CVE-2025-10573: Critical Unauthenticated Stored XSS in Ivanti Endpoint Manager
A newly disclosed vulnerability in Ivanti Endpoint Manager (EPM) tracked as CVE-2025-10573 allows unauthenticated attackers to inject persistent JavaScript into the EPM administrative dashboard. Assigned a CVSS score of 9.6, this vulnerability presents a critical security risk because it enables attackers to hijack administrator sessions and gain full control over managed endpoints.
Ivanti has patched the vulnerability in EPM 2024 SU4 SR1, and organizations running earlier versions should prioritize immediate upgrades.
What Is CVE-2025-10573?
Risk Analysis
Severity: Critical
CVSSv3.1 Base Score: 9.6 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Exploit available in public: No
Exploit complexity: Low
Exploitability Score: 2.8
CVE-2025-10573 is an unauthenticated Stored Cross-Site Scripting (Stored XSS) vulnerability in Ivanti EPM’s core web interface. Ivanti Endpoint Manager (EPM) is a widely deployed endpoint administration and remote management solution.
The vulnerability exists in the incomingdata API, which is responsible for ingesting device scan data from managed endpoints.
Attackers can abuse this endpoint by submitting device scan data containing malicious JavaScript. Because the server does not sanitize fields before inserting them into the device database, the payload becomes permanently embedded in the EPM dashboard. When an administrator later views the affected page, the malicious script executes in their browser with full administrative privileges.
This passive trigger makes the attack extremely dangerous because no credential theft, brute force, or phishing is required. One simple scan submission poisons the dashboard indefinitely.
Ivanti EPM administrators can run remote commands, deploy software and scripts, change group policies, disable security tools, reconfigure endpoint settings, access sensitive device information, and push actions to thousands of managed endpoints. When an attacker gains control of an administrator’s session, they inherit all of these privileges, giving them the ability to fully compromise the organization’s entire endpoint fleet.
CVE-2025-10573: Detailed Exploit Analysis
Unauthenticated Access to the Incoming Data API – The vulnerable API (/incomingdata/postcgi.exe) accepts device scan files without requiring authentication. Anyone on the network can submit an arbitrary scan payload.
Malicious Input Embedded in Trusted Pages – Device scan files are processed by postcgi.exe, written to a processing directory, and inserted into the EPM database as key-value pairs. Multiple fields such as Device Name, Display Name, OS Name, and Host Name are directly rendered into the admin UI without escaping.
This allows attackers to insert raw JavaScript such as:
<script>alert('Administrator account hijacked')</script>
Automatic Execution in the Administrator’s Browser – When an EPM admin views device listings, frameset pages, or asset detail pages, the injected script runs inside the authenticated session.
This enables:
- full session hijacking
- arbitrary actions on the EPM server
- remote control of all managed endpoints
- lateral movement across the network
Because EPM administrators have the highest privileges, an attacker effectively takes control of the entire endpoint management infrastructure.
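The root cause described above is missing output encoding: scan fields are written to the database and later concatenated into admin pages as-is. The following Python example, added here and not taken from the advisory or from Ivanti's code, models that flaw beside its hardened form. The field names are the four the advisory lists; the device values are constructed sample data, and the way EPM itself builds its pages is not shown on the page, so the "unsafe" renderer is an illustrative model only.

```python
import html
from typing import Dict, Iterable, List

# Field names are the ones the advisory says are rendered without escaping;
# the device values below are constructed sample data, not real scan output.
RENDERED_FIELDS = ("Device Name", "Display Name", "OS Name", "Host Name")

SAMPLE_DEVICES: List[Dict[str, str]] = [
    {"Device Name": "WKS-0042", "Display Name": "Finance Laptop",
     "OS Name": "Windows 11 Pro", "Host Name": "wks-0042.corp.example"},
    # The advisory's own proof-of-concept string, submitted as a device name.
    {"Device Name": "<script>alert('Administrator account hijacked')</script>",
     "Display Name": "Unknown", "OS Name": "Linux", "Host Name": "unknown"},
]


def render_device_table_unsafe(devices: Iterable[Dict[str, str]]) -> str:
    """Simplified model of the flaw: stored scan fields are concatenated straight
    into the admin page markup, so a stored <script> tag is emitted as live markup.
    (How EPM itself builds the page is not shown in the advisory; this is an
    illustrative 'before' snippet, not Ivanti's code.)"""
    rows = []
    for dev in devices:
        cells = "".join(f"<td>{dev.get(field, '')}</td>" for field in RENDERED_FIELDS)
        rows.append(f"<tr>{cells}</tr>")
    return "<table>" + "".join(rows) + "</table>"


def render_device_table_safe(devices: Iterable[Dict[str, str]]) -> str:
    """Hardened form: every untrusted value is HTML-entity-encoded at output time.
    html.escape(quote=True) also encodes ' and ", so the same helper is safe for
    attribute values, not only element text."""
    rows = []
    for dev in devices:
        cells = "".join(
            f"<td>{html.escape(dev.get(field, ''), quote=True)}</td>"
            for field in RENDERED_FIELDS
        )
        rows.append(f"<tr>{cells}</tr>")
    return "<table>" + "".join(rows) + "</table>"


def emits_live_script(markup: str) -> bool:
    """True if the rendered page still contains an un-encoded <script tag,
    i.e. the stored payload would execute in an administrator's browser."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_device_table_unsafe),
                           ("safe", render_device_table_safe)):
        page = renderer(SAMPLE_DEVICES)
        print(f"{name}: live script present = {emits_live_script(page)}")
```

The point of the safe renderer is that encoding happens at the output boundary, per rendering context, rather than by trying to "sanitize" input on the way into the database: the stored value stays intact for forensics, and every page that displays it is protected regardless of which ingestion path wrote it.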
Why CVE-2025-10573 Is Extremely High Risk
Three factors make this vulnerability exceptionally dangerous:
- No authentication required: Attackers can exploit the vulnerability without an EPM account as long as they can reach the server.
- Persistent malicious payload: The injected script remains stored and continues to execute whenever an administrator views the poisoned entries, until it is manually removed.
- Compromises privileged admin sessions: Once triggered, the payload gives attackers full control of the EPM console and every managed device.
Together, these factors create a high-impact, low-effort attack path suited for internal threat actors, lateral movement, and malware operating inside compromised environments.
CVE-2025-10573: Patch and Mitigation Guidance
Ivanti has released a patch in EPM 2024 SU4 SR1, which completely resolves the vulnerability.
Organizations should:
- Patch immediately, especially in environments where the EPM server is accessible from broader internal networks
- Restrict access to the EPM web service to trusted management subnets
- Verify that EPM is not exposed to the public internet
- Monitor scan ingestion logs for suspicious or unexpected submissions
- Audit existing device scans for unusual field values or JavaScript fragments
- Review administrator session logs for signs of token theft or unauthorized actions
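Auditing existing device scans for JavaScript fragments is the one item in this list that is easy to automate. The following Python script is an added example, not a tool from the advisory, Ivanti or Indusface. It assumes the device table can be exported as key-value records (the export format is not described on the page), uses the four field names the advisory lists, and decodes URL-encoding and HTML entities before matching so that encoded variants of a payload are not missed; the sample export is constructed.

```python
import html
import re
import urllib.parse
from typing import Dict, List

# Fields the advisory names as rendered unescaped; extend with any other
# free-text scan fields your export contains.
AUDITED_FIELDS = ("Device Name", "Display Name", "OS Name", "Host Name")

# Ordered most-specific first; the first pattern that matches labels the finding.
PATTERNS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("script-url", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("html-tag", re.compile(r"<\s*[a-z!/][^>]*>", re.IGNORECASE)),
]


def normalize(value: str, rounds: int = 3) -> str:
    """Undo URL-encoding and HTML-entity encoding (a bounded number of times) so
    that a payload stored in encoded form is inspected in the form the browser
    would eventually see."""
    current = value
    for _ in range(rounds):
        decoded = html.unescape(urllib.parse.unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def audit_scan_records(records, fields=AUDITED_FIELDS) -> List[Dict[str, str]]:
    """Return one finding per (device, field) whose decoded value contains markup
    or script. Legitimate values for these fields never contain HTML tags, so any
    hit is worth a manual look and, if confirmed, removal of the poisoned entry."""
    findings = []
    for rec in records:
        for field in fields:
            raw = rec.get(field, "")
            decoded = normalize(raw)
            for category, pattern in PATTERNS:
                match = pattern.search(decoded)
                if match:
                    findings.append({
                        "device": rec.get("Device Name", "?"),
                        "field": field,
                        "category": category,
                        "match": match.group(0),
                        "raw": raw,
                    })
                    break
    return findings


# Constructed sample export: one clean record, the advisory's plain payload,
# and two encoded variants of the same script tag.
SAMPLE_EXPORT = [
    {"Device Name": "WKS-0042", "Display Name": "Finance Laptop",
     "OS Name": "Windows 11 Pro", "Host Name": "wks-0042.corp.example"},
    {"Device Name": "<script>alert('Administrator account hijacked')</script>",
     "Display Name": "Unknown", "OS Name": "Linux", "Host Name": "unknown"},
    {"Device Name": "WKS-0099", "Display Name": "%3Cscript%3Ealert(1)%3C/script%3E",
     "OS Name": "Windows 10", "Host Name": "wks-0099"},
    {"Device Name": "WKS-0100", "Display Name": "Lab PC", "OS Name": "Windows 10",
     "Host Name": "&lt;script src=//example.invalid/x.js&gt;&lt;/script&gt;"},
]


if __name__ == "__main__":
    for f in audit_scan_records(SAMPLE_EXPORT):
        print(f"[{f['category']}] device={f['device']!r} field={f['field']!r} "
              f"match={f['match']!r}")
```

Run it over a full export rather than a sample, and treat each finding as an incident artefact: record the raw value and the device it arrived under before deleting it, since the submitting host (or whoever could reach the unauthenticated ingestion path from it) is the next thing to investigate.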
At the time of advisory publication, Ivanti confirmed no known exploitation in the wild, but due to EPM’s history of targeted attacks, the window of safety is likely narrow.
How AppTrana WAAP Protects Against CVE-2025-10573
AppTrana WAAP delivers day-0 protection by detecting and blocking malicious scan submissions containing script tags, encoded HTML, or abnormal key–value patterns used to exploit CVE-2025-10573. By stopping these poisoned payloads at the edge before they reach the /incomingdata pipeline, AppTrana prevents the stored XSS from being written into the EPM dashboard.
This ensures attackers cannot hijack administrator sessions, even if the EPM server is not yet patched.
The screenshot below shows how AppTrana blocks malicious scan submissions attempting to exploit CVE-2025-10573 before they reach the EPM server.

December 11, 2025