Archive for Ivanti

Here We Go Again With Another Critical Ivanti Endpoint Manager Bug

Posted in Commentary with tags on December 9, 2025 by itnerd

I feel like this is Groundhog Day, as we have yet another critical Ivanti Endpoint Manager bug to deal with.

This time around, versions 2024 SU4 and below are vulnerable to a stored cross-site scripting flaw that lets attackers remotely execute JavaScript code. It is tracked as CVE-2025-10573 with a CVSS score of 9.6 out of 10. The vulnerability was patched on December 9, 2025, so you should patch all the things now.

Details can be found here: https://www.rapid7.com/blog/post/cve-2025-10573-ivanti-epm-unauthenticated-stored-cross-site-scripting-fixed/

Ensar Seker, CISO at threat intel company SOCRadar, commented:

“This latest Ivanti Endpoint Manager flaw underscores a persistent reality in enterprise environments: even widely trusted endpoint solutions can become high-value targets. While CVE-2025-10573 is ‘just’ a stored XSS vulnerability, its exploitation potential, especially when combined with social engineering, can be significant. Remote code execution via JavaScript injection is no longer theoretical in supply chain attacks; it’s become operationally viable. The fact that this requires user interaction doesn’t reduce its threat level when attackers are targeting IT admins or helpdesk interfaces. Organizations must act swiftly to patch, and more importantly, implement rigorous user interface sanitization and privilege segmentation.”

Ivanti users really need to be concerned, given the rather bad track record of Ivanti products when it comes to security. That unfortunate fact makes you less secure, which of course is a problem, and one that you may not be able to rely on Ivanti to do anything about.

Ivanti vulnerabilities being actively chained in the wild

Posted in Commentary with tags on May 21, 2025 by itnerd

Wiz researchers report that two recently patched Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities—CVE-2025-4427 and CVE-2025-4428—are being actively chained in the wild to achieve unauthenticated remote code execution (RCE). The first flaw is an authentication bypass stemming from misconfigured Spring framework routing, while the second involves unsafe handling of Java Expression Language in error messages, allowing arbitrary code execution. Although each vulnerability is individually rated medium severity, their combination creates a critical exploitation path. Attackers are deploying Sliver beacons to known malicious infrastructure also used against Palo Alto PAN-OS products, suggesting targeted, opportunistic exploitation across vulnerable platforms. Ivanti issued patches on May 13, but organizations not filtering access to the affected APIs remain at elevated risk.

Wade Ellery, Field CTO at Radiant Logic, had this to say:

“This is a textbook example of how low-to-moderate vulnerabilities can escalate into high-impact breaches when chained together. It’s also a reminder that the complexity and interdependencies throughout today’s IT infrastructure create almost continuous opportunities for attack. Given these vulnerabilities, it is even more critical that the last line of defense to a breach, the identity-first security layer, be as fortified as possible. Identity observability provides a 360-degree view and active management of identity data attack vectors when proactively deployed and maintained. Attackers continue to innovate, but without the ability to compromise account access their impact is severely blunted.”

This underscores the need to “patch all the things” the moment patches become available, as threat actors will simply do what’s illustrated here. Which isn’t good if you haven’t patched all your gear.

Ivanti Warns of New Zero-Day Attacks Hitting Connect Secure Among Other Products

Posted in Commentary with tags on January 9, 2025 by itnerd

Ivanti yesterday raised the alarm for a pair of remotely exploitable vulnerabilities in its enterprise-facing products and warned that one of the bugs has already been exploited in the wild.

Ivanti has released an update that addresses one critical and one high-severity vulnerability in Ivanti Connect Secure, Policy Secure and ZTA Gateways. Successful exploitation of CVE-2025-0282 could lead to unauthenticated remote code execution. CVE-2025-0283 could allow a local authenticated attacker to escalate privileges.

Martin Jartelius, CISO at Outpost24, commented:

“Last time we had an Ivanti zero-day exploitation, the attackers shifted to their active/destructive phase as the patch became available. So, anyone impacted should firstly patch at once, and secondly review their readiness in incident response and keep extra eyes on their monitoring for the near future. Many still remember the Akira breach against Tietoevry in Sweden and its cascading impact on organizations and government agencies as the impacted organization was a service provider.”

Ivanti yet again makes the news for all the wrong reasons. Which means that if you have any Ivanti products in your environment, you need to drop what you’re doing and patch all the things.

CISA Says To Disconnect Ivanti VPN Appliances To Avoid Pwnage

Posted in Commentary with tags on February 4, 2024 by itnerd

You might remember that Ivanti, which has had a number of zero-day vulnerabilities pop up over the last few months, disclosed two of them in its Connect Secure VPN appliances. At the same time, it disclosed that the vulnerabilities were being actively exploited. That got the attention of CISA, which in mid-January issued an emergency directive to mitigate this. But I guess that didn’t go far enough for CISA, which is now ordering this action, among others, via this supplemental direction:

As soon as possible and no later than 11:59PM on Friday February 2, 2024, disconnect all instances of Ivanti Connect Secure and Ivanti Policy Secure solution products from agency networks.

I am guessing that CISA took this action because of a third actively exploited zero-day in these VPN appliances that Ivanti disclosed. It’s really looking like these VPN appliances cannot be trusted, so pulling them from service is likely the best course of action. Honestly, Ivanti has a lot of explaining to do, because given its very recent track record of disclosing zero-day after zero-day, its ability as a company to produce secure products is looking a bit suspect here.

Oh, I should mention that if you’re a company that uses Ivanti products, you might want to rethink that given the actions of CISA. And perhaps you should consider following its lead to avoid getting pwned.

Ivanti VPN Software Has Zero Days That Are Allowing State Sponsored Hackers To Pwn All The Things

Posted in Commentary with tags on January 11, 2024 by itnerd

Ivanti isn’t having a great new year so far. Hot on the heels of this news comes news that the company has confirmed that hackers are exploiting two critical-rated vulnerabilities affecting its widely used corporate VPN appliance. But the news is actually worse than that. Apparently there are no patches available, and the vulnerabilities are being used by state-sponsored actors to pwn companies.

Yikes!

Here are the details:

Ivanti said the two vulnerabilities — tracked as CVE-2023-46805 and CVE-2024-21887 — were found in its Ivanti Connect Secure software. Formerly known as Pulse Connect Secure, this is a remote access VPN solution that enables remote and mobile users to access corporate resources over the internet. Ivanti said it is aware of “less than 10 customers” impacted so far by the “zero day” vulnerabilities, described as such given Ivanti had zero time to fix the flaws before they were maliciously exploited.

So according to the company, “less than 10 customers” that it is aware of have been impacted by this. That means there could be way more who are impacted and either don’t know that they have been pwned, or haven’t told Ivanti that they got pwned.

That’s not good.

What’s even worse is that patches for the two vulnerabilities will be released on a staggered basis starting the week of January 22 and running through mid-February. Companies should follow Ivanti’s mitigation guidance in the meantime, and the U.S. cybersecurity agency CISA has also published an advisory on this. But you have to ask why Ivanti is waiting to roll out patches for what is clearly a today problem. I don’t know, and the company won’t say. That has to be a major concern, and perhaps it should push you to look at some other VPN or remote access solution.

If You Run Ivanti Endpoint Manager, It’s Time To Patch All The Things

Posted in Commentary with tags on January 7, 2024 by itnerd

Ivanti is urging users of its endpoint security product to patch a critical vulnerability that makes it possible for unauthenticated attackers to execute malicious code via all supported versions of Ivanti Endpoint Manager. You can find out all the details here, but here’s the TL;DR:

As part of our ongoing strengthening of the security of our products, we have discovered a new vulnerability in Ivanti EPM. We are reporting this vulnerability as CVE-2023-39336. We have no indication that customers have been impacted by this vulnerability.

This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5.

If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication. This can then allow the attacker control over machines running the EPM agent. When the core server is configured to use SQL Express, this might lead to RCE on the core server.

Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a fix available now for all supported versions. More detailed information is available in this Security Advisory.

Ars Technica took a deep dive into this vulnerability, and based on what they’ve seen, this vulnerability is as bad as it gets. I encourage you to read the article, as the severity of this will send chills down your spine. In the meantime, you need to get about patching your Ivanti Endpoint Manager instances ASAP. Because now that this is out there, you can bet that threat actors are actively exploring ways to exploit this to pwn you.

76% of Ransomware Attacks Use Old Vulnerabilities

Posted in Commentary with tags on February 21, 2023 by itnerd

A new study by Ivanti and others found that ransomware operators used a total of 344 unique vulnerabilities in attacks in 2022, an increase of 56 over the prior year. A full 76% of all vulnerabilities were from 2019 or older. The oldest vulnerabilities found were RCE bugs in Oracle products from 2012.

Top Findings for 2022

  • Kill chains impact more IT products: A complete MITRE ATT&CK kill chain now exists for 57 vulnerabilities associated with ransomware. Ransomware groups can use kill chains to exploit vulnerabilities that span 81 unique products.
  • Scanners are not detecting all threats: Popular scanners do not detect 20 vulnerabilities associated with ransomware.
  • Multiple software products are affected by open-source issues: Reusing open-source code in software products replicates vulnerabilities, such as the one found in Apache Log4j. For example, CVE-2021-45046, an Apache Log4j vulnerability, is present in 93 products from 16 vendors and is exploited by AvosLocker ransomware. Another Apache Log4j vulnerability, CVE-2021-45105, is present in 128 products from 11 vendors and is also exploited by AvosLocker ransomware.
  • Old is still gold for ransomware operators: More than 76% of vulnerabilities still being exploited by ransomware were discovered between 2010 and 2019. In 2022, of the 56 vulnerabilities tied to ransomware, 20 were discovered between 2015 and 2019.

David Maynor, Senior Director of Threat Intelligence at Cybrary, commented:

“As a person who has done both offense and defense security work, I am not surprised by these statistics. There is a public perception that these groups are wizard-level hackers, but in reality they rely on organizational sprawl for attacks.

“Scanners have never detected all exploitable threats. It’s just not possible. One of the reasons is that vendors like Oracle have had a hostile relationship with external security companies since the beginning of this century. In fact, Oracle’s CSO Mary Ann Davidson wrote a scathing blog post in 2015 about how people who find vulnerabilities in Oracle’s products should not tell the company about it. The post has been removed but was covered by Wired here: https://www.wired.com/2015/08/oracle-deletes-csos-screed-hackers-report-bugs/

“CVSS scores do mask vulnerability severity, or at least how companies use it for risk detection and mitigation. I have seen companies set SLAs on producing threat intel reports based solely on the CVSS score. Because the reports are generally generated by regurgitating versions of other people’s reports and not hands-on testing, the threat intel manager won’t push back. This report from Ivanti highlights the typical misuse of threat intel, since actual ransomware attacks are coming from old or lower-risk attacks being chained together. CVSS is not designed to evaluate an exploit’s value to an actor’s kill chain. While the CVSS has been updated over the years, it remains an example of early-2000s thinking being used to make threat intelligence and risk decisions in 2023.

“This is why training a team to be able to do hands-on research and testing in an org’s environment is extremely important. No scanner detects all the flaws, no vendor gets every patch right, so a layered defense driven by a well-trained security team is the best way to de-risk your operations.”

Given that ransomware attacks have huge costs, I’d be looking at Mr. Maynor’s advice as well as reading this report and forming a game plan to make sure that old vulnerabilities don’t come back to haunt you.