CVE-2025-10985
📋 TL;DR
This CVE describes an OS command injection vulnerability in the Ivanti EPMM admin panel that allows authenticated administrators to execute arbitrary commands on the underlying operating system. An attacker holding admin credentials can achieve remote code execution, potentially compromising the entire EPMM deployment and the mobile devices it manages.
💻 Affected Systems
- Ivanti Endpoint Manager Mobile (EPMM)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the EPMM server leading to lateral movement to connected mobile devices, data exfiltration, and persistent backdoor installation across the mobile device fleet.
Likely Case
Attacker gains full control of EPMM server, can deploy malicious configurations to managed mobile devices, and access sensitive organizational data stored in EPMM.
If Mitigated
Limited impact due to network segmentation, strong authentication controls, and admin activity monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires admin credentials, but command injection vulnerabilities are typically straightforward to weaponize once discovered, so the credential requirement should not be treated as a strong barrier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.6.0.2, 12.5.0.4, or 12.4.0.4 depending on your current version
Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Endpoint-Manager-Mobile-EPMM-10-2025-Multiple-CVEs?language=en_US
Restart Required: Yes
Instructions:
1. Back up the EPMM configuration and database.
2. Download the appropriate patch version from the Ivanti support portal.
3. Apply the patch via the EPMM admin interface.
4. Restart EPMM services.
5. Verify the successful update in the admin panel.
🔧 Temporary Workarounds
Restrict Admin Panel Access
Limit EPMM admin interface access to trusted IP addresses only
Configure firewall rules to restrict access to EPMM admin port (typically 8443) from authorized management networks only
Implement Multi-Factor Authentication
Require MFA for all EPMM admin accounts
Configure EPMM to require MFA for admin login via Settings > Authentication > Multi-Factor Authentication
🧯 If You Can't Patch
- Implement strict network segmentation to isolate EPMM server from critical systems
- Enable detailed logging and monitoring of all admin panel activities and command execution
🔍 How to Verify
Check if Vulnerable:
Check the EPMM version in the admin panel under Settings > About. Compare it against the fixed release for its own branch: if the version is below 12.6.0.2, 12.5.0.4, or 12.4.0.4 (whichever applies to the installed branch), the system is vulnerable.
Check Version:
Login to EPMM admin panel and navigate to Settings > About to view version
Verify Fix Applied:
After patching, verify version shows 12.6.0.2, 12.5.0.4, or 12.4.0.4 in admin panel. Test admin functionality remains operational.
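The version comparison above is branch-aware: a 12.5.0.4 build is fixed even though it is numerically below 12.6.0.2, while 12.6.0.1 is not. As an added example (not Ivanti's code or the page's own), the check below implements that logic for version strings read from Settings > About; how versions outside the three listed branches are treated is an assumption noted in the comments.

```python
"""Branch-aware fixed-version check for CVE-2025-10985 (added example, not Ivanti's code).

Fixed releases come from the advisory summary: 12.4.0.4, 12.5.0.4 and 12.6.0.2.
A build is fixed only if it is at or above the patch release for ITS OWN branch.
"""
from typing import Optional, Tuple

# Fixed versions keyed by branch (major, minor), as listed in the advisory summary.
FIXED_VERSIONS = {
    (12, 4): (12, 4, 0, 4),
    (12, 5): (12, 5, 0, 4),
    (12, 6): (12, 6, 0, 2),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '12.5.0.3' into a 4-tuple of ints, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_vulnerable(text: str) -> Optional[bool]:
    """Return True if the build is below its branch's fix, False if at/above it.

    Returns None for a branch newer than any the advisory lists (assumption: report
    'unknown' rather than guess). Branches older than 12.4 are below every listed
    fix and are therefore flagged vulnerable, matching the advisory's wording.
    """
    version = parse_version(text)
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return version < FIXED_VERSIONS[branch]
    if branch < min(FIXED_VERSIONS):
        return True
    return None


if __name__ == "__main__":
    for v in ("12.6.0.1", "12.6.0.2", "12.5.0.4", "12.4.0.3", "12.3.1.0", "12.7.0.0"):
        print(v, "->", {True: "VULNERABLE", False: "patched", None: "unknown branch"}[is_vulnerable(v)])
```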
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns in EPMM logs
- Multiple failed admin login attempts followed by successful login
- Unexpected system commands executed from EPMM processes
Network Indicators:
- Unusual outbound connections from EPMM server
- Traffic to unexpected ports from EPMM admin interface
SIEM Query:
source="epmm" AND (event_type="command_execution" OR event_type="admin_login") | stats count by user, command