
CVE-2025-10985: Ivanti Endpoint Manager Mobile RCE Flaw

CVE-2025-10985 is an OS command injection vulnerability in Ivanti Endpoint Manager Mobile that allows authenticated admins to execute remote code. This article covers technical details, affected versions, impact, and mitigation.

CVE-2025-10985 Overview

CVE-2025-10985 is an operating system (OS) command injection vulnerability in the admin panel of Ivanti Endpoint Manager Mobile (EPMM). The flaw affects EPMM versions before 12.6.0.2, 12.5.0.4, and 12.4.0.4. A remote authenticated attacker holding administrative privileges can inject shell commands through the admin interface and achieve remote code execution on the underlying host. The issue is tracked under CWE-78, Improper Neutralization of Special Elements used in an OS Command. Ivanti published mitigation guidance in the Ivanti Security Advisory.

Critical Impact

An authenticated administrator can execute arbitrary commands on the EPMM server, leading to full compromise of mobile device management infrastructure and downstream enrolled devices.

Affected Products

  • Ivanti Endpoint Manager Mobile prior to 12.6.0.2
  • Ivanti Endpoint Manager Mobile prior to 12.5.0.4
  • Ivanti Endpoint Manager Mobile prior to 12.4.0.4

Discovery Timeline

  • 2025-10-14 - CVE-2025-10985 published to the National Vulnerability Database
  • 2025-10-15 - Last updated in NVD database

Technical Details for CVE-2025-10985

Vulnerability Analysis

The vulnerability resides in the EPMM administrative panel, where user-supplied input is passed to an OS command interpreter without sufficient sanitization. An attacker who has already authenticated with admin privileges can append shell metacharacters or chained commands to a parameter the application later evaluates in a system shell. The result is command execution under the privileges of the EPMM web service account on the appliance.

EPMM is deployed as a mobile device management (MDM) platform that holds device inventory, certificates, configuration profiles, and credentials. Code execution on the appliance therefore exposes secrets used to push policy to enrolled endpoints. The exploitation prerequisite of administrative authentication limits opportunistic attacks but does not protect against insider misuse, credential theft, or chaining with separate authentication weaknesses.

Root Cause

The root cause is improper neutralization of special elements in input that reaches an OS command construct (CWE-78). The admin panel concatenates attacker-controlled values into a shell command string rather than using parameterized process execution APIs or strict allow-list validation.
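The two shapes the root cause contrasts, shown as an added Python illustration that is not Ivanti's code and reproduces no EPMM endpoint: the hostname field and the ping diagnostic are assumed stand-ins for an admin-panel parameter that reaches a shell, and the hardened form applies the allow-list and argv-style execution the text recommends.

```python
import re
import subprocess
from typing import List

# Hypothetical admin-panel action: the advisory names no EPMM parameter or
# command, so the "hostname" field and the "ping" diagnostic are stand-ins.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def build_command_vulnerable(hostname: str) -> str:
    """CWE-78 shape: the untrusted value is spliced into one shell string.
    Returned rather than run so the injected tokens can be inspected."""
    return "ping -c 1 " + hostname  # a shell=True call here would honour ; | & `


def validate_hostname(hostname: str) -> str:
    """Strict allow-list: letters, digits, dots and hyphens only."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError("hostname rejected by allow-list")
    return hostname


def build_command_hardened(hostname: str) -> List[str]:
    """Parameterized form: an argv list, no shell, value validated first.
    Each element reaches the OS as one argument, so ';' or '$(' are inert."""
    return ["ping", "-c", "1", validate_hostname(hostname)]


def run_diagnostic(hostname: str, timeout: float = 5.0) -> int:
    """Execute the hardened form; shell=False is the default, kept explicit."""
    argv = build_command_hardened(hostname)
    result = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)
    return result.returncode
```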

Attack Vector

The attack is network-reachable and requires high privileges with no user interaction. An authenticated administrator submits a crafted request to a vulnerable admin endpoint, embedding shell separators such as ;, |, &&, or backticks within an affected parameter. The injected payload executes when the backend invokes the system shell.

No public proof-of-concept exploit code is available at the time of writing. The EPSS score is approximately 21.1% (97th percentile), indicating elevated likelihood of exploitation activity emerging.

Detection Methods for CVE-2025-10985

Indicators of Compromise

  • Unexpected child processes spawned by the EPMM Tomcat or Java service account, particularly sh, bash, nc, curl, wget, or python.
  • Outbound network connections from the EPMM appliance to unfamiliar hosts shortly after admin panel activity.
  • New cron entries, SSH authorized keys, or files written to writable directories such as /tmp or the EPMM application directories.

Detection Strategies

  • Monitor EPMM application logs and web access logs for administrative requests containing shell metacharacters (;, |, &, `, $()) in parameter values.
  • Correlate admin panel POST requests with process creation events on the host using endpoint telemetry.
  • Alert on any process lineage where the EPMM Java process is the parent of a shell interpreter.
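The first detection strategy above, carried out over constructed access-log lines as an added example that is not from the page or from Ivanti; the /admin/ route, user names and addresses are placeholders, since the page names no EPMM paths.

```python
import re
from urllib.parse import parse_qsl, unquote

# Shell metacharacters listed in the detection guidance: ; | & ` $(
METACHAR_RE = re.compile(r"[;|&`]|\$\(")

# Common/combined access-log prefix: src ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_params(target):
    """Return {param: decoded value} for query values holding metacharacters.
    parse_qsl percent-decodes once; the extra unquote catches double encoding."""
    _, _, query = target.partition("?")
    hits = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)
        if METACHAR_RE.search(decoded):
            hits[key] = decoded
    return hits

def scan_admin_log(lines, admin_prefix="/admin/"):
    """One alert per admin-panel request carrying suspicious parameter values.
    admin_prefix is a placeholder: the real EPMM admin route is not on the page."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(admin_prefix):
            continue
        hits = suspicious_params(m["target"])
        if hits:
            alerts.append({"src": m["src"], "user": m["user"],
                           "ts": m["ts"], "params": hits})
    return alerts

# Constructed sample lines (not real EPMM logs): paths, users and IPs are placeholders.
SAMPLE_LOG = [
    '10.10.20.5 - admin [14/Oct/2025:10:01:02 +0000] "GET /admin/diag?host=mdm01.corp.internal HTTP/1.1" 200 512',
    '10.10.20.5 - admin [14/Oct/2025:10:03:11 +0000] "GET /admin/diag?host=mdm01%3Bid HTTP/1.1" 200 640',
    '203.0.113.7 - - [14/Oct/2025:10:04:30 +0000] "GET /static/app.js?v=1%7C2 HTTP/1.1" 200 9001',
    '10.10.20.9 - svc-admin [14/Oct/2025:10:05:45 +0000] "GET /admin/diag?host=mdm02%253Bid HTTP/1.1" 500 128',
]

if __name__ == "__main__":
    for alert in scan_admin_log(SAMPLE_LOG):
        print(alert)
```

The third sample line carries a metacharacter but is outside the admin prefix, so it is scoped out rather than alerted; the fourth is double-encoded and is still caught.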

Monitoring Recommendations

  • Forward EPMM audit logs, syslog, and host process telemetry to a centralized SIEM for retention and correlation.
  • Track administrator login events, source IPs, and session durations, and flag logins from unexpected geolocations or service accounts.
  • Baseline normal outbound traffic from the EPMM appliance and alert on deviations.

How to Mitigate CVE-2025-10985

Immediate Actions Required

  • Upgrade Ivanti EPMM to 12.6.0.2, 12.5.0.4, or 12.4.0.4 or later as documented in the vendor advisory.
  • Restrict access to the EPMM admin panel to a management VLAN, VPN, or jump host, and block direct internet exposure.
  • Rotate administrator credentials and review the admin account list to remove unused or shared accounts.

Patch Information

Ivanti has released fixed versions 12.6.0.2, 12.5.0.4, and 12.4.0.4. Refer to the Ivanti Security Advisory for upgrade paths, release notes, and additional CVEs addressed in the same bulletin.

Workarounds

  • Enforce multi-factor authentication for all administrative EPMM accounts to reduce the risk of credential-based exploitation.
  • Limit admin panel reachability with network access control lists and host-based firewall rules until patches are deployed.
  • Audit recent admin actions and configuration changes to identify any signs of pre-patch abuse.
```bash
# Example: restrict EPMM admin panel access to a management subnet using iptables.
# Rule order matters: the ACCEPT for the management subnet must precede the DROP.
iptables -A INPUT -p tcp --dport 443 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
