CVE-2025-10985 is an OS command injection vulnerability identified in the admin panel of Ivanti Endpoint Manager Mobile (EPMM), a widely used enterprise mobile device management solution. The vulnerability arises due to improper neutralization of special elements in OS commands (CWE-78), allowing crafted input to be executed as arbitrary operating system commands. This flaw affects versions prior to 12.6.0.2, 12.5.0.4, and 12.4.0.4. An attacker must have remote authenticated access with administrative privileges to exploit this vulnerability, which does not require any user interaction beyond authentication. Successful exploitation enables remote code execution (RCE) on the underlying server hosting the admin panel, potentially allowing the attacker to take full control of the system, manipulate data, disrupt services, or pivot to other network resources. The vulnerability has a CVSS v3.1 base score of 7.2, indicating high severity with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. Although no public exploits are known at this time, the presence of admin-level access as a prerequisite means that compromised credentials or insider threats could facilitate exploitation. The lack of available patches at the time of disclosure necessitates immediate risk mitigation measures. Given Ivanti EPMM's role in managing mobile endpoints, exploitation could impact device security policies and enterprise mobility management, amplifying the risk to organizational security posture.

For European organizations, this vulnerability poses a significant risk due to the potential for remote code execution on critical mobile device management infrastructure. Compromise of the Ivanti EPMM admin panel could lead to unauthorized access to sensitive corporate mobile endpoints, data leakage, disruption of mobile device management services, and lateral movement within enterprise networks. Organizations in sectors such as finance, healthcare, government, and critical infrastructure that rely heavily on mobile device management are particularly vulnerable. The breach of confidentiality, integrity, and availability could result in regulatory non-compliance under GDPR, financial losses, reputational damage, and operational downtime. Since exploitation requires admin credentials, the threat is heightened in environments with weak credential management or insufficient access controls. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits post-disclosure. The impact extends beyond the compromised server to the managed mobile devices and connected enterprise systems, potentially enabling widespread compromise.

European organizations should immediately verify their Ivanti Endpoint Manager Mobile versions and plan upgrades to versions 12.6.0.2, 12.5.0.4, or 12.4.0.4 once patches are available. Until patches are applied, restrict administrative access to the EPMM admin panel using network segmentation, VPNs, or zero-trust access controls to limit exposure. Enforce strong multi-factor authentication (MFA) for all admin accounts to reduce the risk of credential compromise. Conduct thorough audits of admin account usage and monitor logs for suspicious activity indicative of attempted exploitation. Implement strict input validation and command sanitization policies where possible in custom integrations or scripts interacting with the EPMM. Regularly update and rotate admin credentials and employ privileged access management (PAM) solutions to control and monitor elevated access. Prepare incident response plans specifically addressing potential EPMM compromise scenarios. Engage with Ivanti support and subscribe to their security advisories for timely updates and patches. Finally, conduct penetration testing and vulnerability assessments focused on the EPMM environment to identify and remediate any related weaknesses.