CVE-2025-10985 is an OS command injection vulnerability identified in the admin panel of Ivanti Endpoint Manager Mobile (EPMM) versions before 12.6.0.2, 12.5.0.4, and 12.4.0.4. The flaw stems from improper neutralization of special characters in OS commands (CWE-78), allowing a remote attacker who has authenticated admin privileges to inject and execute arbitrary operating system commands on the underlying server hosting the admin panel. This vulnerability enables remote code execution (RCE), which can lead to full compromise of the EPMM server, including unauthorized access to sensitive data, disruption of endpoint management services, and potential lateral movement within the network. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), but demands high privileges (PR:H) and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits are currently known, the presence of authenticated admin access as a prerequisite means that attackers who gain or already possess such credentials can leverage this vulnerability to escalate their control. Ivanti EPMM is widely used for mobile device management (MDM) in enterprise environments, making this vulnerability particularly critical for organizations relying on this product for endpoint security and management.

For European organizations, exploitation of CVE-2025-10985 could result in severe operational disruptions and data breaches. Successful attacks may lead to unauthorized disclosure of sensitive corporate and personal data managed through the EPMM platform, manipulation or deletion of endpoint configurations, and disruption of mobile device management services critical for compliance and security enforcement. This could affect sectors with high reliance on mobile device management such as finance, healthcare, government, and critical infrastructure. The ability to execute arbitrary OS commands remotely with admin privileges could also facilitate deployment of ransomware or other malware, lateral movement within corporate networks, and persistent backdoors. Given the centralized role of EPMM in managing mobile endpoints, the compromise could cascade to affect numerous devices and users, amplifying the impact. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits rapidly once details are public.

European organizations should immediately verify their Ivanti Endpoint Manager Mobile versions and upgrade to 12.6.0.2, 12.5.0.4, or 12.4.0.4 or later where the vulnerability is patched. Until patching is complete, restrict administrative access to the EPMM admin panel using network segmentation, VPNs, and IP whitelisting to limit exposure. Enforce strong multi-factor authentication (MFA) for all admin accounts to reduce the risk of credential compromise. Conduct thorough audits of admin account usage and monitor logs for suspicious activity indicative of attempted exploitation. Implement strict input validation and command sanitization where possible as an additional safeguard. Regularly back up EPMM configurations and endpoint data to enable recovery in case of compromise. Finally, maintain up-to-date threat intelligence feeds and be prepared to respond rapidly to any emerging exploit reports targeting this vulnerability.