Ivanti has patched a critical vulnerability in Endpoint Manager that enables attackers to hijack administrator sessions without authentication and potentially control thousands of enterprise devices.
The company released EPM version 2024 SU4 SR1 to address four vulnerabilities, including the critical flaw tracked as CVE-2025-10573, which carries a CVSS score of 9.6. Three additional high-severity flaws could also enable code execution but require user interaction, Ivanti said in its December security advisory on Tuesday.
Ivanti said the vulnerabilities were reported through its responsible disclosure program, adding that it was not aware of any customer systems being exploited at the time of disclosure.
EPM has been targeted before. In March, CISA added three EPM vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming exploitation in the wild. The flaws had been patched in January after being reported privately to Ivanti.
Given EPM’s history of being targeted by attackers and the severity of the flaw, security teams should treat this as a patch-immediately situation rather than a routine update.
The December update also fixed CVE-2025-13659 and CVE-2025-13662, which allow attackers to execute arbitrary code when users connect to an untrusted core server or import untrusted configuration files. Another enables unauthorized file writes on the server.
Unauthenticated attack vector
The most severe vulnerability is a stored cross-site scripting flaw discovered by Ryan Emmons, staff security researcher at Rapid7, who reported it to Ivanti in August.
According to Rapid7’s technical disclosure, also published Tuesday, attackers can submit malicious device scan data to EPM’s incoming data API without authentication. The malicious data gets processed and embedded in the EPM web dashboard, where it executes when administrators view affected pages.
“An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript,” Emmons wrote in the report.
Once the malicious JavaScript executes, attackers gain control of the admin session with full privileges to remotely control endpoints and install software on devices.
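As an added illustration (not Ivanti’s code or Rapid7’s research), here is a minimal Python model of the weakness described above: an inventory dashboard that concatenates unauthenticated device scan fields straight into HTML, beside a hardened version that validates records at ingestion, escapes on output, and a sweep that flags already-stored records carrying markup. The field names and sample records are constructed assumptions.

```python
import html
import re

# Constructed sample "device scan" records, as an unauthenticated endpoint
# might report them. The second one carries markup in the hostname field.
SCAN_RECORDS = [
    {"device_id": "dev-001", "hostname": "WS-FINANCE-07", "os": "Windows 11"},
    {"device_id": "dev-002", "hostname": '<img src=x onerror="alert(1)">', "os": "Windows 10"},
]

MARKUP = re.compile(r"[<>\"'&]")
HOSTNAME_OK = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")
FIELDS = ("device_id", "hostname", "os")


def render_row_vulnerable(rec):
    # Concatenates attacker-controlled fields directly into HTML: stored XSS.
    return f"<tr><td>{rec['device_id']}</td><td>{rec['hostname']}</td><td>{rec['os']}</td></tr>"


def render_row_hardened(rec):
    # Encode every untrusted field for the HTML text context before rendering.
    cells = (html.escape(str(rec[k]), quote=True) for k in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def validate_scan_record(rec):
    # Reject at ingestion: hostname must match the allowed charset, and no
    # field may contain HTML metacharacters at all.
    if not HOSTNAME_OK.match(rec.get("hostname", "")):
        return False
    return not any(MARKUP.search(str(v)) for v in rec.values())


def suspicious_records(records):
    # Detection sweep over stored inventory: which records carry markup?
    return [r["device_id"] for r in records if any(MARKUP.search(str(v)) for v in r.values())]


def render_dashboard(records):
    # Defence in depth: drop invalid records, then escape whatever is rendered.
    rows = [render_row_hardened(r) for r in records if validate_scan_record(r)]
    return "<table>" + "".join(rows) + "</table>"
```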
Nick Tausek, lead security automation architect at Swimlane, warned, “Exploitation of this flaw would grant threat actors access to many managed devices at once, allowing for the execution of malicious code, deployment of ransomware, or exfiltration of sensitive data.”
The patching challenge
Despite the severity of such threats, organizations frequently struggle to address critical vulnerabilities quickly: Tausek said Swimlane research found 68% of organizations leave critical flaws unpatched for over 24 hours and 55% don’t have a comprehensive system for prioritizing vulnerabilities.
The delay is particularly risky for endpoint management systems, which run with elevated privileges and control thousands of devices. Successful exploitation could bypass security controls and allow attackers to push malware to managed endpoints, modify security configurations, or establish persistent backdoors across the enterprise.
“The potential for a serious exploitation campaign should not be overlooked,” Tausek said.
Pattern of exploitation
That concern is not theoretical. EPM’s history makes rapid patching more urgent. CISA added three EPM vulnerabilities (CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161) to its Known Exploited Vulnerabilities catalog in March after confirming active exploitation. The agency flagged another exploited EPM flaw (CVE-2024-29824) in October.
The repeated targeting demonstrates EPM’s value to attackers seeking persistent network access and lateral movement capabilities. Once attackers compromise endpoint management infrastructure, they can spread across the enterprise rapidly.
Deployment guidance
The patch is available through the Ivanti License System and applies to EPM versions 2024 SU4 and earlier. Organizations running the 2022 branch should note that it reaches end of life in October 2025 and will no longer receive security updates after that date, the Ivanti advisory added.
Security teams should prioritize updating EPM instances to version 2024 SU4 SR1 immediately, particularly any installations accessible from untrusted networks. Organizations with internet-facing EPM instances face the highest risk and should patch within 24 hours.
For organizations that can’t patch immediately, the advisory recommended ensuring EPM management interfaces aren’t exposed to the public internet and implementing strict network segmentation to isolate management servers from untrusted networks.
Tausek also recommended training administrators to recognize social engineering attacks, since the critical XSS vulnerability requires viewing a poisoned dashboard page to trigger.
“Since EPMs often run with high privileges, any misuse of it risks bypassing security controls and rapidly escalating the impact of a breach,” Tausek added.