Ivanti has formally released urgent security updates for its Endpoint Manager (EPM) solution to address four distinct security flaws. The latest advisory highlights one critical vulnerability and three high-severity issues that could allow attackers to execute arbitrary code, write files on the server, or bypass security restrictions.
While the company confirmed that it is not aware of any active exploitation of these flaws in the wild at the time of disclosure, administrators are urged to apply the patches immediately to prevent potential attacks.
The vulnerabilities affect Ivanti Endpoint Manager versions 2024 SU4 and prior. To remediate these issues, the vendor has released version 2024 SU4 SR1, which is now available via the Ivanti License System (ILS).
The most severe issue in this update is tracked as CVE-2025-10573, a Stored Cross-Site Scripting (XSS) vulnerability carrying a critical CVSS score of 9.6.
This flaw exists in versions prior to 2024 SU4 SR1 and allows a remote, unauthenticated attacker to execute arbitrary JavaScript within an administrator's session.
Successful exploitation of this vulnerability requires user interaction (an administrator must view the page carrying the stored payload), but the potential impact on administrative confidentiality and integrity is significant.
Alongside this critical flaw, Ivanti addressed three high-severity vulnerabilities. CVE-2025-13659 involves improper control of dynamically managed code resources, allowing unauthenticated attackers to write arbitrary files on the server, potentially leading to remote code execution.
The remaining two flaws, CVE-2025-13661 and CVE-2025-13662, relate to path traversal and improper cryptographic signature verification, respectively. Both require user interaction, specifically the import of untrusted configuration files by an administrator.
| CVE Number | Description | Severity | CVSS Score |
| --- | --- | --- | --- |
| CVE-2025-10573 | Stored XSS allowing remote unauthenticated attackers to execute arbitrary JavaScript in admin sessions. | Critical | 9.6 |
| CVE-2025-13659 | Improper control of code resources allowing arbitrary file writing and potential RCE. | High | 8.8 |
| CVE-2025-13662 | Improper verification of cryptographic signatures in patch management allowing arbitrary code execution. | High | 7.8 |
| CVE-2025-13661 | Path traversal allowing authenticated attackers to write files outside intended directories. | High | 7.1 |
Mitigations
Ivanti has emphasized specific mitigations for environments where immediate patching might be delayed. Regarding the critical XSS flaw (CVE-2025-10573), the company noted that EPM is not intended to be an internet-facing solution.
Organizations that have ensured their management interface is not exposed to the public internet significantly reduce the risk from this vulnerability, although an attacker with internal network access could still reach it, so this is a stopgap rather than a substitute for the patch.
The discovery of these vulnerabilities was credited to several security researchers working through responsible disclosure channels.
Ivanti acknowledged the contributions of Ryan Emmons from Rapid7 for identifying the critical XSS flaw, Piotr Bazydlo (@chudyPB) of watchTowr for the file writing vulnerability, and researchers working with the Trend Zero Day Initiative for the remaining path traversal and signature verification issues.
Since no known indicators of compromise (IoCs) currently exist, applying the vendor-supplied patch remains the primary defense.
