CVE-2025-6770
📛 CVE Title
OS command injection in Ivanti Endpoint Manager
Description
OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution
Overview
- State
- PUBLISHED
- Assigner (CNA)
- ivanti
- CVSS severity
- HIGH
- CVSS score
- 7.2 / 10
- CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H- Effective score
- 7.2 / 10 HIGH source: CNA overview
- CWE(s)
-
CWE-78 - Reserved
- 2025-06-27
- Published
- 2025-07-08 17:02 UTC
- Last updated
- 2025-07-08 22:38 UTC
- Source
- https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/6xxx/CVE-2025-6770.json
- Linked Threat
- CVE-2025-6770 — OS command injection in Ivanti Endpoint Manager
NVD triage scoring NVD CVE 2.0
Layer NVD adds on top of the CNA's CVE record — published / last-modified timestamps, exploitability / impact subscores, and the FIRST.org EPSS probability that this CVE will be exploited in the wild in the next 30 days.
- NVD published
- 2025-07-08 15:15:33 UTC
- NVD last modified
- 2025-07-11 17:29:21 UTC
- NVD CVSS v3.1
- 7.2 / 10 HIGH source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
- NVD CVSS vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H- Exploitability subscore
- 1.2 / 10
- Impact subscore
- 5.9 / 10
- EPSS score
- 0.1504 (probability of exploitation in next 30 days)
- EPSS percentile
- 94.66% vs all CVEs — higher = more likely to be exploited, as of 2026-05-25
NVD / KEV / EPSS data refreshed 2026-05-25 22:23 UTC. Re-run the 🛰 Backfill from NVD button above to refresh.
European Union Vulnerability Database ENISA EUVD
ENISA's official EU repository for curated vulnerability intelligence. Carries a separate identifier (EUVD-YYYY-NNNN) and frequently exposes an earlier-published description + CVSS than NVD does.
- EUVD ID
-
EUVD-2025-20508 - Assigner
- ivanti
- Published
- Jul 8, 2025, 3:02:57 PM
- Updated
- Jul 8, 2025, 8:38:57 PM
- EUVD base score (CVSS 3.1)
-
7.2 / 10
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H - EUVD-reported EPSS
- 15.0400
- Vendors
- Ivanti
- Products
-
Endpoint Manager Mobile (patch: 12.5.0.2)
- Aliases
-
GHSA-fc23-p8qq-95qg
ENISA description: OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution
Affected products (1)
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Ivanti | Endpoint Manager Mobile |
12.5.0.2 (unaffected)
|
— |
Affected products — CPE 2.3 (1) NVD
NVD's normalized CPE 2.3 matchers, used by vendor tools (vulnerability scanners, asset managers) for automated detection. Compare with the CNA's free-text "Affected products" section above.
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
Remediations (10)
Remediations are stored against the linked Threat row; the list below is deduplicated across both pages.
-
web:dailysecurityreview.com
Chinese threat actors exploit the patched ToolShell vulnerability ( CVE - 2025 -53770) in Microsoft SharePoint, targeting various sectors globally.
2026-05-22 15:24 UTC -
web:nvd.nist.gov
An official website of the United States government Here's how you know
2026-05-22 15:24 UTC -
web:portal.msrc.microsoft.com
The Security Update Guide provides information on the latest Microsoft security updates, helping users understand and address potential vulnerabilities effectively.
2026-05-22 15:24 UTC -
web:securityaffairs.com
Microsoft patched an exploited SharePoint flaw ( CVE - 2025 -53770) and disclosed a new one, warning of ongoing attacks on on-prem servers. Microsoft released emergency SharePoint updates for two zero-day flaws, tracked as CVE - 2025 -53770 and CVE - 2025 -53771, exploited since July 18 in attacks dubbed " ToolShell." Both vulnerabilities only impact on-premises SharePoint Servers, threat actors ...
2026-05-22 15:24 UTC -
web:www.bleepingcomputer.com
Critical zero-day vulnerabilities in Microsoft SharePoint, tracked as CVE - 2025 -53770 and CVE - 2025 -53771, have been actively exploited since at least July 18th, with no patch available and at least ...
2026-05-22 15:24 UTC -
web:www.cisa.gov
. For more information see MAR-251132.c1.v1 Exploitation of SharePoint Vulnerabilities and CISA Releases Malware Analysis Report Associated with Microsoft SharePoint Vulnerabilities. Update (07/31/ 2025 ): CISA has updated this alert to provide clarification on antivirus and endpoint detection and response (EDR) solutions, and details regarding mitigations related to the IIS server. Update (07 ...
2026-05-22 15:24 UTC -
web:www.cve.org
Microsoft is aware that an exploit for CVE - 2025 -53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation.
2026-05-22 15:24 UTC -
web:www.elevenforum.com
Microsoft MSRC: RevisionChangeDate 1.0Information published07/19/25 2.0Clarified affected SharePoint product in summary07/20/25 Added fix availability guidance Provided additional protections guidance regarding: Upgrade SharePoint products to supported versions (if required)...
2026-05-22 15:24 UTC -
web:www.esri.com
Key highlights The ArcGIS Server Security 2025 update 2 is available This patch resolves 10 Medium severity vulnerabilities This security patch is cumulative, and includes fixes provided in the ArcGIS Server Security 2025 update 1.
2026-05-22 15:24 UTC -
web:www.forbes.com
Microsoft has confirmed that SharePoint Server is under mass global attack. Breaking: An emergency patch has now been released — update immediately.
2026-05-22 15:24 UTC
Vendor references (1)
References embedded in the original CVE record by the assigning CNA.
Web references (0)
DuckDuckGo results ranked by threat-intel / vendor advisory domains. Generated by the 🔎 Find references (web) button above — same flow as the Remediations search.
No web references attached yet.
NVD-tagged references (1)
Reference list NVD curates from the CNA record, vendor advisories, and third-party reports. The tag chips below are NVD's analyst-assigned categories.
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2025-6770-CVE-2025-6771?language=en_US 3c1d8aa1-5a33-4ea4-8992-aadd6440af75 Vendor Advisory
Indicators (1)
IOCs linked to the auto-promoted Threat row.
| Type | Value | VirusTotal | Attached |
|---|---|---|---|
| ipv4 |
12.5.0.2
|
no local data | 2026-05-18 21:19 UTC |
AI Forensic Analysis
Only Available for Registered Users. Sign in to view.
Raw JSON
The full cvelistV5 record. Download as CVE-2025-6770.json.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T20:38:42.430761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T20:38:57.238Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Endpoint Manager Mobile",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "12.5.0.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution <br>"
}
],
"value": "OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution"
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T15:03:05.502Z",
"orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"shortName": "ivanti"
},
"references": [
{
"url": "https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2025-6770-CVE-2025-6771?language=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "OS command injection in Ivanti Endpoint Manager",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"assignerShortName": "ivanti",
"cveId": "CVE-2025-6770",
"datePublished": "2025-07-08T15:02:57.754Z",
"dateReserved": "2025-06-27T09:26:59.888Z",
"dateUpdated": "2025-07-08T20:38:57.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}