
Ivanti has issued Endpoint Manager 2024 SU4 SR1 to remediate multiple serious vulnerabilities in Endpoint Manager Core and remote consoles, most notably a critical stored XSS (CVE-2025-10573, CVSS 9.6) that can let unauthenticated network attackers inject JavaScript into administrator sessions, plus high-severity flaws enabling arbitrary file writes/dynamic code execution (CVE-2025-13659, CVSS 8.8), a signature-verification bypass with remote code execution potential (CVE-2025-13662, CVSS 7.8) and a path-traversal file-write bug (CVE-2025-13661, CVSS 7.1). Ivanti says the product is not intended to be internet-facing—lowering risk for internal-only deployments—and reports no known in-the-wild exploitation, but several issues depend on connections to untrusted cores or user interaction, increasing exposure for customers who publicly expose consoles or diverge from best practices. Administrators should apply the patch promptly and reassess exposure and server-trust configurations; the update follows a similar high-risk fix rolled out in November.
Ivanti has not published indicators of compromise for these issues. Exposure is highest for customers that publicly expose consoles or connect to untrusted cores, including managed service provider (MSP) environments, and the similar high-risk fix issued in November points to a pattern of recent critical patching in this product. Sentiment is mildly negative with a low market-impact score (0.25), implying the primary risks are operational, reputational and contract disruption rather than immediate large-scale market contagion; investors should monitor patch adoption rates, disclosure of incidents and any customer contract impacts.
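As an added example (not code from Ivanti or from the advisory), the following Python script ranks an Endpoint Manager inventory against the fix the page names, using the exposure conditions it lists: internet-facing consoles or cores first, then consoles connected to untrusted cores, then internal-only hosts. The version-string format ("YYYY SUn" with an optional "SRm"), the inventory shape and the sample hosts are assumptions constructed for the example; whether older yearly branches need a separate fix is not stated on the page, so those are flagged for a check against Ivanti's advisory rather than guessed.

```python
import re
from dataclasses import dataclass

# Version the page names as carrying the fix.
FIXED_VERSION = "2024 SU4 SR1"

# Assumed format: "YYYY SUn" or "YYYY SUn SRm"; a missing SR is treated as SR0.
_VERSION_RE = re.compile(r"^(\d{4})\s+SU(\d+)(?:\s+SR(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2024 SU4 SR1' into (2024, 4, 1) so versions compare as tuples."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EPM version string: {text!r}")
    year, su, sr = m.groups()
    return int(year), int(su), int(sr or 0)


def patch_status(version: str) -> str:
    """'fixed', 'vulnerable', or 'check-advisory' for yearly branches the page does not cover."""
    parsed = parse_version(version)
    fixed = parse_version(FIXED_VERSION)
    if parsed[0] != fixed[0]:
        # Other branches are not modelled here (assumption): verify against the vendor advisory.
        return "check-advisory"
    return "fixed" if parsed >= fixed else "vulnerable"


@dataclass(frozen=True)
class Host:
    name: str
    role: str                   # "core" or "console"
    version: str
    internet_facing: bool       # console or core reachable from the internet
    untrusted_core_link: bool   # console that connects to a core you do not control (e.g. MSP)


def priority(host: Host) -> int:
    """Lower is more urgent; the ranking mirrors the exposure conditions in the summary.

    Hosts on an unmodelled branch are ranked as if vulnerable (conservative) and their
    status string tells the operator to check the advisory.
    """
    if patch_status(host.version) == "fixed":
        return 3
    if host.internet_facing:
        return 0
    if host.untrusted_core_link:
        return 1
    return 2


def triage(hosts: list[Host]) -> list[tuple[str, int, str]]:
    """Return (name, priority, status) tuples, most urgent first, ties broken by name."""
    ranked = sorted(hosts, key=lambda h: (priority(h), h.name))
    return [(h.name, priority(h), patch_status(h.version)) for h in ranked]


# Constructed sample inventory for the example; not real hosts.
SAMPLE_INVENTORY = [
    Host("epm-core-dmz", "core", "2024 SU4", True, False),
    Host("console-msp-01", "console", "2024 SU3", False, True),
    Host("epm-core-internal", "core", "2024 SU4 SR1", False, False),
    Host("console-hq-02", "console", "2024 SU4", False, False),
    Host("epm-core-legacy", "core", "2022 SU6", False, False),
]

if __name__ == "__main__":
    for name, prio, status in triage(SAMPLE_INVENTORY):
        print(f"{prio}  {status:15}  {name}")
```

Feed the script your real console and core list in place of the constructed inventory; the internet-facing and untrusted-core flags are the two facts the advisory summary says most change the risk, so they should come from your network and server-trust configuration rather than from the hosts' own self-description.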