- Description
- Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
- Source
- 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
- NVD status
- Analyzed
- Products
- endpoint_manager
CVSS 3.1
- Type
- Primary
- Base score
- 6.1
- Impact score
- 2.7
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Severity
- MEDIUM
- 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
- CWE-79
- Hype score
- Not currently trending
🚨 Ivanti Endpoint Manager – Dec 19, 2025 Critical vulnerabilities and security advisory for Ivanti Endpoint Manager, including CVE-2025-10573 and related remote code execution risks. Check out our Threat Intelligence Platform: https://t.co/QuwNtEhw6z... https://t.co/T18FWuk
@transilienceai
19 Dec 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical vulnerability alert for Ivanti Endpoint Manager (EPM) – CVE-2025-10573. ThaiCERT has detected a report of a critical-severity vulnerability, number CVE-202
@ThaiCERTByNCSA
15 Dec 2025
49 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-10573 Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an admi… https://t.co/Offkbsj1tT
@CVEnew
14 Dec 2025
227 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 CVE-2025-10573 | Ivanti Endpoint Manager Critical stored XSS (CVSS 9.6) → unauth JS in admin sessions. 🔧 Fixed in Ivanti EPM 2024 SU4 SR1 (Dec 9) 📊 Censys sees 1,898 exposed EPM instances, 80 vulnerable ➡️ Upgrade immediately. 🔗https://t.co/4EyNonmMaM #CVE2
@censysio
12 Dec 2025
5862 Impressions
20 Retweets
72 Likes
29 Bookmarks
6 Replies
0 Quotes
🔴 CVE-2025-10573: Ivanti EPM Stored XSS Hijacks Admin Sessions Ivanti Endpoint Manager has critical stored XSS (CVSS 9.0) that escalates to full admin takeover. What's clever: attackers inject malicious scripts into EPM's web interface that execute when administrators view
@the_c_protocol
11 Dec 2025
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ivanti EPM XSS nightmare (CVE-2025-10573): Unauth attackers drop JS bombs for code exec. Fortinet's duo of auth bypasses (FortiOS et al.) join the party. SAP's 14 vulns too—patch parade! https://t.co/4SUomvqmXw #Ivanti #Fortinet #SAPSecurity
@ImperialTechSvc
11 Dec 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
X crew, threats don't take holidays. Today's drop: Microsoft's mega Patch Tuesday slams 56 flaws (1 zero-day exploited!), ransomware exploding on hypervisors (+700%), and a sneaky new CastleLoader malware variant slinging Python payloads. Plus, Ivanti's XSS bomb (CVE-2025-10573)
@ImperialTechSvc
11 Dec 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ivanti warns of critical code execution flaw in Endpoint Manager https://t.co/v3sYbERyk9 #Cross-siteScripting #cve-2025-10573 #RemoteCodeExecution
@wizconsults
10 Dec 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Ivanti releases patches for critical Endpoint Manager flaw CVE-2025-10573 allowing remote unauthenticated JavaScript code execution in admin sessions. PoC exploit reported, updates urged. #Vulnerability https://t.co/GqJMv8I5Rn
@threatcluster
10 Dec 2025
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 We are warning about a critical vulnerability in Ivanti Endpoint Manager (EPM), CVE-2025-10573. It is a Stored XSS flaw that allows a remote unauthenticated attacker to inject malicious JavaScript into the administrator interface via fale
@GOVCERT_CZ
10 Dec 2025
598 Impressions
0 Retweets
3 Likes
0 Bookmarks
0 Replies
0 Quotes
Ivanti EPM suffers stored XSS (CVE-2025-10573, CVSS 9.6) enabling remote code execution - patch now and check UI sanitization. https://t.co/eACfm4FS7t #infosec #Ivanti
@_UncleHacker_
10 Dec 2025
16 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Security Bulletin: Ivanti EPM (CVE-2025-10573, CVSS 9.6) contains a stored XSS flaw that runs attacker scripts when admins load compromised fields. Patch to 2024 SU4 SR1 now. #ThreatIntel #RedLeggCTI https://t.co/ArD4i6n8du
@RedLegg
9 Dec 2025
81 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Earlier this year, Rapid7 researchers discovered a stored cross-site scripting (XSS) vuln. in #Ivanti Endpoint Manager (EPM) – affecting versions 2024 SU4 and below. Now patched, CVE-2025-10573 has been assigned a CVSS score of 9.6. More in our blog: https://t.co/FtdADlLL
@rapid7
9 Dec 2025
9141 Impressions
22 Retweets
50 Likes
18 Bookmarks
2 Replies
0 Quotes
[CVE-2025-10573: CRITICAL] Critical stored XSS vulnerability in Ivanti Endpoint Manager (pre-2024 SU4 SR1) lets remote attacker run malicious JavaScript in admin session. User interaction needed. #cve, CVE-2025-10573, #cybersecurity https://t.co/lKnf20YeQn https://t.co/4JKsBO3PDE
@CveFindCom
9 Dec 2025
106 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7ABDE6FE-56CC-4A46-91F2-2F54C3EC6A75",
"versionEndExcluding": "2024",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:-:*:*:*:*:*:*",
"matchCriteriaId": "6C7283FE-C10A-4E37-B004-15FB0CAC49A5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su1:*:*:*:*:*:*",
"matchCriteriaId": "FC51EEA2-1C4C-4069-9704-7ACFE4773930",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su2:*:*:*:*:*:*",
"matchCriteriaId": "E1EF5E1B-9377-49D3-9BE3-62FC78E666A3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su3:*:*:*:*:*:*",
"matchCriteriaId": "749AADDA-834D-4EC0-B7FF-E136FD1984F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su3_security_release_1:*:*:*:*:*:*",
"matchCriteriaId": "698BF7A1-62A1-45B5-BF08-AB3F3AA0245C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ivanti:endpoint_manager:2024:su4:*:*:*:*:*:*",
"matchCriteriaId": "4902A745-E7CB-4FC9-9BCB-89EFAB643237",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]