CVE-2025-10985: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Ivanti Endpoint Manager Mobile
OS command injection in the admin panel of Ivanti EPMM before version 12.6.0.2, 12.5.0.4, and 12.4.0.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
AI Analysis
Technical Summary
CVE-2025-10985 is an OS command injection vulnerability identified in the admin panel of Ivanti Endpoint Manager Mobile (EPMM) versions prior to 12.6.0.2, 12.5.0.4, and 12.4.0.4. The flaw arises from improper neutralization of special characters in OS commands (CWE-78), allowing a remote attacker who has authenticated admin privileges to inject and execute arbitrary operating system commands on the underlying server. This vulnerability does not require user interaction but does require high-level privileges, meaning the attacker must already have admin access to the EPMM console. Successful exploitation results in remote code execution (RCE), potentially compromising the confidentiality, integrity, and availability of the system and connected managed devices. The CVSS v3.1 base score is 7.2, reflecting high severity due to network exploitability, low attack complexity, and high impact on all security properties. Ivanti has reserved the CVE and published the vulnerability details, but no public exploits or patches are currently available at the time of this report. The vulnerability affects organizations relying on Ivanti EPMM for mobile device management, which is widely used in enterprise environments to manage and secure mobile endpoints. Attackers leveraging this vulnerability could gain control over the management infrastructure, potentially leading to widespread compromise of managed devices and sensitive corporate data.
Potential Impact
The impact of CVE-2025-10985 is significant for organizations using Ivanti Endpoint Manager Mobile as it enables remote code execution with admin privileges on the management server. This can lead to full system compromise, unauthorized access to sensitive data, disruption of mobile device management operations, and potential lateral movement within the corporate network. The compromise of the EPMM server could allow attackers to manipulate device configurations, deploy malicious payloads to managed devices, or exfiltrate confidential information. Given the central role of EPMM in enterprise mobile security, exploitation could severely undermine organizational security posture, disrupt business continuity, and result in regulatory compliance violations. Although exploitation requires admin authentication, insider threats or credential compromise scenarios increase the risk. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the critical need for remediation.
Mitigation Recommendations
To mitigate CVE-2025-10985, organizations should:
1) Monitor Ivanti’s official channels for the release of security patches for versions prior to 12.6.0.2, 12.5.0.4, and 12.4.0.4 and apply them promptly once available.
2) Restrict administrative access to the EPMM console using strong authentication mechanisms such as multi-factor authentication (MFA) and limit admin privileges to only necessary personnel.
3) Implement network segmentation and firewall rules to restrict access to the EPMM admin interface to trusted IP addresses.
4) Conduct regular audits of admin accounts and monitor logs for unusual command execution or access patterns indicative of exploitation attempts.
5) Employ application-layer firewalls or intrusion detection/prevention systems (IDS/IPS) capable of detecting command injection attempts.
6) Educate administrators on secure credential management to reduce the risk of credential compromise.
7) Consider deploying endpoint detection and response (EDR) solutions on the management server to detect anomalous behavior.
These measures combined will reduce the attack surface and improve detection and response capabilities until patches are applied.
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, Brazil, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: ivanti
- Date Reserved: 2025-09-25T16:32:56.765Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ee5f184c738d5ce3163a17
Added to database: 10/14/2025, 2:32:56 PM
Last enriched: 2/26/2026, 10:11:11 PM
Last updated: 3/23/2026, 12:47:19 PM