Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
A newly disclosed vulnerability in a popular security tool could lead to a complete session takeover.
A cyber security researcher at Rapid7 has uncovered a dangerous new vulnerability in the endpoint security platform Ivanti Endpoint Manager.
The vulnerability – CVE-2025-10573 – has already been patched in the latest version of the software, and Rapid7 suggests immediate remediation given what exploitation could lead to.
“An attacker with unauthenticated access to the primary EPM web service can join fake managed endpoints to the EPM server in order to poison the administrator web dashboard with malicious JavaScript,” Rapid7 said in a 10 December blog post.
Then, once an administrator views a poisoned dashboard, that interaction can trigger a JavaScript execution on the client side, with the attacker potentially gaining control of that session.
Ryan Emmons, staff security researcher at Rapid7, found the issue earlier this year and reported it to Ivanti on 15 August. About two weeks later, Ivanti was able to reproduce the vulnerability, and in September, the company requested a disclosure extension to November.
On 31 October, Ivanti requested a second extension, which Rapid7 accepted, to 9 December, when Ivanti released its own statement.
“Ivanti is dedicated to ensuring the security and integrity of our enterprise software products. We do this by providing security fixes which resolve a vulnerability without impacting the functionality that our customers depend on,” Ivanti said.
“We recognise the vital role that security researchers, ethical hackers, and the broader security community play in identifying and reporting vulnerabilities. We appreciate the work that Ryan Emmons, and the entire Rapid7 team, have done in reporting this vulnerability to Ivanti, coordinating disclosure and working with us to help protect our customers.”
You read more about how exploitation of this vulnerability works here.
Ivanti systems have been the target of several hacking campaigns this year, with Chinese hackers engaging in widespread exploitation of Ivanti Secure Connect devices in January, and another campaign targeting Ivanti Connect Secure in April.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
