Daily Threat Intel by CyberDudeBivash
Zero-days, exploit breakdowns, IOCs, detection rules & mitigation playbooks.
CRITICAL IVANTI FAIL: Hackers Can Hijack Your Entire IT System Via Simple XSS Flaw (Admin Control Alert)
CyberDudeBivash Admin Advisory on CVE-2025-10573 in Ivanti Endpoint Manager (EPM)
TL;DR
Ivanti Endpoint Manager (EPM) has a critical stored cross-site scripting (XSS) vulnerability, tracked as CVE-2025-10573, with a CVSS score of 9.6. An attacker can send crafted device scan data to the EPM server, which gets injected into the admin web dashboard. When an administrator logs in and views the poisoned data, the malicious JavaScript executes with admin context — giving the attacker the ability to hijack the session and perform privileged actions through the admin’s browser. Ivanti has released fixes in EPM 2024 SU4 SR1, and every EPM deployment should be patched immediately.
Admin Control Alert — Immediate Checklist
- Confirm your EPM version and whether you are on EPM 2024 SU4 SR1 or later.
- If not patched, restrict access to the EPM web console to trusted admin networks only (VPN / jump host).
- Review EPM logs and admin audit trails for suspicious dashboard activity.
- Rotate admin credentials and revoke remembered sessions after patching.
- Enable additional monitoring around Ivanti EPM traffic and admin actions.
What Is This Ivanti XSS Flaw and Why It Matters
Ivanti Endpoint Manager is used to manage large fleets of endpoints, run vulnerability scans, push software, and automate IT operations. That makes its web console one of the most powerful control planes in the enterprise.
In December 2025, Ivanti and independent researchers disclosed a stored cross-site scripting vulnerability in Ivanti EPM, assigned CVE-2025-10573. The issue lies in how EPM ingests and displays device scan data in the admin web UI:
- An attacker can send crafted device data to EPM’s primary web service.
- This data is stored and later rendered unsafely inside the administrator dashboard.
- Malicious JavaScript runs automatically when the admin views the infected page.
The result: a simple XSS bug becomes a full admin hijack, because the web console is the “remote control” for your entire fleet.
How an Attacker Can Turn This “Simple XSS” into Full Admin Hijack
According to public technical analysis, the vulnerability allows unauthenticated attackers to submit malicious payloads in device scan data that EPM later embeds in the admin dashboard. When the admin views that poisoned entry, the JavaScript executes in the context of the admin’s browser session.
At a high level, the chain looks like this:
- Malicious device data injected: The attacker feeds specially crafted data into EPM’s device scan API or equivalent input path.
- Dashboard poisoning: EPM stores this data and later displays it in the admin web UI without proper sanitization or encoding.
- Admin visits dashboard: An EPM administrator logs in and opens the affected view (devices, reports, etc.).
- JavaScript executes with admin privileges: The malicious script runs inside the admin’s browser, effectively letting the attacker drive the console as if they were the admin.
- Full environment control: From there, the attacker can push agents, deploy scripts, collect data, or potentially pivot deeper into the network — all using legitimate EPM functionality.
No direct exploitation of EPM’s backend is required — the attacker “rides” on the administrator’s own session. That is why this is such a serious design-level security failure.
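The rendering defect in the chain above is the "dashboard poisoning" step: stored scan data is written into the admin page as markup instead of as text. The following is an added illustration, not Ivanti EPM code and not from any public analysis of CVE-2025-10573; the device record, its field names and the table template are constructed here. It places the vulnerable rendering pattern beside the hardened one and includes a check that tells the two apart.

```python
"""Model of the stored-XSS rendering defect and its hardened equivalent.
Generic illustration only: the 'device inventory' row template, the field
names and the sample device record below are constructed for this example
and are not Ivanti EPM's code or data."""
import html
import re

# Constructed device record as a scan-data ingestion path might store it.
# The hostname is the attacker-controlled field; the other fields are benign.
CONSTRUCTED_DEVICE = {
    "hostname": "<script>/* constructed marker */</script>",
    "ip": "10.20.30.40",
    "os": "Windows 11",
}

# Tags that legitimately belong to the row template itself.
TEMPLATE_TAGS = ("tr", "td")


def render_row_vulnerable(device: dict) -> str:
    """Vulnerable pattern: stored values are concatenated straight into HTML.
    Whatever the scan data contained is emitted as markup, so a browser
    rendering this row would execute stored script in the admin's session."""
    return (
        f"<tr><td>{device['hostname']}</td>"
        f"<td>{device['ip']}</td><td>{device['os']}</td></tr>"
    )


def render_row_hardened(device: dict) -> str:
    """Hardened pattern: every stored value is HTML-entity encoded at output
    time (quote=True also encodes ' and \" so the same helper is safe inside
    attribute values). The data is still stored verbatim; the fix belongs in
    the rendering step, which is where stored XSS is actually introduced."""
    cells = (html.escape(str(device[key]), quote=True) for key in ("hostname", "ip", "os"))
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def contains_active_markup(rendered_html: str, template_tags=TEMPLATE_TAGS) -> bool:
    """Review helper: True if the rendered fragment contains any tag that is
    not part of the template skeleton, i.e. stored data became markup."""
    for match in re.finditer(r"</?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered_html):
        if match.group(1).lower() not in template_tags:
            return True
    return False


if __name__ == "__main__":
    print("vulnerable:", render_row_vulnerable(CONSTRUCTED_DEVICE))
    print("hardened:  ", render_row_hardened(CONSTRUCTED_DEVICE))
```

Output encoding at the point of rendering is the primary fix; a restrictive Content-Security-Policy on the console (no inline script) is a defence-in-depth layer that limits what an encoding miss can do, but it does not replace the encoding.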
Business Impact: Why This Is an Admin Control Crisis, Not Just a UI Bug
To non-technical leadership, “XSS” often sounds like a minor UI nuisance. In this case, that assumption is dangerously wrong. With Ivanti EPM, the admin console is effectively an orchestration hub for your entire IT stack.
If an attacker hijacks an EPM admin session through XSS, they can potentially:
- Deploy malicious scripts or binaries to hundreds or thousands of endpoints.
- Uninstall or tamper with endpoint protection agents.
- Collect detailed inventory of systems, software, and vulnerabilities.
- Stage ransomware or data exfiltration tools using EPM’s distribution features.
- Alter patching policies, delaying or blocking future fixes.
From a risk perspective, this transforms one web UI flaw into a platform-level compromise with:
- Operational risk: mass endpoint compromise and downtime.
- Regulatory risk: data protection violations if attackers exfiltrate sensitive information.
- Financial risk: incident response, recovery cost, business interruption, potential fines.
- Reputational risk: loss of trust from customers, partners, and regulators.
Which Ivanti EPM Versions Are Affected?
Public advisories note that Ivanti Endpoint Manager 2024 SU4 and earlier are vulnerable to CVE-2025-10573, a stored XSS flaw with a critical severity rating. Ivanti has released a fix in EPM 2024 SU4 SR1.
Security vendors and researchers emphasize that this vulnerability should be treated as a high-priority patching item, on par with other critical remote compromise issues affecting infrastructure management products.
Patch and Mitigation Guide for Ivanti Admins
If you operate Ivanti EPM in production, treat this as an admin control emergency. Your goal is to reduce exposure immediately and then patch as quickly as your change processes allow.
Step 1 — Identify Your EPM Version
- Log into your EPM console.
- Check the “About” page or system information section.
- Confirm whether you are on EPM 2024 SU4 SR1 or a later build.
Step 2 — Apply the Official Ivanti Patch
- Download the latest Ivanti EPM update that includes the fix for CVE-2025-10573.
- Follow Ivanti’s release notes and upgrade guidance for your environment.
- Schedule maintenance windows for production environments.
- Verify that all EPM servers in distributed architectures are updated.
Step 3 — Restrict Who Can Reach the EPM Console
Until fully patched, reduce attack surface:
- Ensure the EPM web console is not exposed directly to the internet.
- Restrict access to a management VLAN or VPN-only networks.
- Use jump hosts or bastion systems for admin access.
Step 4 — Review Admin Activity and Logs
Look for signs of suspicious activity, such as:
- Unexpected new devices or device groups appearing in dashboards.
- Unusual script deployments initiated by admin accounts.
- Logins from unfamiliar IP addresses or geographies.
Step 5 — Reset Sessions and Credentials
- Force logout of all active EPM web sessions.
- Reset passwords for all EPM admin accounts.
- Ensure MFA is enabled for any SSO/IdP integrated with EPM.
Detection and Threat Hunting: What Your SOC Should Watch For
Your SOC and detection engineers should treat EPM dashboard abuse as a potential pivot point in broader attacks. Focus on correlating EPM activity with endpoint and network telemetry.
- Monitor for sudden spikes in EPM-driven software deployments or script executions.
- Alert on new device registrations or scan data from untrusted IP ranges.
- Watch for new or modified EPM admin accounts and role changes.
- Correlate suspicious EPM events with endpoint alerts (lateral movement, credential access, ransomware tooling).
If your environment uses a SIEM or XDR platform, flag Ivanti EPM logs and HTTP access logs as priority sources for correlation whenever critical management-plane vulnerabilities are disclosed.
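The log review in Step 4 and the SOC watch-list above share three concrete signals: scan data arriving from outside the ranges where managed devices live, console logins from outside the admin network, and bursts of admin-driven deployments. The script below is an added example that turns those three into rules over web-server access logs. It is not Ivanti tooling: the log format, the URL paths (`/device/scan`, `/console/login`, `/console/deploy`), the trusted network ranges and every sample line are constructed for the example, so substitute the paths and ranges from your own EPM access logs.

```python
"""Detection sketch for three EPM-console abuse signals: scan-data submissions
from untrusted ranges, console logins from outside the admin network, and
deployment bursts per admin account. Everything below (log format, paths,
network ranges, sample lines) is constructed for this example."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the management VLAN / VPN pool admins use, and the ranges
# from which managed devices legitimately report scan data.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.99.0.0/24")]
TRUSTED_DEVICE_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Hypothetical path names; take the real ones from your own EPM access logs.
SCAN_INGEST_PATH = "/device/scan"
CONSOLE_LOGIN_PATH = "/console/login"
DEPLOY_PATH = "/console/deploy"

DEPLOY_BURST_THRESHOLD = 3          # deployments per admin per window
DEPLOY_WINDOW = timedelta(minutes=5)

# Constructed combined-format access log lines; the third field carries the
# authenticated admin user for console requests.
CONSTRUCTED_LOG = """\
10.0.5.21 - - [12/Dec/2025:09:00:01 +0000] "POST /device/scan HTTP/1.1" 200 12
203.0.113.77 - - [12/Dec/2025:09:01:10 +0000] "POST /device/scan HTTP/1.1" 200 12
10.99.0.15 - alice [12/Dec/2025:09:05:00 +0000] "POST /console/login HTTP/1.1" 302 0
198.51.100.9 - bob [12/Dec/2025:09:06:30 +0000] "POST /console/login HTTP/1.1" 302 0
10.99.0.15 - alice [12/Dec/2025:09:07:00 +0000] "POST /console/deploy HTTP/1.1" 200 40
10.99.0.15 - alice [12/Dec/2025:09:07:05 +0000] "POST /console/deploy HTTP/1.1" 200 40
10.99.0.15 - alice [12/Dec/2025:09:07:09 +0000] "POST /console/deploy HTTP/1.1" 200 40
10.99.0.15 - alice [12/Dec/2025:09:07:12 +0000] "POST /console/deploy HTTP/1.1" 200 40
10.99.0.20 - carol [12/Dec/2025:09:30:00 +0000] "POST /console/deploy HTTP/1.1" 200 40
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    match = LINE_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def in_any(ip, nets):
    return any(ip in net for net in nets)


def analyse(log_text):
    """Return a list of (rule, detail) findings over the log text."""
    findings = []
    deploys = defaultdict(list)   # admin user -> timestamps of deployment requests
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, user = rec["ip"], rec["path"], rec["user"]
        if path == SCAN_INGEST_PATH and not in_any(ip, TRUSTED_DEVICE_NETS):
            findings.append(("scan_data_from_untrusted_range", str(ip)))
        elif path == CONSOLE_LOGIN_PATH and not in_any(ip, TRUSTED_ADMIN_NETS):
            findings.append(("console_login_outside_admin_net", f"{user}@{ip}"))
        elif path == DEPLOY_PATH:
            deploys[user].append(rec["ts"])
    # Sliding window over each admin's deployment timestamps: one finding per
    # admin whose count inside any window exceeds the threshold.
    for user, stamps in deploys.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > DEPLOY_WINDOW:
                start += 1
            if end - start + 1 > DEPLOY_BURST_THRESHOLD:
                findings.append(("deployment_burst", f"{user}: {end - start + 1} in {DEPLOY_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(CONSTRUCTED_LOG):
        print(rule, detail)
```

The burst rule is deliberately per-account rather than global, because a hijacked session shows up as one admin identity doing far more than usual; tune the threshold and window to the deployment cadence your change process actually produces so that scheduled rollouts do not page the SOC.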
How CyberDudeBivash Can Help Your Team Respond
CyberDudeBivash Pvt Ltd works with organizations that rely heavily on products like Ivanti EPM, M365, and other IT management platforms. When a vulnerability like CVE-2025-10573 appears, the real question is not just “Is there a patch?” — it is “How fast can we verify, patch, harden, and detect abuse across the entire estate?”
We support organizations with:
- Rapid management-plane risk assessment (EPM, VPNs, M365, identity providers).
- Configuration reviews and hardening of EPM and related tooling.
- Threat hunting and log review to check for historic exploitation attempts.
- Incident response planning for future Ivanti and infrastructure-level zero-days.
To discuss an Ivanti EPM security review or a broader management-plane risk assessment, visit our apps and services hub:
https://cyberdudebivash.com/apps-products
Recommended Security and Training Resources
- Kaspersky Premium – Endpoint Protection for High-Risk Admin Environments
- Edureka Cybersecurity Master Program – SOC, SIEM and Threat Hunting Skills
- Alibaba Cloud Resilience & DR – Hardening Management Planes with Cloud Controls
FAQ: Ivanti XSS Admin Control Alert
Is this just a cosmetic XSS bug?
No. Because the payload executes in the administrator’s browser and the EPM console controls entire endpoint fleets, this can translate into full environment compromise.
Has Ivanti released a patch?
Yes. Ivanti has issued an update in EPM 2024 SU4 SR1 that fixes CVE-2025-10573. Organizations should upgrade as soon as possible and verify that all EPM components are updated.
Can attackers exploit this without logging into EPM?
Public research indicates that the flaw can be exploited via crafted device scan data reaching the EPM server, which is then rendered to the admin dashboard. The attacker does not need normal console credentials if they can reach the vulnerable input surface.
What if my EPM server is only internally accessible?
That reduces exposure, but does not eliminate it. Insider threats, compromised internal accounts, or VPN breaches could still be leveraged. You should still patch and monitor.
#CyberDudeBivash #Ivanti #CVE202510573 #EndpointSecurity #AdminSecurity #XSSAttack #PatchNow #ThreatIntel