CVE-2025-6771
published 2025-07-08


Priority: P2 (61, high)
CVSS 3.1: 7.2 (High), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.81% (96.3rd percentile)

OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2, 12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution.

Affected (3 ranges)

Vendor   Product                   Version range               Fixed in
ivanti   endpoint_manager_mobile   < 12.3.0.3                  12.3.0.3
ivanti   endpoint_manager_mobile   >= 12.4.0.0, < 12.4.0.3     12.4.0.3
ivanti   endpoint_manager_mobile   >= 12.5.0.0, < 12.5.0.2     12.5.0.2

Detection & IOCs (extracted from sources)

URL: /api/ssh/config/upload

Snort rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti EPMM Authenticated OS Command Injection (CVE-2025-6771)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/ssh/config/upload"; fast_pattern; startswith; http.request_body; content:"ssh|2d|"; pcre:"/^[^\x0d\x0a]*?[\x3b\x26\x60\x7c\x24]/R"; reference:url,x.com/watchtowrcyber/status/1945488508820590704; reference:cve,2025-6771; classtype:web-application-attack; sid:2063559; rev:1; metadata:affected_product Ivanti, attack_target Server, created_at 2025_07_18, cve CVE_2025_6771, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

Bytes: ssh- (hex: ssh|2d|) in HTTP POST request body
Bytes: shell metacharacters (;, &, `, |, $) following the ssh- prefix in the POST body; pcre: /^[^\x0d\x0a]*?[\x3b\x26\x60\x7c\x24]/R
  • Exploit traffic uses HTTP POST method exclusively to the vulnerable endpoint.
  • The injection payload begins with 'ssh-' (hex: ssh|2d|) in the request body, followed by OS command injection metacharacters (;, &, `, |, $). Detections should look for this pattern in the POST body.
  • Attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application), tactic TA0001 (Initial Access). Monitor perimeter and internal HTTP traffic to Ivanti EPMM servers.
  • Attacker must be remotely authenticated with high privileges; correlate exploit attempts with prior privileged authentication events to the EPMM management interface.
  • Vulnerable versions are EPMM before 12.5.0.2, 12.4.0.3, and 12.3.0.3. Ensure version checks in detection rules or asset inventory target only these affected branches.
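To check that the rule above triggers only on the combination it describes (POST, the upload endpoint, and a metacharacter after "ssh-" on the same line), here is an added example that re-implements its matching conditions in Python and runs them over constructed requests; it is not the rule author's code and not Snort itself, and the sample requests, hostname and helper names are invented for the test.

```python
import re
from dataclasses import dataclass

# Mirrors the conditions of the Snort rule on this page (sid 2063559): method POST,
# URI starting with /api/ssh/config/upload, and a body in which "ssh-" is followed by
# a shell metacharacter (; & ` | $) before the next CR or LF (the pcre with /R).
URI_PREFIX = b"/api/ssh/config/upload"
AFTER_SSH_DASH = re.compile(rb"^[^\x0d\x0a]*?[\x3b\x26\x60\x7c\x24]")

@dataclass
class HttpRequest:
    method: bytes
    uri: bytes
    body: bytes

def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 splitter: request line, headers, blank line, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    method, uri, _version = head.split(b"\r\n", 1)[0].split(b" ", 2)
    return HttpRequest(method, uri, body)

def matches_rule(req: HttpRequest) -> bool:
    if req.method != b"POST" or not req.uri.startswith(URI_PREFIX):
        return False
    # Snort retries later "ssh-" occurrences when the relative pcre fails; do the same.
    start = 0
    while (idx := req.body.find(b"ssh-", start)) != -1:
        if AFTER_SSH_DASH.match(req.body[idx + 4:]):
            return True
        start = idx + 1
    return False

def _req(method: bytes, uri: bytes, body: bytes) -> bytes:
    return b"%s %s HTTP/1.1\r\nHost: epmm.example\r\n\r\n%s" % (method, uri, body)

# Constructed sample traffic (invented for this example, not captured data).
SAMPLES = {
    "legit_key_upload": _req(b"POST", URI_PREFIX, b"ssh-rsa AAAAB3NzaC1yc2E user@host\r\n"),
    "metachar_after_prefix": _req(b"POST", URI_PREFIX, b"ssh-rsa AAAAB3NzaC1yc2E | x\r\n"),
    "metachar_on_next_line": _req(b"POST", URI_PREFIX, b"ssh-rsa AAAAB3Nz\r\n$ comment"),
    "wrong_endpoint": _req(b"POST", b"/api/other", b"ssh-rsa AAAA | x\r\n"),
    "wrong_method": _req(b"GET", URI_PREFIX, b"ssh-rsa AAAA | x\r\n"),
}

def evaluate_samples() -> dict:
    """Returns {sample name: True if the rule would alert}."""
    return {name: matches_rule(parse_request(raw)) for name, raw in SAMPLES.items()}
```

Calling evaluate_samples() flags only metachar_after_prefix; the key upload, the request whose metacharacter sits on a later line, and the wrong-method and wrong-path requests pass, which is the rule's stated scope.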