May 21, 2025

Ivanti EPMM Bugs Combine for Unauthenticated RCE in the Wild

Advisory

Kudelski Security Team

Summary

On March 13, Ivanti disclosed two vulnerabilities which affect their on-premise Endpoint Manager Mobile product: CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (an authenticated RCE vulnerability). Neither bug is critically severe on its own, with CVSS scores of 5.3 and 7.2 respectively, but chained together they give an unauthenticated remote attacker a route to execute malicious code on affected EPMM instances. Ivanti has confirmed limited in-the-wild exploitation of these bugs prior to initial disclosure, and multiple external sources, including GreyNoise and Wiz, have since confirmed ongoing in-the-wild exploitation starting on May 16, roughly coinciding with the public release of proof-of-concept code.

Affected Systems and/or Applications

Ivanti Endpoint Manager Mobile, of the following versions:

  • 11.12.0.4 and prior
  • 12.3.0.1 and prior
  • 12.4.0.1 and prior
  • 12.5.0.0 and prior

Technical Details / Attack Overview

Wiz summarizes the bugs’ technical details nicely:

“CVE-2025-4428 is a post-auth remote code execution vulnerability in EPMM’s DeviceFeatureUsageReportQueryRequestValidator. It arises from the unsafe handling of user-supplied input within error messages processed via Spring’s AbstractMessageSource, which allows attacker-controlled EL (Expression Language) injection. A crafted format parameter in the /api/v2/featureusage endpoint results in arbitrary Java code execution, confirmed via command injection (e.g., Runtime.exec()).

CVE-2025-4427 is an authentication bypass caused by improper request handling in EPMM’s route configuration. Routes like /rs/api/v2/featureusage were unintentionally exposed without requiring authentication due to missing <intercept-url> rules in Spring Security configurations. This allows unauthenticated access to the RCE sink, enabling full pre-auth RCE when chained with CVE-2025-4428. However, as noted by watchTowr, this is more accurately described as an order-of-operations flaw, as validator logic executes before authentication checks.”
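As an added illustration (not code from this advisory or from Ivanti, Wiz or watchTowr), the following Python script triages web access-log lines for the two conditions described above: requests reaching the /rs/api/v2/ or /mifs/rs/api/v2/ routes, which the advisory says are reachable without authentication, and a format parameter carrying an Expression Language delimiter. It assumes a combined access-log layout and constructed sample lines; the EPMM appliance's real log format is not given on this page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

EXPOSED_PREFIXES = ("/rs/api/v2/", "/mifs/rs/api/v2/")  # unauthenticated routes (CVE-2025-4427)
EL_MARKERS = ("${", "#{")  # EL delimiters; in "format" they point at CVE-2025-4428 abuse

# Assumed combined access-log layout; EPMM's own log format is not given on this page.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Split one log line into fields; return None when it does not match the layout."""
    if not (m := LOG_RE.match(line)):
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs percent-decodes once; unquote again so a double-encoded "${" is still seen.
    raw = parse_qs(parts.query, keep_blank_values=True)
    entry["query"] = {k: [unquote(v) for v in vs] for k, vs in raw.items()}
    return entry

def classify(entry):
    """Return a reason string when the request matches the chain, otherwise None."""
    if not entry["path"].startswith(EXPOSED_PREFIXES):
        return None
    if any(marker in v for v in entry["query"].get("format", []) for marker in EL_MARKERS):
        return "EL delimiter in 'format' parameter on an unauthenticated API route"
    if entry["path"].endswith("/featureusage"):
        return "request to /featureusage via an unauthenticated route (review)"
    return None

def triage(lines):
    """Return (source IP, path, reason) for every line worth an analyst's attention."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and (reason := classify(entry)):
            findings.append((entry["ip"], entry["path"], reason))
    return findings

# Constructed sample lines for the demonstration; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2025:10:01:02 +0000] "GET /rs/api/v2/featureusage?format=%24%7Bprobe%7D HTTP/1.1" 500 312',
    '198.51.100.4 - - [16/May/2025:10:02:15 +0000] "GET /mifs/rs/api/v2/featureusage?format=csv HTTP/1.1" 200 88',
    '192.0.2.9 - - [16/May/2025:10:03:44 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1524',
]
```

Call `triage(SAMPLE_LOG)` to get the flagged entries; a hit on the first rule is worth an immediate look, while the second rule only collects traffic on the bypassed route for review.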

Wiz has additionally shared IOCs gathered from one case of interest, the post-exploitation deployment of a Sliver implant:

IOC                                       Description
1b1dda5e8e26da568559e0577769697c624df30e  Sliver Beacon (SHA1)
ac389c8b7f3d2fcf4fd73891f881b12b8343665b  Sliver Beacon (SHA1)
79.96.45[.]181                            Sliver C2 IP Address

The C2 IP address still appears to be operational, and based on a shared certificate, the following servers are likely also operated by this actor:

  • 185.174.137[.]26
  • 46.41.134[.]8
  • 79.96.45[.]181
  • elektrobohater[.]pl
  • wagodirect[.]pl
  • e-wago[.]pl

Mitigation

Patch your EPMM instance to one of the following versions:

  • 11.12.0.5
  • 12.3.0.2
  • 12.4.0.2
  • 12.5.0.1

Until patches are applied, restrict network access to the endpoints affected by the authentication bypass, /rs/api/v2/* and /mifs/rs/api/v2/*.

What the Cyber Fusion Center is Doing

The CFC will continue to monitor the situation and send an advisory update if needed. Beyond IOC searches, investigation of additional threat hunting possibilities is ongoing.

Clients subscribed to our vulnerability scan services will receive relevant results if critical vulnerabilities are found within the scope of the scans as soon as a relevant plugin is made available by the scan provider.

Qualys IDs: 530061, 732523

Tenable ID: 235860

References

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM
https://www.ivanti.com/blog/epmm-security-update
https://www.greynoise.io/blog/ivanti-epmm-zero-days-reconnaissance-exploitation
https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-exploited-in-the-wil-cve-2025-4427-cve-2025-4
https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/