Impact
Ivanti Endpoint Manager Mobile contains a code injection flaw that permits attackers to inject arbitrary code and execute it without authentication. The vulnerability is identified as CWE‑94, which signifies that the software fails to properly validate or sanitize input before using it in a code context. Because the flaw allows unauthenticated users to run code, a compromised client or forged request could lead to full system compromise, data theft, or further lateral movement within the network.
Affected Systems
The affected product is Ivanti Endpoint Manager Mobile. Specific affected versions are not listed in the information provided, so all deployments of this product should be considered vulnerable until confirmed otherwise.
Risk and Exploitability
The CVSS score of 9.8 signifies critical severity. The EPSS score of approximately 0.7% indicates an extremely low predicted probability of exploitation in general. However, the vulnerability is also included in CISA’s Known Exploited Vulnerabilities catalog, confirming that active exploitation has been observed, so the low EPSS value should not be read as low risk. Based on the description, the attack vector is inferred to be through the mobile endpoint, likely via in‑app requests or API calls, and does not require prior authentication. An attacker can exploit the flaw by sending a crafted payload that is executed on the server, leading to remote code execution and full compromise of the affected system.