vulnerability
Ivanti EPM: CVE-2025-10573: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | Dec 9, 2025 | Dec 9, 2025 | Dec 9, 2025 |
Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
Dec 9, 2025
Added
Dec 9, 2025
Modified
Dec 9, 2025
Description
Ivanti Endpoint Manager (“EPM”) versions 2024 SU4 and below are vulnerable to stored cross-site scripting (“XSS”).
An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server
in order to poison the administrator web dashboard with malicious JavaScript.
When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage,
that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session.
An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server
in order to poison the administrator web dashboard with malicious JavaScript.
When an Ivanti EPM administrator views one of the poisoned dashboard interfaces during normal usage,
that passive user interaction will trigger client-side JavaScript execution, resulting in the attacker gaining control of the administrator’s session.
Solution
ivanti-epm-2024-upgrade-latest
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.