Ivanti on Tuesday introduced patches for 4 vulnerabilities in Endpoint Supervisor (EPM), together with a critical-severity flaw resulting in distant code execution (RCE).
The safety defect, tracked as CVE-2025-10573 (CVSS rating of 9.6), is described as a saved cross-site scripting (XSS) challenge that may be exploited with out authentication.
Offering organizations with distant administration, vulnerability scanning, and administration of linked techniques, Ivanti EPM consists of an API that consumes gadget scan knowledge.
The vital EPM vulnerability permits attackers to submit gadget scan knowledge containing malicious payloads that might be processed and embedded within the internet dashboard, says Rapid7, which found and reported the bug in August.
When an administrator accesses the dashboard interface and views the gadget data, the payload triggers client-side JavaScript execution, permitting the attacker to realize management of the administrator’s session, the corporate explains.
The bug has been addressed with the discharge of Ivanti EPM 2024 SU4 SR1, which additionally addresses three high-severity bugs.
The primary, CVE-2025-13659, is described because the improper management of dynamically managed code assets, which may permit distant, unauthenticated attackers to put in writing arbitrary recordsdata on the server.
Profitable exploitation of the safety defect may result in RCE, however person interplay is required, Ivanti notes in its advisory.Commercial. Scroll to proceed studying.
The second high-severity challenge is CVE-2025-13661, a path traversal flaw that may be exploited remotely to put in writing arbitrary recordsdata exterior of the meant listing. Its exploitation requires authentication.
The third high-severity weak point is described because the “improper verification of cryptographic signatures within the patch administration part” of EPM.
Tracked as CVE-2025-13662, it permits distant, unauthenticated attackers to realize RCE, however requires person interplay.
Ivanti says it isn’t conscious of any of those vulnerabilities being exploited within the wild. Customers are suggested to replace to the most recent variations of Ivanti EPM as quickly as potential.
Associated: Excessive-Severity Vulnerabilities Patched by Ivanti and Zoom
Associated: Excessive-Severity Vulnerabilities Patched by Fortinet and Ivanti
Associated: ZDI Drops 13 Unpatched Ivanti Endpoint Supervisor Vulnerabilities
Associated: CISA Analyzes Malware From Ivanti EPMM Intrusions
