Ivanti is urging customers to quickly patch a critical vulnerability in its Endpoint Manager (EPM) product that could let remote attackers execute arbitrary JavaScript in administrator sessions through low-complexity cross-site scripting (XSS) attacks.The issue, tracked as CVE-2025-10573, affects the EPM web service and can be abused without authentication, but does require some user interaction to trigger.
The flaw stems from how Ivanti EPM handles managed endpoints presented to the primary web service. According to Rapid7 researcher Ryan Emmons, an attacker with unauthenticated access to the EPM web interface can register bogus managed endpoints and inject malicious JavaScript into the administrator dashboard. Once an EPM administrator views a poisoned dashboard widget as part of routine use, the injected code executes in the browser, allowing the attacker to hijack the admin session and act with their privileges.
Patch availability and exposure
Ivanti has released EPM 2024 SU4 SR1 to remediate CVE-2025-10573 and recommends customers install this update as soon as possible. The company str
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: