | Improper verification of cryptographic signatures in patch management allowing arbitrary code execution. | High | 7.8 |
| CVE-2025-13661 | Path traversal allowing authenticated attackers to write files outside intended directories. | High | 7.1 |
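The two import-related flaws above (path traversal and improper signature verification on untrusted configuration files) are generic defect classes. The following Python example, added here and not derived from Ivanti's code, shows what a hardened importer looks like: it refuses unsigned or tampered packages before parsing them, and it resolves every destination path and rejects any that escapes the import root before a single file is written. The package format, the key and the file names are constructed; HMAC-SHA256 stands in for the asymmetric signature a real product would use.

```python
"""Hardened handling of an imported configuration package (illustration only)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


class ConfigImportError(Exception):
    """Raised when an imported package fails integrity or path checks."""


def build_package(key: bytes, files: dict[str, str]) -> dict:
    """Assumed package layout: JSON payload {"files": {relative_path: contents}}
    plus a hex HMAC-SHA256 tag over the raw payload bytes."""
    payload = json.dumps({"files": files}, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": tag}


def verify_payload(payload: bytes, signature: str, key: bytes) -> None:
    """Reject a missing or mismatched tag before the payload is parsed at all."""
    if not signature:
        raise ConfigImportError("package is unsigned")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ConfigImportError("signature mismatch")


def safe_destination(base_dir: Path, relative_name: str) -> Path:
    """Resolve relative_name under base_dir and refuse anything that escapes it."""
    if os.path.isabs(relative_name) or "\x00" in relative_name:
        raise ConfigImportError(f"absolute or malformed path: {relative_name!r}")
    base = base_dir.resolve()
    candidate = (base / relative_name).resolve()  # collapses '..' segments
    if candidate != base and base not in candidate.parents:
        raise ConfigImportError(f"path escapes import root: {relative_name!r}")
    return candidate


def import_package(package: dict, key: bytes, base_dir: Path) -> list[str]:
    """Verify, then parse, then validate every destination, then write."""
    payload = package.get("payload", b"")
    verify_payload(payload, package.get("signature", ""), key)
    manifest = json.loads(payload)
    # Validate all paths before touching the filesystem so one bad entry
    # cannot leave a half-written import behind.
    targets = [(safe_destination(base_dir, name), body)
               for name, body in manifest["files"].items()]
    written = []
    for dest, body in targets:
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body)
        written.append(dest.relative_to(base_dir.resolve()).as_posix())
    return written


def demo() -> dict:
    """Run the importer against constructed packages and report each outcome."""
    key = b"constructed-demo-key-not-a-real-secret"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good = build_package(key, {"profiles/default.json": '{"scan": true}'})
        results["good"] = import_package(good, key, root)

        traversal = build_package(key, {"../outside.txt": "escaped"})
        try:
            import_package(traversal, key, root)
            results["traversal"] = "written"
        except ConfigImportError as exc:
            results["traversal"] = str(exc)

        tampered = dict(good)  # valid tag, but payload altered after signing
        tampered["payload"] = good["payload"].replace(b"true", b"false")
        try:
            import_package(tampered, key, root)
            results["tampered"] = "accepted"
        except ConfigImportError as exc:
            results["tampered"] = str(exc)

        unsigned = {"payload": good["payload"]}
        try:
            import_package(unsigned, key, root)
            results["unsigned"] = "accepted"
        except ConfigImportError as exc:
            results["unsigned"] = str(exc)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The ordering is the point: integrity is checked over the raw bytes before any parser runs, and the traversal check compares fully resolved paths rather than looking for a literal "..", which also catches escapes through symlinked directories.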
Mitigations
Ivanti has emphasized specific mitigations for environments where immediate patching might be delayed. Regarding the critical XSS flaw (CVE-2025-10573), the company noted that EPM is not intended to be an internet-facing solution.
Organizations that have ensured their management interface is not exposed to the public internet significantly reduce the risk of this vulnerability.
The discovery of these vulnerabilities was credited to several security researchers working through responsible disclosure channels.
Ivanti acknowledged the contributions of Ryan Emmons from Rapid7 for identifying the critical XSS flaw, Piotr Bazydlo (@chudyPB) of watchTowr for the file writing vulnerability, and researchers working with the Trend Zero Day Initiative for the remaining path traversal and signature verification issues.
Because no indicators of compromise (IoCs) are currently known for these flaws, applying the vendor-supplied patch remains the primary defense.
