Critical Ivanti EPM Vulnerability Admin Session Hijack via Stored XSS


Ivanti Endpoint Manager (EPM) sits at the heart of many enterprises’ remote administration stacks, handling everything from patch deployment to compliance reporting. It gives security teams a single pane of glass to view device health, run vulnerability scans, and push software updates across thousands of endpoints. Because of this central role, any weakness in EPM can ripple through an entire organization, turning a single compromised instance into a command and control pivot point.

When Authentication Is a Bypass: The Core of the Issue

In early December, security researchers uncovered a flaw that allows attackers to inject malicious JavaScript into the EPM web dashboard without needing any credentials. The flaw, catalogued as CVE-2025-10573, carries a CVSS score of 9.6, placing it squarely in the "critical" range. This is the kind of finding that belongs not only in a security bulletin but also in your incident-response playbook.

Attack Path: From Unauthenticated Input to Full Admin Control

The vulnerability is rooted in the “incomingdata” API endpoint, which accepts device scan data from endpoints. The API lacks proper authentication checks, so anyone on the network can send data to it. Behind the scenes, a CGI binary called postcgi.exe writes the scan payload to a temporary directory. Researchers discovered that fields such as Device ID, Display Name, and OS Name can be leveraged to embed JavaScript. When an administrator later views the affected device in the EPM console, the browser executes the injected script in the context of the admin session.

Why Stored XSS Is a Devastating Tool

Once the script runs, it can hijack the admin’s session cookie, effectively stealing the session and granting the attacker full administrative privileges. From there, the attacker can issue remote commands, install rogue software, or pivot further into the network. The key point is that the attack requires no prior access or credentials; it simply exploits a flaw in how data is accepted and displayed.

Discovery, Fix, and the Path Forward

Rapid7’s staff researcher Ryan Emmons first identified the flaw while dissecting Ivanti EPM 11.0.6 Core on a Windows Server 2022 environment. The issue exists in all releases of EPM 2024 SU4 and earlier. Ivanti addressed the problem in the 2024 SU4 SR1 patch, released on December 9, 2025. The patch removes the unauthenticated processing path and sanitizes all user‑supplied fields before rendering them in the dashboard.

Technical Deep Dive: The CGI Connection

At the heart of the vulnerability is the CGI binary postcgi.exe, which writes device-scan files to a folder without verifying the origin of the request. Because the API accepts any POST request, an attacker can craft a payload that includes a script tag with JavaScript code. When the admin loads a page that references the stored scan data, the script executes in the admin's browser. The same-origin policy offers no protection here: the injected script is served from the EPM console's own origin, so it runs with the same access to the session as the console's legitimate code.
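The injection and rendering path described above, and the output encoding the patch is described as adding, shown as an added Python example that is not Ivanti's or Rapid7's code. It assumes a simplified scan record with the three fields the article names (device_id, display_name, os_name), a triage check that flags records carrying markup, and the vulnerable rendering pattern beside its hardened form; the sample records are constructed.

```python
import html
import re

# Scan-record fields the article names as attacker-controlled and later rendered in the console.
RENDERED_FIELDS = ("device_id", "display_name", "os_name")

# Markup that never belongs in an inventory string: a tag opener, an on* event handler, a javascript: URL.
MARKUP = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def flag_scan_record(record: dict) -> list:
    """Return the rendered fields of one scan record that contain HTML/script markup."""
    return [f for f in RENDERED_FIELDS if MARKUP.search(str(record.get(f, "")))]

def render_device_row_unsafe(record: dict) -> str:
    """The vulnerable pattern: stored field values interpolated straight into HTML."""
    cells = "".join(f"<td>{record.get(f, '')}</td>" for f in RENDERED_FIELDS)
    return f"<tr>{cells}</tr>"

def render_device_row(record: dict) -> str:
    """The hardened pattern: every field is HTML-encoded at the output boundary, so a
    stored '<script>' reaches the browser as '&lt;script&gt;' and is displayed as text."""
    cells = "".join(f"<td>{html.escape(str(record.get(f, '')), quote=True)}</td>"
                    for f in RENDERED_FIELDS)
    return f"<tr>{cells}</tr>"

def triage(records: list) -> dict:
    """Map device_id -> offending fields for every record that carries markup."""
    hits = {}
    for r in records:
        bad = flag_scan_record(r)
        if bad:
            hits[r.get("device_id", "?")] = bad
    return hits

# Constructed sample records (hypothetical devices, no real EPM data): the second carries a
# harmless XSS canary in Display Name, the third an attribute breakout with an event handler in OS Name.
SAMPLE_SCANS = [
    {"device_id": "WS-0001", "display_name": "Finance Laptop 01", "os_name": "Windows 11"},
    {"device_id": "WS-0002", "display_name": "<script>alert(1)</script>", "os_name": "Windows 10"},
    {"device_id": "WS-0003", "display_name": "Lab Box", "os_name": 'Win10" onmouseover="alert(1)'},
]

if __name__ == "__main__":
    for dev, fields in triage(SAMPLE_SCANS).items():
        print(f"{dev}: markup in {', '.join(fields)}")
    print(render_device_row(SAMPLE_SCANS[1]))
```

The triage check is a review aid for scan data already stored on a core server; the real fix remains the vendor patch, since encoding at render time does nothing about the unauthenticated submission path itself.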

Patch and Mitigation Steps

Ivanti advises all customers to apply the 2024 SU4 SR1 update immediately. In addition, administrators should disable or restrict the “incomingdata” endpoint for any devices that do not require scan data submission. Rapid7 will include the vulnerability check in its December 9 content release for Exposure Command, InsightVM, and Nexpose customers, giving them an automated way to verify compliance.

Why This Vulnerability Is a Red Flag for Security Teams

There are three reasons why this flaw should be treated with the highest urgency: first, the lack of authentication makes it trivial for an attacker on the same network to exploit; second, the damage scope is enormous, granting full admin rights; and third, the attack's complexity is low, meaning even an unskilled attacker could mount it with minimal effort. The combination of high impact and low effort is the hallmark of a "must-patch" vulnerability.

Looking Ahead: Strengthening the Endpoint Management Ecosystem

Endpoint management platforms are increasingly becoming the target of sophisticated attackers. The Ivanti EPM incident underscores the importance of secure API design, strict input validation, and least-privilege principles. Security teams should audit their own management consoles for similar unauthenticated data paths and consider browser-enforced mitigations such as a Content Security Policy, which limits what an injected script can do even when output encoding is missed. Moving forward, the industry must embrace a culture where security is baked into the product lifecycle, not bolted on after the fact. By staying proactive, organizations can turn what might have been a single point of compromise into a resilient, well-guarded asset.
