A critical stored cross-site scripting (XSS) vulnerability has been identified in Ivanti Endpoint Manager. This flaw allows an unauthenticated remote attacker to inject malicious code that will execute in an administrator's web browser, potentially leading to a complete compromise of the management platform and all connected endpoints. Due to the high severity and the potential for full system takeover, immediate patching is strongly recommended.

This vulnerability is a stored cross-site scripting (XSS) flaw. An unauthenticated attacker can submit specially crafted data containing a malicious script to the Ivanti Endpoint Manager application. This malicious data is then stored in the application's database. The exploit is triggered when a user with administrative privileges views the specific page or data entry containing the stored script, causing the malicious code to execute within the context of their authenticated session. This allows the attacker to bypass authentication and perform any action the administrator is authorized to, such as modifying system settings, creating new administrative accounts, or deploying malicious software to managed endpoints.

This vulnerability is rated as critical severity with a CVSS score of 9.6. Successful exploitation could lead to a complete compromise of the Ivanti Endpoint Manager, a central tool for managing an organization's IT infrastructure. The potential consequences include unauthorized access to sensitive corporate data, deployment of ransomware or other malware across the entire network of managed devices, significant operational disruption, and reputational damage. An attacker gaining administrative control over this system effectively gains a foothold to control a large portion of the organization's computing assets.

Immediate Action: The primary remediation is to upgrade all vulnerable instances of Ivanti Endpoint Manager to the patched version 2024 SU4 SR1 or a later release, as recommended by the vendor. After patching, administrators should review access and audit logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Organizations should actively monitor web server and application logs for Ivanti Endpoint Manager for unusual POST requests, especially those containing HTML tags, script elements (<script>, onerror, onload), or other common XSS payload signatures. Network traffic should be monitored for suspicious outbound connections from the EPM server. System behavior on managed endpoints should also be monitored for any unauthorized changes or software deployments.

Compensating Controls: If immediate patching is not feasible, organizations should implement compensating controls. This includes deploying a Web Application Firewall (WAF) with rules designed to detect and block XSS attacks. Network access to the Ivanti EPM management console should be strictly limited to a dedicated administrative VLAN or specific trusted IP addresses to reduce the attack surface.

Public Exploit Available: false

Given the critical CVSS score of 9.6 and the potential for a full network compromise, this vulnerability poses a severe risk to the organization. We strongly recommend that all affected Ivanti Endpoint Manager instances be updated to version 2024 SU4 SR1 on an emergency basis. While this vulnerability is not currently on the CISA KEV list, its high impact makes it a prime candidate for future inclusion. Organizations must prioritize patching to prevent potential exploitation by threat actors.