Categories: Cyber Security News

Ivanti Security Update: Patch for Code Execution Vulnerabilities in Endpoint Manager

Ivanti has officially released urgent security updates for its Endpoint Manager (EPM) solution to address four distinct security flaws. The latest advisory highlights one critical vulnerability and three high-severity issues that could allow attackers to execute arbitrary code, write files on the server, or bypass security restrictions.

While the company confirmed that it is not aware of any active exploitation of these flaws in the wild at the time of disclosure, administrators are urged to apply the patches immediately to prevent potential attacks.

The vulnerabilities affect Ivanti Endpoint Manager versions 2024 SU4 and prior. To remediate these issues, the vendor has released version 2024 SU4 SR1, which is now available via the Ivanti License System (ILS).

The most severe issue in this update is tracked as CVE-2025-10573, a stored cross-site scripting (XSS) vulnerability carrying a critical CVSS score of 9.6.

The flaw exists in versions prior to 2024 SU4 SR1. A remote, unauthenticated attacker can plant arbitrary JavaScript that executes in an administrator’s browser session when the administrator views the injected content.

Successful exploitation therefore requires user interaction, but because the script runs with the administrator’s session, the impact on the confidentiality and integrity of the management console is significant.

Alongside this critical flaw, Ivanti addressed three high-severity vulnerabilities. CVE-2025-13659 involves improper control of dynamically managed code resources, allowing unauthenticated attackers to write arbitrary files on the server, potentially leading to remote code execution.

The remaining two flaws, CVE-2025-13661 and CVE-2025-13662, relate to path traversal and improper cryptographic signature verification, respectively. Both require user interaction, specifically involving the import of untrusted configuration files.

CVE Number       Description                                                                                        Severity   CVSS Score
CVE-2025-10573   Stored XSS: remote, unauthenticated attacker executes arbitrary JavaScript in an admin session.     Critical   9.6
CVE-2025-13659   Improper control of dynamically managed code resources: arbitrary file write, potential RCE.       High       8.8
CVE-2025-13662   Improper verification of cryptographic signatures in patch management: arbitrary code execution.   High       7.8
CVE-2025-13661   Path traversal: authenticated attacker writes files outside the intended directories.              High       7.1

Mitigations

Ivanti has emphasized specific mitigations for environments where immediate patching might be delayed. Regarding the critical XSS flaw (CVE-2025-10573), the company noted that EPM is not intended to be an internet-facing solution.

Organizations that keep the management interface off the public internet substantially reduce the exposure of this vulnerability, since an attacker must first be able to reach the console to plant the payload. Network restriction does not remove the flaw, however, so the update should still be applied.

The discovery of these vulnerabilities was credited to several security researchers working through responsible disclosure channels.

Ivanti acknowledged the contributions of Ryan Emmons from Rapid7 for identifying the critical XSS flaw, Piotr Bazydlo (@chudyPB) of watchTowr for the file writing vulnerability, and researchers working with the Trend Zero Day Initiative for the remaining path traversal and signature verification issues.

Since Ivanti has published no indicators of compromise (IoCs) for these flaws, there is nothing specific to hunt for, and applying the vendor-supplied patch remains the primary defense.
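As an added illustration (not from the advisory or from Ivanti), the check below turns the affected-version statement into a fleet triage: it parses EPM release labels and flags every core server at or below 2024 SU4 as needing the update. The label ordering (year, then SU number, then SR number, with a missing SU or SR treated as 0), the `parse_label`/`triage` helpers and the sample inventory are assumptions made here; a label that does not parse is reported as unknown rather than silently treated as safe.

```python
"""Triage an EPM core-server inventory against the fix level named in the advisory."""
import re
from typing import Optional

# From the advisory: "2024 SU4 and prior" is affected; the fix is 2024 SU4 SR1.
FIXED_LABEL = "2024 SU4 SR1"

# Assumption: a release label is "<year> [SU<n>] [SR<n>]" and sorts by year,
# then SU number, then SR number; a missing SU or SR counts as 0.
LABEL_RE = re.compile(
    r"^\s*(?P<year>\d{4})(?:\s+SU\s*(?P<su>\d+))?(?:\s+SR\s*(?P<sr>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_label(label: str) -> Optional[tuple[int, int, int]]:
    """Return (year, su, sr) for a release label, or None if it does not parse."""
    m = LABEL_RE.match(label)
    if not m:
        return None
    return (int(m["year"]), int(m["su"] or 0), int(m["sr"] or 0))


FIXED = parse_label(FIXED_LABEL)


def is_affected(label: str) -> Optional[bool]:
    """True if the label sorts below 2024 SU4 SR1, False if at or above it,
    None if the label cannot be parsed (never treat an unknown label as safe)."""
    parsed = parse_label(label)
    if parsed is None:
        return None
    return parsed < FIXED


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket hosts from {hostname: release label} into 'patch', 'ok' and 'unknown'."""
    buckets: dict[str, list[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, label in sorted(inventory.items()):
        verdict = is_affected(label)
        key = "unknown" if verdict is None else ("patch" if verdict else "ok")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hostnames, not real systems).
    sample = {
        "epm-core-01": "2024 SU4",
        "epm-core-02": "2024 SU4 SR1",
        "epm-core-03": "2022 SU6",
        "epm-core-04": "2024 SU3",
        "epm-core-05": "11.0.5.x",  # label format not recognised -> unknown
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the version labels from your own asset inventory; anything in the "unknown" bucket needs a manual look rather than being assumed patched.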


The post Ivanti Security Update: Patch for Code Execution Vulnerabilities in Endpoint Manager appeared first on Cyber Security News.
