Full Report
Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks

## Background

On May 13, Ivanti released a security advisory to address a high severity remote code execution (RCE) and a medium severity authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM) product, a mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).

| CVE | Description | CVSSv3 |
| :--- | :--- | :--- |
| CVE-2025-4427 | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability | 5.3 |
| CVE-2025-4428 | Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability | 7.2 |

## Analysis

CVE-2025-4427 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API) that is normally only accessible to authenticated users.

CVE-2025-4428 is a RCE in Ivanti’s EPMM. An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device.

An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication. Both vulnerabilities are associated with open source libraries used by the EPMM software.

Ivanti has indicated that these vulnerabilities have been exploited in the wild in a limited number of cases.

Customers that restrict API access via the Portal ACLs functionality or an external WAF have reduced exposure to these vulnerabilities.

Ivanti has credited the CERT-EU with reporting these vulnerabilities.

## Proof of concept

At the time this blog post was published, there was no public proof-of-concept available for CVE-2025-4427 or CVE-2025-4428.

## Solution

The following table details the affected and fixed versions of Ivanti EPMM for both CVE-2025-4427 and CVE-2025-4428:

| Affected Version | Fixed Version |
| :--- | :--- |
| 11.12.0.4 and prior | 11.12.0.5 |
| 12.3.0.1 and prior | 12.3.0.2 |
| 12.4.0.1 and prior | 12.4.0.2 |
| 12.5.0.0 and prior | 12.5.0.1 |

## Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2025-4427, and CVE-2025-4428 as they’re released. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify public facing assets running Ivanti EPMM by using the following filters:

## Get more information

- Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428): https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
- Join Tenable's Security Response Team on the Tenable Community.
- Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Vulnerability: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution
## CVE Details
- CVE ID: CVE-2025-4427, CVE-2025-4428
- CVSS Score: CVSSv3 5.3 for CVE-2025-4427 (authentication bypass, medium severity) and 7.2 for CVE-2025-4428 (remote code execution, high severity), as listed in the full report.
- CWE: Not specified in the provided text.
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM)
- Versions:
  - 11.12.0.4 and prior
  - 12.3.0.1 and prior
  - 12.4.0.1 and prior
  - 12.5.0.0 and prior
- Configurations: Not specified.
## Vulnerability Description
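The full report describes two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). **CVE-2025-4427** is an authentication bypass: an unauthenticated, remote attacker could gain access to the server's API, which is normally only accessible to authenticated users. **CVE-2025-4428** is a remote code execution (RCE) flaw that an authenticated attacker could exploit to execute arbitrary code. Chained together, they allow arbitrary code execution without authentication. Both are associated with open source libraries used by the EPMM software; further technical details on the root cause (e.g., injection type, entry point) are not given.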
## Exploitation
- Status: At the time of the blog post, there was **no public proof-of-concept available** for CVE-2025-4427 or CVE-2025-4428.
- Complexity: Not specified.
- Attack Vector: Implied to be remote, given the RCE designation.
## Impact
Based on the RCE designation:
- Confidentiality: Likely High
- Integrity: Likely High
- Availability: Likely High
## Remediation
### Patches
The following fixed versions resolve both CVE-2025-4427 and CVE-2025-4428:
| Affected Version | Fixed Version |
| :--- | :--- |
| 11.12.0.4 and prior | 11.12.0.5 |
| 12.3.0.1 and prior | 12.3.0.2 |
| 12.4.0.1 and prior | 12.4.0.2 |
| 12.5.0.0 and prior | 12.5.0.1 |
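To apply the table above across a fleet, the following added example (not from Ivanti or Tenable) triages EPMM version strings against the fixed versions listed on this page. It assumes the inventory supplies four-part numeric versions and treats the first three components as the release branch; the hostnames are constructed.

```python
# Fixed versions copied from the table on this page, keyed by release branch.
# Assumption: a "branch" is the first three version components.
FIXED = {
    (11, 12, 0): (11, 12, 0, 5),
    (12, 3, 0): (12, 3, 0, 2),
    (12, 4, 0): (12, 4, 0, 2),
    (12, 5, 0): (12, 5, 0, 1),
}


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part numeric version, got {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text):
    """Return 'fixed', 'affected', 'not-listed' or 'unparsed'."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unparsed"  # needs a manual look, never silently passed
    fixed = FIXED.get(v[:3])
    if fixed is not None:
        return "fixed" if v >= fixed else "affected"
    # Branch not in the table. Anything older than the newest fixed release
    # falls under an "... and prior" row, so flag it (conservative reading).
    if v < max(FIXED.values()):
        return "affected"
    return "not-listed"  # newer than every row; check the vendor advisory


def triage_inventory(inventory):
    """Map host -> (version, status) for a {host: version} inventory."""
    return {host: (ver, triage(ver)) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "mdm-a.example.internal": "11.12.0.4",
    "mdm-b.example.internal": "12.4.0.2",
    "mdm-c.example.internal": "12.2.1.0",
    "mdm-d.example.internal": "12.5",
}

if __name__ == "__main__":
    for host, (ver, status) in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:26} {ver:12} {status}")
```

Hosts reported as `unparsed` or `not-listed` are outside what the table can decide and should be checked against the vendor advisory directly.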
### Workarounds
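No workarounds are listed. The full report notes that customers that restrict API access via the Portal ACLs functionality or an external WAF have reduced exposure to these vulnerabilities.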
## Detection
- Indicators of Compromise: Not specified.
- Detection methods and tools:
  - Tenable plugins are available on the individual CVE pages for CVE-2025-4427 and CVE-2025-4428.
  - Customers can use Tenable Attack Surface Management to identify public-facing assets running Ivanti EPMM.
## References
- Vendor Advisory: forums[dot]ivanti[dot]com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en\_US
- Tenable CVE References:
  - CVE-2025-4427 plugins link (defanged): https://www[dot]tenable[dot]com/cve/CVE-2025-4427/plugins
  - CVE-2025-4428 plugins link (defanged): https://www[dot]tenable[dot]com/cve/CVE-2025-4428/plugins