About:
CVE-2025-10573 is a critical stored cross-site scripting (XSS) vulnerability in Ivanti Endpoint Manager (EPM) caused by improper input neutralization within the web console interface. An unauthenticated attacker can submit crafted payloads (e.g., via device registration fields or data submission forms) that inject malicious JavaScript into stored values. When an administrator views the affected page, the attacker-controlled script executes in the admin context, enabling session hijacking, unauthorized actions, configuration manipulation, or takeover of administrator accounts.
RedLegg will occasionally communicate vulnerabilities disclosed outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Stored Cross-Site Scripting (XSS) in Ivanti Endpoint Manager (EPM)
CVSS Score: 9.6 (Critical)
Identifier: CVE-2025-10573
Exploit or Proof of Concept (PoC): None at this time
Update:
Ivanti has released security updates that address CVE-2025-10573. Administrators must update to EPM 2024 SU4 SR1 or later.
Official Ivanti advisory with patch details:
Description:
CVE-2025-10573 is caused by improper neutralization of user input within the Ivanti EPM web interface (CWE-79: Improper Neutralization of Input During Web Page Generation). An unauthenticated attacker can submit crafted registration or data-submission payloads that inject JavaScript into stored fields rendered on the administrator dashboard. When an admin opens the compromised page, the attacker-supplied script executes with full administrative context.
Mitigation Recommendation:
Patch Ivanti EPM immediately to version 2024 SU4 SR1 or later as provided in the advisory above.
Restrict access to the EPM web console to trusted administrative networks only.
Enforce MFA and review administrator account permissions; reduce the number of high-privilege accounts.
Review recent endpoint registrations, user-submitted fields, and any unexpected entries that may contain script-like or suspicious payloads.
Inspect administrator activity logs for anomalies, especially unexpected configuration changes or logins following dashboard interactions.
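A triage helper for the review step above, added here as an example that is not part of the RedLegg bulletin or of any Ivanti tooling: it scans exported registration records for script-like values so an administrator can find entries to inspect without rendering them in the console. The record layout, field names and sample values are constructed assumptions, not the real EPM export format.

```python
import html
import re

# Heuristics for script-like content in stored free-text fields. These are
# constructed triage patterns, not Ivanti signatures; they are meant to be
# over-inclusive so that a human reviews every hit.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*(img|svg|iframe|object|embed|body)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),      # inline event handlers
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"&#x?[0-9a-f]+;", re.I),      # numeric-entity-encoded payloads
    re.compile(r"\\u003c|%3c", re.I),         # escaped '<' variants
]

# Assumed field names; adjust to whatever columns the real export contains.
DEFAULT_FIELDS = ("device_name", "description", "owner")

def flag_record(record: dict, fields: tuple = DEFAULT_FIELDS) -> list:
    """Return the names of fields in one record whose value looks script-like."""
    hits = []
    for field in fields:
        value = str(record.get(field, ""))
        # Also check one layer of HTML-entity decoding so encoded payloads
        # that the dashboard would decode before rendering are caught too.
        candidates = (value, html.unescape(value))
        if any(p.search(c) for p in SUSPICIOUS_PATTERNS for c in candidates):
            hits.append(field)
    return hits

def triage(records: list) -> list:
    """Return (index, flagged_fields) for every record that needs manual review."""
    return [(i, hits) for i, r in enumerate(records) if (hits := flag_record(r))]

# Constructed sample export (not real data) in the shape of device registrations.
SAMPLE_RECORDS = [
    {"device_name": "LAPTOP-0421", "description": "Finance dept", "owner": "j.doe"},
    {"device_name": "<script>alert(1)</script>", "description": "", "owner": "unknown"},
    {"device_name": "WS-77", "description": "<img src=x onerror=alert(1)>", "owner": "svc"},
    {"device_name": "&lt;svg onload=1&gt;", "description": "looks benign", "owner": "a.b"},
    {"device_name": "O'Brien & Sons", "description": "vendor laptop", "owner": "vendor"},
]

if __name__ == "__main__":
    for idx, fields in triage(SAMPLE_RECORDS):
        print(f"record {idx}: review fields {fields}")
```

Run it against a CSV or JSON export of registrations rather than against the live dashboard, so flagged values are never rendered in an administrator's browser during review.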