Ivanti EPMM CVE-2025-10242 OS Command Injection: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-10242, an OS command injection vulnerability in the admin panel of Ivanti Endpoint Manager Mobile (EPMM), affecting versions before 12.6.0.2, 12.5.0.4, and 12.4.0.4. The vulnerability allows remote authenticated attackers with admin privileges to achieve remote code execution. Patch information and affected version details are included.

ZeroPath CVE Analysis

2025-10-14

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Remote code execution through a mobile device management platform's admin panel can expose every managed device in an enterprise. CVE-2025-10242 in Ivanti Endpoint Manager Mobile (EPMM) is a recent example, allowing authenticated admin users to inject arbitrary operating system commands and take full control of the EPMM server.

Ivanti is a major vendor in the unified endpoint management space, with EPMM widely used by enterprises to manage and secure mobile devices at scale. The platform is critical infrastructure for organizations in healthcare, finance, government, and other sectors where mobile device security is essential.

Technical Information

CVE-2025-10242 is an OS command injection vulnerability categorized under CWE-78. The flaw exists in the admin panel of Ivanti EPMM, where user input is not properly sanitized before being passed to operating system command execution functions. An attacker with valid admin credentials can craft input that injects arbitrary OS commands, which are then executed with the privileges of the EPMM application process.

The vulnerability is only exploitable by authenticated users with admin privileges. There are no public details about the specific injection point or the parameters affected. No public code snippets or proof of concept have been released. The vulnerability affects EPMM versions prior to 12.6.0.2, 12.5.0.4, and 12.4.0.4.

Affected Systems and Versions

The following versions of Ivanti Endpoint Manager Mobile (EPMM) are affected:

  • All versions prior to 12.6.0.2
  • All versions prior to 12.5.0.4
  • All versions prior to 12.4.0.4

Any EPMM deployment running one of these versions is vulnerable if an attacker can authenticate as an admin user. The vulnerability is present in the admin panel component.
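
The following is an added example, not code from ZeroPath or Ivanti: it triages an inventory of EPMM version strings against the fixed builds listed above, comparing versions numerically so that a branch such as 12.10 is not mis-sorted below 12.6. It assumes each fixed build applies to its own major.minor branch and that older branches have no fixed build; the hostnames and sample versions are constructed.

```python
import re

# Fixed builds from the summary above, keyed by (major, minor) release branch.
FIXED_BUILDS = {(12, 6): (12, 6, 0, 2), (12, 5): (12, 5, 0, 4), (12, 4): (12, 4, 0, 4)}

def parse_version(text):
    """Parse '12.5.0.3' or '12.5.0.3-17' into a 4-tuple of ints, zero-padded."""
    match = re.match(r"\s*(\d+(?:\.\d+){1,3})", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def classify(version_text):
    """Return 'affected', 'fixed' or 'unlisted' for one EPMM version string."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BUILDS:
        return "fixed" if version >= FIXED_BUILDS[branch] else "affected"
    if branch < max(FIXED_BUILDS):
        # Assumption: a branch with no fixed build listed stays affected.
        return "affected"
    # Newer branch than any listed: outside the stated ranges, confirm with the vendor.
    return "unlisted"

def triage(inventory):
    """Map host -> status; unparseable versions are flagged, not dropped."""
    result = {}
    for host, version_text in inventory:
        try:
            result[host] = classify(version_text)
        except ValueError:
            result[host] = "unparsed"
    return result

# Constructed inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("epmm-prod-01", "12.6.0.1"),
    ("epmm-prod-02", "12.6.0.2"),
    ("epmm-dr-01", "12.5.0.4-12"),
    ("epmm-lab-01", "12.3.0.9"),
    ("epmm-lab-02", "12.10.0.0"),
    ("epmm-old-01", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unlisted" or "unparsed" need a manual check against the vendor advisory rather than being treated as safe.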

Vendor Security History

Ivanti has experienced several critical vulnerabilities in its EPMM and other endpoint management products in recent years. Notably, CVE-2025-4427 and CVE-2025-4428 were exploited in the wild by advanced threat actors, including UNC5221. The company's patch response has sometimes been criticized for delays, and the recurring pattern of high-severity vulnerabilities points to ongoing challenges in secure development and supply chain management.
