Analysis

Ivanti disclosed a critical cross-site scripting vulnerability in its Endpoint Manager (EPM) tracked as CVE-2025-10573 that can allow unauthenticated remote actors to execute arbitrary JavaScript via low-complexity XSS requiring user interaction; Rapid7 reported the flaw in August and Ivanti released EPM 2024 SU4 SR1 to address it. Ivanti’s EPM is used to manage clients across Windows, macOS, Linux, Chrome OS and IoT and the company services over 40,000 customers through more than 7,000 organizations worldwide, indicating broad enterprise impact if exploitation occurs. Shadowserver currently identifies hundreds of Internet-facing EPM instances—notably 569 in the U.S., 109 in Germany and 104 in Japan—amplifying exposure despite Ivanti noting EPM is not intended to be Internet-exposed. Ivanti also patched three additional high-severity flaws (including CVE-2025-13659 and CVE-2025-13662) that could enable code execution under conditions requiring user interaction or importing untrusted configurations; the company reports no evidence of pre-disclosure exploitation. CISA’s prior flags of exploited EPM vulnerabilities in March and October 2024 (multiple CVEs) underline elevated regulatory and operational risk for customers and vendors; this raises potential for near-term remediation costs, increased demand for third-party detection/patch services, and reputational/legal scrutiny for affected enterprises.