Ivanti EPMM CVE-2025-10243: Brief Summary of OS Command Injection in Admin Panel

This post provides a brief summary of CVE-2025-10243, an OS command injection vulnerability in the Ivanti Endpoint Manager Mobile (EPMM) admin panel affecting versions before 12.6.0.2, 12.5.0.4, and 12.4.0.4. The vulnerability allows remote code execution by authenticated admin users. The post covers technical details, affected versions, and vendor security history.

ZeroPath CVE Analysis

2025-10-14

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.


Introduction

Remote code execution through a trusted management interface can undermine the security of thousands of managed devices in an enterprise. CVE-2025-10243 demonstrates this risk in Ivanti Endpoint Manager Mobile (EPMM), where a flaw in the admin panel exposes organizations to OS command injection by authenticated admin users.

Ivanti is a leading vendor in endpoint and mobile device management, with EPMM widely deployed in healthcare, finance, government, and other critical sectors. The platform's central role in device policy enforcement and configuration makes vulnerabilities in its admin interface particularly impactful.

Technical Information

CVE-2025-10243 is an OS command injection vulnerability classified under CWE-78. The flaw exists in the admin panel of Ivanti Endpoint Manager Mobile (EPMM) prior to versions 12.6.0.2, 12.5.0.4, and 12.4.0.4. An authenticated attacker with admin privileges can supply crafted input to administrative functions, resulting in arbitrary operating system commands being executed by the backend with the privileges of the EPMM application.

The root cause is insufficient input validation in one or more admin panel features that pass user-supplied data to OS command execution routines. This allows attackers to inject shell metacharacters and additional commands. Exploitation requires valid admin credentials, but once authenticated, the attack complexity is low. There are no public code snippets or detailed vulnerable parameter names available as of this writing.

Affected Systems and Versions

  • Ivanti Endpoint Manager Mobile (EPMM) admin panel
  • Versions prior to 12.6.0.2
  • Versions prior to 12.5.0.4
  • Versions prior to 12.4.0.4

Only on-premises EPMM deployments are affected. Ivanti Neurons for MDM (cloud-based) and other Ivanti products are not impacted.
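To turn the fixed-version list above into a patch-status check, the following added example (not code from ZeroPath or Ivanti) triages an inventory of on-premises EPMM servers against the three fixed builds. The function names, the `host,version` CSV layout, the sample hosts, and the treatment of branches outside 12.4 to 12.6 are assumptions made for illustration.

```python
import csv, io, re

# Fixed builds per release branch, as listed on this page.
FIXED = {(12, 4): (12, 4, 0, 4), (12, 5): (12, 5, 0, 4), (12, 6): (12, 6, 0, 2)}

def parse_version(text):
    """Extract the first dotted version in text as a 4-tuple of ints (zero-padded)."""
    m = re.search(r"\d+(?:\.\d+){1,3}", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def status(version_text):
    """Return 'affected' or 'patched' for one EPMM version string."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        # Compare only within the branch: 12.5.0.4 is patched although it sorts below 12.6.0.2.
        return "affected" if v < FIXED[branch] else "patched"
    # Assumption: branches older than 12.4 have no fixed build and count as
    # affected; branches newer than 12.6 are taken to include the fix.
    return "affected" if branch < min(FIXED) else "patched"

def triage(inventory_csv):
    """Map host -> status for a 'host,version' CSV; unparsable rows need manual review."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            result[row["host"]] = status(row["version"])
        except ValueError:
            result[row["host"]] = "unknown"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,version
epmm-core-01,12.5.0.3
epmm-core-02,12.5.0.4
epmm-dr-01,12.6.0.1 Build 7
epmm-lab-01,12.3.0.2
epmm-new-01,12.6.0.2
epmm-old-ui,not reported
"""

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:14} {verdict}")
```

Hosts reported as `unknown` should be checked by hand rather than assumed patched.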

Vendor Security History

Ivanti has experienced multiple high-severity vulnerabilities in EPMM and related products throughout 2024 and 2025. Notably, CVE-2025-4427 and CVE-2025-4428 (also OS command injection flaws) were actively exploited by advanced threat actors, including China-nexus groups. The company has improved its patch response cadence, but recurring input validation issues remain a concern.
