Ivanti EPM Update Patches Critical Remote Code Execution Flaw

Ivanti EPM Update Patches Critical Remote Code Execution Flaw

Posted on By CWS

Ivanti on Tuesday introduced patches for 4 vulnerabilities in Endpoint Supervisor (EPM), together with a critical-severity flaw resulting in distant code execution (RCE).

The safety defect, tracked as CVE-2025-10573 (CVSS rating of 9.6), is described as a saved cross-site scripting (XSS) challenge that may be exploited with out authentication.

Offering organizations with distant administration, vulnerability scanning, and administration of linked techniques, Ivanti EPM consists of an API that consumes gadget scan knowledge.

The vital EPM vulnerability permits attackers to submit gadget scan knowledge containing malicious payloads that might be processed and embedded within the internet dashboard, says Rapid7, which found and reported the bug in August.

When an administrator accesses the dashboard interface and views the gadget data, the payload triggers client-side JavaScript execution, permitting the attacker to realize management of the administrator’s session, the corporate explains.

The bug has been addressed with the discharge of Ivanti EPM 2024 SU4 SR1, which additionally addresses three high-severity bugs.

The primary, CVE-2025-13659, is described because the improper management of dynamically managed code assets, which may permit distant, unauthenticated attackers to put in writing arbitrary recordsdata on the server.

Profitable exploitation of the safety defect may result in RCE, however person interplay is required, Ivanti notes in its advisory.Commercial. Scroll to proceed studying.

The second high-severity challenge is CVE-2025-13661, a path traversal flaw that may be exploited remotely to put in writing arbitrary recordsdata exterior of the meant listing. Its exploitation requires authentication.

The third high-severity weak point is described because the “improper verification of cryptographic signatures within the patch administration part” of EPM.

Tracked as CVE-2025-13662, it permits distant, unauthenticated attackers to realize RCE, however requires person interplay.

Ivanti says it isn’t conscious of any of those vulnerabilities being exploited within the wild. Customers are suggested to replace to the most recent variations of Ivanti EPM as quickly as potential.

Associated: Excessive-Severity Vulnerabilities Patched by Ivanti and Zoom

Associated: Excessive-Severity Vulnerabilities Patched by Fortinet and Ivanti

Associated: ZDI Drops 13 Unpatched Ivanti Endpoint Supervisor Vulnerabilities

Associated: CISA Analyzes Malware From Ivanti EPMM Intrusions

Security Week News Tags:, , , , , , , ,

Related Posts

Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime Security Week News
CMMC Live: Pentagon Demands Verified Cybersecurity From Contractors CMMC Live: Pentagon Demands Verified Cybersecurity From Contractors Security Week News
Hacker Conversations: Kunal Agarwal and the DNA of a Hacker Hacker Conversations: Kunal Agarwal and the DNA of a Hacker Security Week News
Researchers Expose WHILL Wheelchair Safety Risks via Remote Hacking Researchers Expose WHILL Wheelchair Safety Risks via Remote Hacking Security Week News
Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks Security Week News
Compumedics Ransomware Attack Led to Data Breach Impacting 318,000 Compumedics Ransomware Attack Led to Data Breach Impacting 318,000 Security Week News