CVE-2025-6771
Published 2025-07-08. CVE-2025-6771: OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2, 12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high…
Priority: P2 · 61 · high · CVSS 3.1 base score 7.2
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.81% (96.3rd percentile)
OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2, 12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ivanti | endpoint_manager_mobile | < 12.3.0.3 | 12.3.0.3 |
| ivanti | endpoint_manager_mobile | >= 12.4.0.0 < 12.4.0.3 | 12.4.0.3 |
| ivanti | endpoint_manager_mobile | >= 12.5.0.0 < 12.5.0.2 | 12.5.0.2 |
Detection & IOCs (extracted from sources)
url: /api/ssh/config/upload
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Ivanti EPMM Authenticated OS Command Injection (CVE-2025-6771)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/api/ssh/config/upload"; fast_pattern; startswith; http.request_body; content:"ssh|2d|"; pcre:"/^[^\x0d\x0a]*?[\x3b\x26\x60\x7c\x24]/R"; reference:url,x.com/watchtowrcyber/status/1945488508820590704; reference:cve,2025-6771; classtype:web-application-attack; sid:2063559; rev:1; metadata:affected_product Ivanti, attack_target Server, created_at 2025_07_18, cve CVE_2025_6771, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
bytes: `ssh-` (hex: ssh|2d|) in the HTTP POST request body
bytes: shell metacharacters (;, &, `, |, $) following the `ssh-` prefix in the POST body; pcre: `/^[^\x0d\x0a]*?[\x3b\x26\x60\x7c\x24]/R`
- Exploit traffic uses the HTTP POST method exclusively, directed at the vulnerable endpoint.
- The injection payload begins with `ssh-` (hex: ssh|2d|) in the request body, followed by OS command injection metacharacters (;, &, `, |, $). Detections should look for this pattern in the POST body.
- The attack is classified under MITRE ATT&CK T1190 (Exploit Public-Facing Application), tactic TA0001 (Initial Access). Monitor perimeter and internal HTTP traffic to Ivanti EPMM servers.
- The attacker must be remotely authenticated with high privileges; correlate exploit attempts with prior privileged authentication events to the EPMM management interface.
- Vulnerable versions are EPMM before 12.5.0.2, 12.4.0.3 and 12.3.0.3. Ensure version checks in detection rules or asset inventory target only these affected branches.
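The detection notes above describe what the ET rule (sid 2063559) keys on: POST method, a URI that starts with `/api/ssh/config/upload`, the literal `ssh-` in the request body, and one of the listed shell metacharacters after that marker before the next CR/LF (the `/R` flag makes the pcre relative to the end of the `ssh-` content match). The following Python is an added example, not code from this page, Emerging Threats or Ivanti: it re-implements that matching logic so the rule's boundaries can be checked offline against constructed requests, for instance when tuning the rule or validating a replay in a lab. It assumes every `ssh-` occurrence in the body is tried (the engine's retry behaviour is not modelled), ignores the rule's `flow:established,to_server` state, and uses a deliberately minimal HTTP request splitter; the sample requests, hostnames and key material are constructed for the example.

```python
import re

# Constraints copied from the rule quoted on this page (sid 2063559).
TARGET_URI_PREFIX = "/api/ssh/config/upload"   # http.uri; startswith
BODY_MARKER = b"ssh-"                          # content:"ssh|2d|"
# pcre "/^[^\x0d\x0a]*?[\x3b\x26\x60\x7c\x24]/R": from the end of the 'ssh-'
# match, scan non-CR/LF bytes lazily until one of ; & ` | $ appears.
# Pattern.match(body, pos) anchors at pos, which is what the /R flag does,
# so no '^' is needed here (Python's '^' would not match at pos anyway).
METACHARS_AFTER_MARKER = re.compile(rb"[^\r\n]*?[;&`|$]")


def matches_rule(method: str, uri: str, body: bytes) -> bool:
    """Return True when a request satisfies every constraint of the rule.

    Assumption (this example's, not the engine's documented behaviour):
    each occurrence of 'ssh-' in the body is tried in turn.
    """
    if method != "POST":
        return False
    if not uri.startswith(TARGET_URI_PREFIX):
        return False
    start = 0
    while True:
        idx = body.find(BODY_MARKER, start)
        if idx == -1:
            return False
        if METACHARS_AFTER_MARKER.match(body, idx + len(BODY_MARKER)):
            return True
        start = idx + 1


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, uri, body).

    Minimal splitter for the constructed samples below; it is not a general
    HTTP parser (no chunked encoding, no header folding).
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return method.decode(), uri.decode(), body


# Constructed sample requests (hostnames and key bytes are made up).
SAMPLE_REQUESTS = [
    # 0: benign key upload, no metacharacters after 'ssh-' -> no alert
    (b"POST /api/ssh/config/upload HTTP/1.1\r\nHost: epmm.example.internal\r\n"
     b"Content-Type: text/plain\r\n\r\n"
     b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC admin@example\r\n"),
    # 1: metacharacter after the marker on the same line -> alert
    (b"POST /api/ssh/config/upload HTTP/1.1\r\nHost: epmm.example.internal\r\n"
     b"Content-Type: text/plain\r\n\r\n"
     b"ssh-rsa AAAAB3NzaC1yc2E; injected\r\n"),
    # 2: metacharacter only on a later line; the pcre stops at CR/LF -> no alert
    (b"POST /api/ssh/config/upload HTTP/1.1\r\n\r\n"
     b"ssh-rsa AAAAB3NzaC1yc2E user@host\r\n; next line\r\n"),
    # 3: same body but GET method -> no alert (rule requires POST)
    (b"GET /api/ssh/config/upload HTTP/1.1\r\n\r\nssh-rsa AAAA|x\r\n"),
    # 4: different endpoint -> no alert (URI must start with the upload path)
    (b"POST /api/other HTTP/1.1\r\n\r\nssh-rsa AAAA|x\r\n"),
]


def flag_requests(raw_requests):
    """Return the indices of requests that the rule logic would alert on."""
    return [i for i, raw in enumerate(raw_requests)
            if matches_rule(*parse_http_request(raw))]


if __name__ == "__main__":
    print("flagged sample indices:", flag_requests(SAMPLE_REQUESTS))
```

Sample 2 is the one worth keeping in mind when tuning: a metacharacter on a later line of the body does not fire the rule, because the pcre character class excludes CR and LF. Conversely, a legitimate key comment containing one of the five characters on the same line as `ssh-` would match, so alerts from this rule should be correlated with the privileged-authentication events the notes above describe rather than treated as confirmed exploitation on their own.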
Ivanti
Ivanti Security Advisory: CVE-2025-6771
vendor_ivanti · 2025-07-08 · CVSS 7.2
CVE IDs: CVE-2025-6771
CVSS Base Score: 7.2
Severity: HIGH
CWEs: CWE-78
GHSA
GHSA-7wj2-2568-6h6v: OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12
ghsa_unreviewed · 2025-07-08
Suricata
ET WEB_SPECIFIC_APPS Ivanti EPMM Authenticated OS Command Injection (CVE-2025-6771)
suricata · 2025-07-18 · CVSS 7.2
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-07-08