
CVE-2025-10243: Ivanti Endpoint Manager Mobile RCE Flaw

CVE-2025-10243 is a remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing authenticated admins to execute arbitrary commands. This article covers technical details, affected versions, and mitigation.


CVE-2025-10243 Overview

CVE-2025-10243 is an OS command injection vulnerability [CWE-78] in the admin panel of Ivanti Endpoint Manager Mobile (EPMM). The flaw affects EPMM versions prior to 12.6.0.2, 12.5.0.4, and 12.4.0.4. A remote authenticated attacker with administrative privileges can inject operating system commands and achieve remote code execution on the underlying host. Ivanti published the issue on October 14, 2025, in its October 2025 security advisory. The EPSS score is 21.105% with a 97.251 percentile, indicating elevated exploitation likelihood relative to other CVEs.

Critical Impact

Authenticated administrators can execute arbitrary OS commands on Ivanti EPMM servers, leading to full compromise of the mobile device management infrastructure.

Affected Products

  • Ivanti Endpoint Manager Mobile versions prior to 12.6.0.2
  • Ivanti Endpoint Manager Mobile versions prior to 12.5.0.4
  • Ivanti Endpoint Manager Mobile versions prior to 12.4.0.4

Discovery Timeline

  • 2025-10-14 - CVE-2025-10243 published to NVD and disclosed in the Ivanti October 2025 security advisory
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-10243

Vulnerability Analysis

The vulnerability is an OS command injection flaw [CWE-78] in the EPMM administrative panel. EPMM is Ivanti's mobile device management platform used by enterprises to provision, monitor, and secure mobile endpoints. Input supplied through admin panel functionality is passed to an underlying OS command interpreter without sufficient sanitization. An authenticated administrator can append shell metacharacters or chained commands to attacker-controlled parameters. The injected commands execute with the privileges of the EPMM service account on the server. Successful exploitation results in full remote code execution, providing access to managed device data, enrollment certificates, and configuration secrets.

Root Cause

The root cause is improper neutralization of special elements used in an OS command. Administrative input flows into a system command construction routine without parameterization or strict allow-list validation. Shell metacharacters such as ;, |, &, and backticks are not filtered before the command is executed by the underlying shell.

Attack Vector

Exploitation requires network access to the EPMM admin panel and valid administrative credentials. The attacker submits a crafted request to an affected admin endpoint, embedding shell commands within a vulnerable parameter. The EPMM application invokes a shell with the concatenated input, executing the injected commands. Because exploitation is post-authentication, the practical attack surface includes credential theft, insider threat, and chaining with authentication bypass vulnerabilities disclosed in the same advisory.

No verified public exploit code is available. See the Ivanti Security Advisory for vendor technical detail.

Detection Methods for CVE-2025-10243

Indicators of Compromise

  • Unexpected child processes spawned by the EPMM Java or Tomcat process, such as sh, bash, nc, curl, or wget.
  • Outbound network connections from the EPMM server to untrusted external hosts shortly after admin panel activity.
  • New or modified files in EPMM web application directories, including unrecognized scripts or webshells.
  • Admin panel access from unusual source IP addresses or outside normal change-management windows.

Detection Strategies

  • Monitor EPMM application and access logs for admin requests containing shell metacharacters (;, |, &, `, $()).
  • Alert on process lineage where the EPMM service account launches shell interpreters or system utilities.
  • Correlate administrative authentication events with subsequent process creation on the EPMM host.
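The first detection strategy above, as an added example that is not part of the original page: a small scanner that parses combined-format access log lines from a proxy in front of the admin panel, percent-decodes each query parameter (repeatedly, so double-encoded characters are not missed), and flags requests whose parameters contain the listed shell metacharacters. The log lines and the /admin/example path are constructed placeholders, not real EPMM endpoints; body parameters of POST requests are not visible in access logs and need application-level logging instead.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Shell metacharacters called out in the detection strategy above.
SHELL_META = (";", "|", "&", "`", "$(")

# Combined-log-format line (source, user, timestamp, request line, status).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded metacharacters are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding for an admin request carrying shell metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    hits = []
    # parse_qsl splits on '&' and decodes one layer; fully_decode handles the rest.
    for name, raw in parse_qsl(target.query, keep_blank_values=True):
        value = fully_decode(raw)
        found = [c for c in SHELL_META if c in value]
        if found:
            hits.append((name, value, found))
    if not hits:
        return None
    return {"src": m.group("src"), "user": m.group("user"), "ts": m.group("ts"),
            "path": target.path, "params": hits}

def scan(lines):
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample lines (placeholder path, not real EPMM logs).
SAMPLE_LOG = """\
10.0.0.5 - admin [14/Oct/2025:10:03:21 +0000] "GET /admin/example?host=mdm-01 HTTP/1.1" 200 512
203.0.113.9 - admin [14/Oct/2025:10:04:02 +0000] "GET /admin/example?host=mdm-01%3Bid HTTP/1.1" 200 740
203.0.113.9 - admin [14/Oct/2025:10:04:40 +0000] "GET /admin/example?host=x%2524(whoami) HTTP/1.1" 200 740
10.0.0.5 - admin [14/Oct/2025:10:05:10 +0000] "POST /admin/other HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```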

Monitoring Recommendations

  • Forward EPMM application, audit, and OS-level process telemetry to a centralized SIEM or data lake.
  • Baseline normal administrator workflows to surface anomalous command sequences or off-hours activity.
  • Track failed and successful logins to the admin panel and flag privilege changes on EPMM accounts.

How to Mitigate CVE-2025-10243

Immediate Actions Required

  • Upgrade Ivanti EPMM to 12.6.0.2, 12.5.0.4, or 12.4.0.4 (or later), according to the deployed maintenance branch.
  • Restrict admin panel access to trusted management networks using firewall or VPN controls.
  • Audit EPMM administrator accounts and revoke unused or stale privileged credentials.
  • Enforce multi-factor authentication for all EPMM administrative logins.

Patch Information

Ivanti has released fixed builds in versions 12.6.0.2, 12.5.0.4, and 12.4.0.4. Apply the appropriate update for your maintenance branch as described in the Ivanti Security Advisory.

Workarounds

  • Limit network exposure of the admin panel to a dedicated management VLAN or jump host.
  • Rotate administrative credentials and review recent admin activity for signs of misuse.
  • Apply least privilege to EPMM operator roles to reduce the number of accounts capable of triggering the vulnerable functionality.

```bash
# Example: restrict admin panel access at the network layer
# Replace 10.0.0.0/24 with your trusted management subnet
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
# Both rules are appended (-A), so an existing ACCEPT rule for port 443 earlier
# in the INPUT chain would still match first; review the chain before relying on this.
# This restricts all TCP/443 traffic, not only the admin panel: confirm that any
# device enrollment or check-in traffic served on the same port is still permitted.
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
