Ivanti has released urgent patches for a critical vulnerability in its Endpoint Manager (EPM) platform, tracked as CVE-2025-10573 (CVSS 9.6). The flaw is a stored cross-site scripting (XSS) issue that an unauthenticated, remote attacker can trigger with low attack complexity and minimal user interaction, potentially compromising administrative sessions and leading to code execution. 

Vulnerabilities 

  • CVE-2025-10573 (Stored XSS – Critical, CVSS 9.6) 
    An unauthenticated actor can inject malicious JavaScript by registering a fake managed endpoint; the injected content is stored and later rendered in the EPM dashboard. When an administrator views the poisoned dashboard, the script executes in the administrator's browser, enabling session hijacking and, through the administrator's privileges, arbitrary code execution.  
  • CVE-2025-13659 (High, CVSS 8.8) 
    Improper control of dynamically managed code resources allows an unauthenticated attacker to write arbitrary files to the server, which could lead to remote code execution. User interaction is required.  
  • CVE-2025-13661 (High, CVSS 7.1) 
    A path traversal vulnerability lets an authenticated attacker write files outside the intended directories, potentially compromising system integrity. This is the only one of the four flaws that requires valid credentials.  
  • CVE-2025-13662 (High, CVSS 7.8) 
    Inadequate verification of cryptographic signatures in the patch management component allows an unauthenticated attacker to execute code; user interaction is required. 
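The two bug classes above, a stored XSS in an inventory page and a path traversal on a server-side file write, are easiest to understand side by side with their fixes. The block below is an added illustration written for this bulletin; it is not Ivanti's code and does not model EPM's data structures or request handling. The in-memory inventory, the function names and the `uploads` directory are all assumptions. The vulnerable renderer interpolates an attacker-chosen endpoint name straight into HTML; the safe renderer entity-encodes at the sink. `safe_write_path` shows the containment check that a path traversal bug lacks: resolve the requested path and refuse anything that lands outside the base directory.

```python
import html
from pathlib import Path

# Hypothetical in-memory inventory (endpoint name -> metadata); not EPM's data model.
INVENTORY = {}


def register_endpoint(name, os_name):
    """Unauthenticated registration path: the caller controls `name` entirely
    and the value is stored verbatim, which is what makes the XSS 'stored'."""
    INVENTORY[name] = {"os": os_name}
    return name


def render_dashboard_vulnerable():
    """Builds the admin table by string interpolation: a stored-XSS sink.
    Whatever was registered is emitted as markup and runs in the admin's browser."""
    rows = "".join(
        f"<tr><td>{n}</td><td>{m['os']}</td></tr>" for n, m in INVENTORY.items()
    )
    return f"<table>{rows}</table>"


def render_dashboard_safe():
    """Same page with HTML entity encoding applied at the sink. html.escape also
    encodes quotes, so the encoded value is safe inside attribute values too."""
    rows = "".join(
        f"<tr><td>{html.escape(n)}</td><td>{html.escape(m['os'])}</td></tr>"
        for n, m in INVENTORY.items()
    )
    return f"<table>{rows}</table>"


def safe_write_path(base_dir, requested):
    """Accept a client-supplied relative path only if it stays inside base_dir.
    Resolving both sides collapses '..' segments and symlinks before the
    containment check, so 'a/../../x' and absolute paths are both rejected."""
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"refusing to write outside {base}: {requested!r}")
    return target


if __name__ == "__main__":
    # Constructed payload: an endpoint 'name' carrying a script tag.
    register_endpoint("<script>alert(document.cookie)</script>", "Windows 11")
    print("vulnerable:", render_dashboard_vulnerable())
    print("safe:      ", render_dashboard_safe())
    print(safe_write_path("uploads", "reports/a.txt"))
    try:
        safe_write_path("uploads", "../../Windows/Temp/x.aspx")
    except ValueError as exc:
        print("blocked:", exc)
```

Output encoding at the sink is the fix for the XSS regardless of how the name was validated on input; a hostname filter at registration time is a useful second layer but not a substitute, because the same stored value may be rendered in more than one context. The containment check uses resolved absolute paths rather than string prefix matching on the raw input, which is where naive traversal filters fail.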

Impact 

  • Administrative session hijack and code execution – Malicious JavaScript executing in a poisoned dashboard can give attackers the administrator's session and, with it, control of the EPM console.  
  • Server compromise – Arbitrary file writes and the signature-verification bypass can lead to remote code execution on the EPM server.  
  • Remote attacks with little or no authentication – Three of the four flaws (CVE-2025-10573, CVE-2025-13659 and CVE-2025-13662) can be triggered over the network without valid credentials; the path traversal (CVE-2025-13661) requires an authenticated account.  
  • Internet-exposed instances – Shadowserver reports 569 internet-facing instances in the U.S., 109 in Germany, and 104 in Japan, increasing the likelihood of exploitation. 

Recommendations 

  • Patch Immediately - Upgrade to Ivanti EPM 2024 SU4 SR1 or later without delay. 
  • Reduce Exposure - Do not expose EPM’s administrative interface directly to the internet.  
  • Validate Server Trust - Enforce internal network segmentation and only connect EPM to trusted core servers. 
  • User Awareness - Educate administrators that viewing a dashboard containing a malicious endpoint registration is enough to trigger the stored XSS, so unexpected or oddly named endpoints should be treated as suspicious and not interacted with from an unpatched console. 
  • Monitor & Log - Enable full logging around dashboard access, endpoint registrations, configuration imports and file operations, and review it for suspicious activity. 
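To make the exposure and monitoring recommendations concrete, the block below is an added example (not Ivanti tooling, and not EPM's real log format) that runs three checks over a few constructed log lines: HTML or JavaScript markers in a newly registered endpoint name (the stored-XSS vector), dashboard access from outside an assumed allow-list of management networks (the exposure recommendation), and server-side file writes whose normalised path escapes an assumed upload root (the traversal and arbitrary-write flaws). The `key=value` line format, field names, network ranges and directory are all assumptions; adapt them to whatever your EPM logging and SIEM actually emit.

```python
import ipaddress
import ntpath
import re

# Constructed sample lines in a hypothetical key=value format (not Ivanti's log schema).
SAMPLE_LOG = r"""
ts=2025-11-03T10:01:02Z event=endpoint_registered src=10.20.30.40 name="WKS-FIN-017"
ts=2025-11-03T10:02:11Z event=endpoint_registered src=198.51.100.7 name="<img src=x onerror=alert(document.cookie)>"
ts=2025-11-03T10:03:45Z event=dashboard_view src=203.0.113.9 user=admin
ts=2025-11-03T10:04:00Z event=file_write user=svc_epm path="C:\ProgramData\EPM\uploads\report.csv"
ts=2025-11-03T10:04:30Z event=file_write user=svc_epm path="C:\ProgramData\EPM\uploads\..\..\..\Windows\Temp\x.aspx"
ts=2025-11-03T10:05:00Z event=dashboard_view src=10.0.0.5 user=admin
"""

# Assumed policy: the admin dashboard is only reachable from these management networks.
TRUSTED_ADMIN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumed directory under which server-side file writes are legitimate.
ALLOWED_WRITE_ROOT = r"C:\ProgramData\EPM\uploads"
# Tags, event-handler attributes and javascript: URLs have no business in a hostname.
XSS_MARKERS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# key=value or key="quoted value"
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values may contain spaces."""
    return {k: q if q else u for k, q, u in KV.findall(line)}


def escapes_root(path, root=ALLOWED_WRITE_ROOT):
    """True if the Windows path, once '..' segments are collapsed, leaves `root`.
    ntpath is used so the check behaves the same on a Linux SIEM host."""
    norm = ntpath.normpath(path).lower()
    root = ntpath.normpath(root).lower()
    return not (norm == root or norm.startswith(root + ntpath.sep))


def analyse(log_text):
    """Return (rule, timestamp, detail) tuples for every line that trips a rule."""
    findings = []
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        ev = rec.get("event")
        if ev == "endpoint_registered" and XSS_MARKERS.search(rec.get("name", "")):
            findings.append(("xss_payload_in_endpoint_name", rec["ts"], rec["name"]))
        if ev == "dashboard_view":
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in TRUSTED_ADMIN_NETS):
                findings.append(("admin_access_from_untrusted_network", rec["ts"], rec["src"]))
        if ev == "file_write" and escapes_root(rec.get("path", "")):
            findings.append(("file_write_outside_allowed_root", rec["ts"], rec["path"]))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in analyse(SAMPLE_LOG):
        print(f"{ts} {rule}: {detail}")
```

The path rule deliberately normalises before comparing: matching the raw string against the allowed prefix would pass the traversal line, since it does begin with the upload root. The network rule is an allow-list rather than a "public IP" test because Python's `ipaddress` treats the documentation ranges used in constructed samples as private, and an explicit list of management networks is the control you actually want to enforce.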
