Critical Ivanti Endpoint Manager XSS Flaw Disclosed
Summary
Ivanti has disclosed a critical stored cross-site scripting (XSS) vulnerability (CVE-2025-10573) in its Endpoint Manager (EPM) solution, allowing unauthenticated remote code execution with user interaction. The flaw affects versions prior to 2024 SU4 SR1 and is mitigated by the solution's typical offline deployment. Ivanti also patched three high-severity vulnerabilities (CVE-2025-13659, CVE-2025-13662) enabling arbitrary code execution under specific conditions. No exploitation has been observed, but Ivanti EPM flaws have been targeted before, including CISA-alerted vulnerabilities in March 2024.
Timeline
- 09.12.2025 19:10 · 1 article · 10h ago
  Ivanti Endpoint Manager XSS Flaw Disclosed and Patched
  Ivanti disclosed a critical XSS flaw (CVE-2025-10573) in Endpoint Manager, enabling unauthenticated remote code execution with user interaction. The flaw affects versions prior to 2024 SU4 SR1 and is mitigated by typical offline deployment. Ivanti also patched three high-severity vulnerabilities (CVE-2025-13659, CVE-2025-13662) requiring user interaction for exploitation. No exploitation has been observed, but Ivanti EPM has been targeted before, including CISA-alerted flaws in March 2024.
  Sources:
  - Ivanti warns of critical Endpoint Manager code execution flaw — www.bleepingcomputer.com — 09.12.2025 19:10
Information Snippets
- CVE-2025-10573 is a stored XSS flaw in Ivanti Endpoint Manager allowing remote code execution with user interaction.
  First reported: 09.12.2025 19:10 (1 source, 1 article)
  - Ivanti warns of critical Endpoint Manager code execution flaw — www.bleepingcomputer.com — 09.12.2025 19:10
- The vulnerability affects versions prior to 2024 SU4 SR1 and is mitigated by EPM's typical offline deployment.
  First reported: 09.12.2025 19:10 (1 source, 1 article)
  - Ivanti warns of critical Endpoint Manager code execution flaw — www.bleepingcomputer.com — 09.12.2025 19:10
- Ivanti released patches for three high-severity flaws (CVE-2025-13659, CVE-2025-13662) enabling arbitrary code execution.
  First reported: 09.12.2025 19:10 (1 source, 1 article)
  - Ivanti warns of critical Endpoint Manager code execution flaw — www.bleepingcomputer.com — 09.12.2025 19:10
- Exploitation of the new flaws requires user interaction with untrusted servers or configuration files.
  First reported: 09.12.2025 19:10 (1 source, 1 article)
  - Ivanti warns of critical Endpoint Manager code execution flaw — www.bleepingcomputer.com — 09.12.2025 19:10
- Shadowserver tracks hundreds of Internet-exposed Ivanti EPM instances, primarily in the U.S., Germany, and Japan.
  First reported: 09.12.2025 19:10 (1 source, 1 article)
  - Ivanti warns of critical Endpoint Manager code execution flaw — www.bleepingcomputer.com — 09.12.2025 19:10
- No exploitation of these vulnerabilities has been observed prior to disclosure.
  First reported: 09.12.2025 19:10 (1 source, 1 article)
  - Ivanti warns of critical Endpoint Manager code execution flaw — www.bleepingcomputer.com — 09.12.2025 19:10
- CISA previously alerted on exploited Ivanti EPM flaws (CVE-2024-13159, CVE-2024-13160, CVE-2024-13161) in March 2024.
  First reported: 09.12.2025 19:10 (1 source, 1 article)
  - Ivanti warns of critical Endpoint Manager code execution flaw — www.bleepingcomputer.com — 09.12.2025 19:10