Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSS

Posted on December 10, 2025, updated December 11, 2025, by CWS

A critical stored cross-site scripting vulnerability has been disclosed in Ivanti Endpoint Manager (“EPM”) versions 2024 SU4 and below that could enable attackers to hijack administrator sessions without authentication.

The vulnerability, identified as CVE-2025-10573, has been assigned a CVSS score of 9.6 and was patched on December 9, 2025, with the release of Ivanti EPM version 2024 SU4 SR1.

An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server, poisoning the administrator’s web dashboard with malicious JavaScript. When an Ivanti EPM administrator views the contaminated dashboard during normal operations, that passive interaction alone triggers client-side JavaScript execution, granting the attacker complete control of the administrator’s session.

Attribute            Details
CVE ID               CVE-2025-10573
Vulnerability Type   Stored Cross-Site Scripting (XSS)
CVSS Score           9.6
Affected Product     Ivanti Endpoint Manager (EPM)
Affected Versions    EPM 2024 SU4 and below

The vulnerability stems from the ‘incomingdata’ web API, which processes device scan data without proper input validation.

Attackers can submit malicious payloads through this unauthenticated endpoint. The payloads are stored in the device database and later rendered, without output encoding, in the administrator dashboard interface.

An unauthenticated attacker can craft a POST request to the ‘/incomingdata/postcgi.exe’ endpoint containing XSS payloads embedded in device scan fields such as Device ID, Display Name, or OS Name.

These payloads are automatically processed and added to the device database without sanitization. When administrators access web dashboard pages that display device information, including ‘frameset.aspx’ and ‘db_frameset.aspx’, the malicious scripts execute in their browsers.
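As an added example, not code from the article or from Ivanti, the Python sketch below shows the defender's two halves of this bug class: HTML-escaping the device scan fields the article names (Device ID, Display Name, OS Name) before they reach a dashboard page, and an audit that flags inventory records already carrying markup, since patching the intake endpoint does not clean records that were stored before the upgrade. The record shape, field names and sample inventory are constructed assumptions, not EPM's real schema.

```python
import html
import re

# Device-scan fields the article names as the XSS carriers (assumed key names).
SUSPECT_FIELDS = ("device_id", "display_name", "os_name")

# Markup that has no business in a device ID, hostname or OS string:
# a tag opener, a javascript: URL, or an inline event handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def flag_record(record):
    """Return the fields of one inventory record that contain HTML/JS markup."""
    return [f for f in SUSPECT_FIELDS if MARKUP_RE.search(str(record.get(f, "")))]


def audit_inventory(records):
    """Map each suspicious device ID to the fields that need review/cleanup."""
    return {r["device_id"]: fields for r in records if (fields := flag_record(r))}


def render_row(record):
    """Build one dashboard table row with every field HTML-escaped,
    the safe counterpart of dropping raw inventory strings into a page."""
    cells = "".join(
        f"<td>{html.escape(str(record.get(f, '')), quote=True)}</td>" for f in SUSPECT_FIELDS
    )
    return f"<tr>{cells}</tr>"


# Constructed sample inventory (not real EPM data): one clean host, two poisoned ones.
SAMPLE_RECORDS = [
    {"device_id": "WS-0042", "display_name": "finance-laptop-07", "os_name": "Windows 11 Pro"},
    {"device_id": "WS-0043", "display_name": "<script src=//example.invalid/x.js></script>",
     "os_name": "Windows 10"},
    {"device_id": "WS-0044", "display_name": "hr-desktop",
     "os_name": 'Ubuntu 22.04 <img src=x onerror="...">'},
]

if __name__ == "__main__":
    for dev, fields in audit_inventory(SAMPLE_RECORDS).items():
        print(f"review {dev}: markup in {', '.join(fields)}")
    print(render_row(SAMPLE_RECORDS[1]))
```

The regex is deliberately broad (a legitimate name such as "onion=" would also be flagged); for an audit, a false positive to eyeball is cheaper than a missed stored payload.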

Ivanti EPM is a widely deployed endpoint management software used by organizations for remote administration, vulnerability scanning, and compliance management.

Successful exploitation enables attackers to remotely control endpoints and install unauthorized software, making this vulnerability particularly dangerous.

According to Rapid7, organizations should immediately upgrade to Ivanti EPM version 2024 SU4 SR1. Because this vulnerability is exploitable without authentication, patching affected instances as soon as possible is critical.
