Ivanti Patches Critical Security Vulnerability in Endpoint Manager

An update for Ivanti's Endpoint Manager closes, among other things, a critical security vulnerability that could allow attackers to inject JavaScript.

Several security vulnerabilities have been discovered in Endpoint Manager, Ivanti's network software management solution. The manufacturer rates one of them as a critical risk. Updates that close the vulnerabilities are now available.

In a security advisory, Ivanti writes that the vulnerabilities are present in both the Endpoint Manager Core and the remote consoles. Of the four weaknesses, the most severe is a "Stored Cross-Site-Scripting" (Stored XSS) type, which allows unauthenticated attackers from the network to inject and store JavaScript code on vulnerable servers. This code can then be executed in the context of, for example, an administrator session (CVE-2025-10573, CVSS 9.6, Risk "critical"). Ivanti does not elaborate on what specific attacks would look like. However, the manufacturer states that Ivanti EPM is not intended to be accessible from the internet; if customers do not operate the system on the public internet, the risk of this vulnerability is significantly lower.

Additionally, unauthorized malicious actors from the network can write arbitrary files to servers, potentially injecting and executing malicious code. This is due to insufficient checks on "dynamically managed code resources" (CVE-2025-13659, CVSS 8.8, Risk "high"). The problem narrowly misses classification as a critical threat. Ivanti explains that a prerequisite for exploitation would be for customers to connect to an untrusted core server; however, according to "best practices" recommendations, customers should exclusively connect their Ivanti EPM to trusted servers.

In the patch management component, insufficient verification of cryptographic signatures allows unauthenticated attackers from the network to execute arbitrary code (CVE-2025-13662, CVSS 7.8, Risk "high"). Furthermore, authenticated users can store arbitrary files outside of intended directories due to a path traversal vulnerability (CVE-2025-13661, CVSS 7.1, Risk "high").

Ivanti does not detail how attacks on these vulnerabilities might specifically occur but emphasizes that user interaction is necessary for all successful exploits. To date, the manufacturer has no knowledge of these vulnerabilities being exploited in the wild. Therefore, Ivanti cannot provide Indicators of Compromise (IOCs).

The update to Ivanti Endpoint Manager 2024 SU4 SR1 closes all of the vulnerabilities mentioned. IT administrators should therefore install it promptly.

In November of this year, Ivanti also had to close a security vulnerability in Endpoint Manager. It was likewise rated high-risk and allowed attackers to write files to the hard drives of victim PCs.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.