The flaw is a classic OS command injection (CWE‑78) that allows a remote authenticated attacker to run arbitrary commands with root privileges on Ivanti Endpoint Manager Mobile servers. By sending specially crafted input, the attacker can supply operating‑system commands that are executed by the system without proper validation, based on the description it is inferred that this can compromise confidentiality, integrity, and availability of the target system.

Ivanti Endpoint Manager Mobile (EPMM) prior to version 12.9.0.1, 12.8.0.3, and 12.7.0.2 are affected. Based on the description, it is inferred that these releases lack the necessary input sanitization that is required to prevent the injection.

The CVSS score of 7.2 indicates a high severity vulnerability. Based on the description, it is inferred that because the attack requires authentication, the threat is limited to users who have legitimate access to the EPMM console; however, compromised credentials or phishing could enable exploitation. The EPSS score of approximately 1.7% (0.01729) indicates a low but non‑zero likelihood of exploitation, and the vulnerability has not yet been listed in CISA’s Known Exploited Vulnerabilities catalog, so there is no evidence of active exploitation. Proper network segmentation and least‑privilege policies can reduce the likelihood of successful attack, but the potential impact remains significant.