Ivanti EPMM CVE-2025-10985 OS Command Injection: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-10985, an OS command injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) prior to versions 12.6.0.2, 12.5.0.4, and 12.4.0.4. The vulnerability allows authenticated admin users to execute arbitrary OS commands, potentially leading to remote code execution. The post covers affected version details, the technical mechanism, and vendor security history.

ZeroPath CVE Analysis

2025-10-14

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Remote code execution on a mobile device management server can lead to compromise of thousands of managed endpoints, credential theft, and lateral movement across enterprise networks. In October 2025, a high severity OS command injection vulnerability was disclosed in Ivanti Endpoint Manager Mobile (EPMM), affecting organizations in sectors such as healthcare, finance, government, and telecommunications.

Ivanti is a major vendor in the unified endpoint management and security market, with a global customer base and a portfolio that includes EPMM, Connect Secure, and Policy Secure. The company’s products are widely deployed to manage and secure mobile devices, making vulnerabilities in these platforms highly impactful for enterprise security.

Technical Information

CVE-2025-10985 is an OS command injection vulnerability in the admin panel of Ivanti Endpoint Manager Mobile (EPMM). The flaw affects versions prior to 12.6.0.2, 12.5.0.4, and 12.4.0.4. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

The vulnerability allows a remote authenticated attacker with admin privileges to supply specially crafted input to the EPMM admin panel. This input is then incorporated into operating system command execution contexts without proper sanitization or input validation. As a result, the attacker can execute arbitrary OS commands with the privileges of the EPMM application. This can lead to full system compromise, data exfiltration, or further lateral movement.

The root cause is insufficient input validation and sanitization in code paths that construct OS commands using user-supplied data. The issue is not isolated: Ivanti’s October 2025 advisory disclosed multiple similar OS command injection vulnerabilities in the same admin panel, indicating systemic weaknesses in input handling and secure coding practices. No public code snippets are available for this vulnerability.

Affected Systems and Versions

  • Ivanti Endpoint Manager Mobile (EPMM) admin panel
  • Affected versions: All versions prior to 12.6.0.2, 12.5.0.4, and 12.4.0.4
  • Only systems where an attacker can obtain admin-level authenticated access are vulnerable
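
A branch-aware version check for the fixed builds listed above, as an added example that is not Ivanti's or this post's own code. It assumes each 12.x release line is fixed at its own listed build, that lines older than 12.4 are affected, and that lines after 12.6 ship with the fix; the host inventory is constructed.

```python
# Added example: compare an EPMM version against the fixed build of its own
# release line (fixed builds taken from the list above; the rest is assumption).

FIXED_BUILDS = {  # (major, minor) -> first fixed build
    (12, 6): (12, 6, 0, 2),
    (12, 5): (12, 5, 0, 4),
    (12, 4): (12, 4, 0, 4),
}
OLDEST_FIXED_LINE = min(FIXED_BUILDS)


def parse_version(text):
    """Parse 'A.B[.C[.D]]' into a 4-tuple of ints, padding with zeros."""
    fields = text.strip().split(".")
    if not 2 <= len(fields) <= 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    nums = [int(f) for f in fields]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(version_text):
    """True if the version predates the fixed build for its release line."""
    version = parse_version(version_text)
    line = version[:2]
    if line in FIXED_BUILDS:
        return version < FIXED_BUILDS[line]
    if line < OLDEST_FIXED_LINE:
        return True   # assumption: older lines have no fixed build, so affected
    return False      # assumption: release lines after 12.6 include the fix


def triage(inventory):
    """Map host -> 'affected' / 'fixed' / 'unknown' for a {host: version} dict."""
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = "affected" if is_affected(version_text) else "fixed"
        except ValueError:
            result[host] = "unknown"  # unparseable string: check by hand
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"mdm-a": "12.6.0.1", "mdm-b": "12.5.0.5",
          "mdm-c": "12.3.0.1", "mdm-d": "12.4.0.4-7"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(host, status)
```

A single "less than 12.6.0.2" comparison would wrongly flag patched 12.5 and 12.4 builds, which is why the check is done per release line.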

Vendor Security History

Ivanti has experienced multiple high-profile vulnerabilities across its product lines in 2024 and 2025. Notable incidents include:

  • Zero-day exploits in Ivanti Connect Secure and Policy Secure appliances (CVE-2023-46805, CVE-2024-21887, CVE-2025-0282, CVE-2025-0283)
  • Active exploitation of EPMM vulnerabilities in May 2025 (CVE-2025-4427, CVE-2025-4428)
  • Clustering of similar OS command injection and path traversal vulnerabilities in EPMM admin panel code

Ivanti’s patch response has varied, with some delays noted in past incidents. The vendor has publicly committed to improving its security posture and transparency, but the repeated appearance of similar vulnerabilities indicates ongoing challenges with secure development and input validation.
