Ivanti EPM Update Patches Critical Remote Code Execution Flaw

Ivanti EPM Update Patches Critical Remote Code Execution Flaw

Posted on By CWS

Ivanti on Tuesday introduced patches for 4 vulnerabilities in Endpoint Supervisor (EPM), together with a critical-severity flaw resulting in distant code execution (RCE).

The safety defect, tracked as CVE-2025-10573 (CVSS rating of 9.6), is described as a saved cross-site scripting (XSS) challenge that may be exploited with out authentication.

Offering organizations with distant administration, vulnerability scanning, and administration of linked techniques, Ivanti EPM consists of an API that consumes gadget scan knowledge.

The vital EPM vulnerability permits attackers to submit gadget scan knowledge containing malicious payloads that might be processed and embedded within the internet dashboard, says Rapid7, which found and reported the bug in August.

When an administrator accesses the dashboard interface and views the gadget data, the payload triggers client-side JavaScript execution, permitting the attacker to realize management of the administrator’s session, the corporate explains.

The bug has been addressed with the discharge of Ivanti EPM 2024 SU4 SR1, which additionally addresses three high-severity bugs.

The primary, CVE-2025-13659, is described because the improper management of dynamically managed code assets, which may permit distant, unauthenticated attackers to put in writing arbitrary recordsdata on the server.

Profitable exploitation of the safety defect may result in RCE, however person interplay is required, Ivanti notes in its advisory.Commercial. Scroll to proceed studying.

The second high-severity challenge is CVE-2025-13661, a path traversal flaw that may be exploited remotely to put in writing arbitrary recordsdata exterior of the meant listing. Its exploitation requires authentication.

The third high-severity weak point is described because the “improper verification of cryptographic signatures within the patch administration part” of EPM.

Tracked as CVE-2025-13662, it permits distant, unauthenticated attackers to realize RCE, however requires person interplay.

Ivanti says it isn’t conscious of any of those vulnerabilities being exploited within the wild. Customers are suggested to replace to the most recent variations of Ivanti EPM as quickly as potential.

Associated: Excessive-Severity Vulnerabilities Patched by Ivanti and Zoom

Associated: Excessive-Severity Vulnerabilities Patched by Fortinet and Ivanti

Associated: ZDI Drops 13 Unpatched Ivanti Endpoint Supervisor Vulnerabilities

Associated: CISA Analyzes Malware From Ivanti EPMM Intrusions

Security Week News Tags:, , , , , , , ,

Related Posts

Cisco SD-WAN Vulnerability Exploitation Grows Rapidly Cisco SD-WAN Vulnerability Exploitation Grows Rapidly Security Week News
Allure Security Secures M for Brand Protection Allure Security Secures $17M for Brand Protection Security Week News
Nike Probing Potential Security Incident as Hackers Threaten to Leak Data Nike Probing Potential Security Incident as Hackers Threaten to Leak Data Security Week News
In Other News: Critical Zoom Flaw, City’s Water Threatened by Hack, 0 Billion OT Cyber Risk In Other News: Critical Zoom Flaw, City’s Water Threatened by Hack, $330 Billion OT Cyber Risk Security Week News
Cyber Insights 2026: External Attack Surface Management Cyber Insights 2026: External Attack Surface Management Security Week News
Ivanti Patches Two EPMM Zero-Days Exploited to Hack Customers Ivanti Patches Two EPMM Zero-Days Exploited to Hack Customers Security Week News