Saved February 14, 2026
Ivanti alerted customers to a critical vulnerability in its Endpoint Manager software that allows attackers to execute code remotely via cross-site scripting. While the flaw requires user interaction, many instances of Ivanti EPM are exposed online, raising security concerns. Ivanti has released a patch to fix the issue.
Ivanti has issued a warning about a critical vulnerability in its Endpoint Manager (EPM) software, tracked as CVE-2025-10573. This flaw allows attackers to execute arbitrary JavaScript code remotely through low-complexity cross-site scripting attacks that require user interaction. An attacker with unauthenticated access to the EPM web service can introduce fake managed endpoints, which then poison the administrator's dashboard with malicious scripts. If an administrator interacts with the compromised dashboard, it triggers client-side JavaScript execution, giving the attacker control over the admin's session.
To mitigate this risk, Ivanti has released EPM 2024 SU4 SR1. Although the company states that the risk is lower because the EPM software shouldn't be exposed online, the Shadowserver threat monitoring platform reports hundreds of internet-facing EPM instances, primarily in the U.S., Germany, and Japan. In addition to this critical flaw, Ivanti also patched three high-severity vulnerabilities that could allow remote code execution on unpatched systems, and emphasized that user interaction is needed for successful exploitation.
Despite the serious nature of these vulnerabilities, Ivanti claims there was no known exploitation before the public disclosure. However, security concerns remain high, as previous vulnerabilities in EPM have been actively targeted. In March, CISA highlighted three critical EPM flaws as being exploited in attacks, and in October, it ordered U.S. agencies to patch another actively exploited vulnerability. Given this history, organizations using Ivanti's EPM software should prioritize the latest updates to protect their systems.