Print - 【Vulnerability Alert】Two Critical Security Vulnerabilities Found in Ivanti EPM (CVE-2025-10573) (CVE-2025-13659)

【Vulnerability Alert】Two Critical Security Vulnerabilities Found in Ivanti EPM (CVE-2025-10573) (CVE-2025-13659)

publish date : 2025-12-19 update date : 2025-12-19

Source: Ministry of education information & communication security contingency platform

"" "" ""


Publication Number	TACERT-ANA-2025121601125252	Publication Time	2025/12/16 13:09
Incident Type	ANA-Vulnerability Alert	Discovery Time	2025/12/16 13:09
Impact Level	Low
[Subject] 【Vulnerability Alert】Two Critical Security Vulnerabilities Found in Ivanti EPM (CVE-2025-10573) (CVE-2025-13659)
[Content] Forwarded from TWCERTCC-200-202512-00000004 Ivanti Endpoint Manager (EPM) is a device management system designed to manage and protect Windows, macOS, and Linux devices. 【CVE-2025-10573, CVSS: 9.6】This is a stored cross-site scripting (XSS) vulnerability that allows remote unauthenticated attackers to execute arbitrary JavaScript code within an administrator’s session. 【CVE-2025-13659, CVSS: 8.8】This is an arbitrary file write vulnerability. Due to improper control over dynamically managed code resources, remote unauthenticated attackers are able to write arbitrary files to the server, which may lead to remote code execution. Information Sharing Level: WHITE (Information content can be publicly disclosed)
[Affected Platform] EPM versions up to and including 2024 SU4
[Recommended Actions] Please update to the following version: EPM 2024 SU4 SR1
[Reference]

(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw

Organizer: Computer Center