Detections
Analytics

CVE-2025-10573

medium

Description

Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.

References

https://www.securityweek.com/ivanti-epm-update-patches-critical-remote-code-execution-flaw/

https://thehackernews.com/2025/12/fortinet-ivanti-and-sap-issue-urgent.html

https://www.theregister.com/2025/12/09/december_2025_patch_tuesday/

https://www.bleepingcomputer.com/news/security/ivanti-warns-of-critical-endpoint-manager-code-execution-flaw/

https://securityaffairs.com/185508/hacking/ivanti-warns-customers-of-new-epm-flaw-enabling-remote-code-execution.html

https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024?language=en_US

https://forums.ivanti.com/s/article/Security-Advisory-EPM-December-2025-for-EPM-2024

Details

Source: Mitre, NVD

Published: 2025-12-09

Updated: 2025-12-11

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 6.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00108

Vulnerability Watch

Tenable Research has classified this CVE under the following Vulnerability Watch classification, which includes active and historical (inactive) classifications. You can learn more about these classifications on our blog.

Vulnerability Being Monitored