
Stored XSS in Ivanti EPM Allows Admin Session Hijacking

Severity

High

Analysis Summary

A critical stored cross-site scripting (XSS) vulnerability has been identified in Ivanti Endpoint Manager (EPM) versions 2024 SU4 and earlier. Tracked as CVE-2025-10573 and rated High on the CVSS scale, the flaw allows attackers to compromise administrator sessions without authentication. It was officially patched on December 9, 2025, with the release of Ivanti EPM 2024 SU4 SR1. Because the issue is both severe and exploitable without credentials, affected systems face a high risk of complete administrative compromise.

The vulnerability exists in the ‘incomingdata’ web API, which processes device scan data but fails to properly validate or sanitize user-supplied input. An unauthenticated attacker can abuse this weakness by sending crafted POST requests to the ‘/incomingdata/postcgi.exe’ endpoint. Malicious JavaScript payloads can be embedded within device-related fields such as Device ID, Display Name, or OS Name, which are then stored directly in the EPM device database.

Once the malicious data is stored, it is rendered in multiple administrator-facing web dashboard pages, including ‘frameset.aspx’ and ‘db_frameset.aspx’. When an Ivanti EPM administrator accesses these pages during routine operations, the injected JavaScript executes automatically in the browser. No interaction beyond viewing the page is required, so this results in full administrator session hijacking and grants attackers complete control over the EPM web interface.

Successful exploitation can have severe organizational impact, as Ivanti EPM is widely used for endpoint management, vulnerability scanning, and remote administration. Attackers gaining administrative access can potentially control managed endpoints, deploy unauthorized software, and manipulate security policies. According to Rapid7, organizations should immediately upgrade to Ivanti EPM 2024 SU4 SR1, as prompt patching is the only effective mitigation against this unauthenticated, high-impact vulnerability.

Impact

  • Gain Access
  • Cross-site Scripting

Indicators of Compromise

CVE

  • CVE-2025-10573

Affected Vendors

Ivanti

Remediation

  • Upgrade Ivanti EPM to version 2024 SU4 SR1 immediately.
  • Restrict access to the EPM web service to trusted networks only.
  • Validate and sanitize any user-supplied input if custom scripts or integrations are used.
  • Monitor administrator dashboards for suspicious device entries or unexpected behavior.
  • Educate administrators about the risk of opening dashboards with unverified device data.
  • Implement web application security controls, such as a Web Application Firewall (WAF), to detect and block XSS attempts.
  • Regularly review and patch all EPM instances to stay protected against known vulnerabilities.
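To make the monitoring step concrete, and to show why the rendering described in the analysis is dangerous, here is an added example in Python (not Ivanti's code and not part of the original advisory). It scans constructed device records for HTML or script markup in the fields the advisory names, and places the verbatim-echo rendering pattern beside the output-escaped form that prevents stored XSS. The field names, record layout and detection patterns are assumptions, not Ivanti's own schema or validation rules.

```python
import html
import re
from dataclasses import dataclass

# Heuristics for markup that has no business in an inventory field.
# Constructed for illustration; not Ivanti's validation rules.
MARKUP_PATTERNS = [
    re.compile(r"<\s*/?\s*[a-z][^>]*>", re.I),   # any HTML tag
    re.compile(r"\bon[a-z]+\s*=", re.I),         # inline event-handler attribute
    re.compile(r"javascript\s*:", re.I),         # javascript: URL scheme
    re.compile(r"&#x?[0-9a-f]+;", re.I),         # numeric-entity obfuscation
]

# The device fields named in the advisory (assumed attribute names).
INSPECTED_FIELDS = ("device_id", "display_name", "os_name")


@dataclass
class DeviceRecord:
    device_id: str
    display_name: str
    os_name: str


def suspicious_fields(record: DeviceRecord) -> dict:
    """Return {field: value} for each inspected field that carries markup."""
    hits = {}
    for field in INSPECTED_FIELDS:
        value = getattr(record, field)
        if any(p.search(value) for p in MARKUP_PATTERNS):
            hits[field] = value
    return hits


def render_cell_unsafe(value: str) -> str:
    """How stored XSS arises: the stored value is echoed verbatim into HTML."""
    return f"<td>{value}</td>"


def render_cell_safe(value: str) -> str:
    """Hardened form: escape on output so stored markup is shown, not executed."""
    return f"<td>{html.escape(value, quote=True)}</td>"


# Constructed sample inventory: one benign record, one carrying an injected tag.
SAMPLE_INVENTORY = [
    DeviceRecord("WS-0042", "Finance Laptop 42", "Windows 11 Pro"),
    DeviceRecord("WS-0099", "<script>alert(1)</script>", "Windows 10 Enterprise"),
]


def scan_inventory(records) -> list:
    """Return (index, hits) for every record with markup in an inspected field."""
    return [(i, suspicious_fields(r)) for i, r in enumerate(records) if suspicious_fields(r)]
```

Running `scan_inventory(SAMPLE_INVENTORY)` flags only the second record; feeding the same value through `render_cell_safe` shows it neutralised as text.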