Full Report
Wiz Research has observed exploitation in-the-wild of CVE-2025-4427 and CVE-2025-4428, the latest vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).
Analysis Summary
# Vulnerability: Chained Authentication Bypass and RCE in Ivanti Endpoint Manager Mobile (EPMM)
## CVE Details
- CVE ID: CVE-2025-4427, CVE-2025-4428
- CVSS Score: 5.3 (Low/Medium, base score for CVE-2025-4427); 7.2 (High, base score for CVE-2025-4428). **Combined impact treated as Critical.**
- CWE: Unspecified (Related to EL Injection and Improper Access Control)
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM)
- Versions:
  - 11.12.0.4 and prior
  - 12.3.0.1 and prior
  - 12.4.0.1 and prior
  - 12.5.0.0 and prior
- Configurations: Internet-facing appliances are prioritized targets.
## Vulnerability Description
This vulnerability is a chain of two separate flaws that together allow unauthenticated Remote Code Execution (RCE):
1. **CVE-2025-4427 (Authentication Bypass):** Improper request handling in the route configuration unintentionally exposed endpoints such as `/rs/api/v2/featureusage` without requiring authentication, because the corresponding security rules were missing. It behaves as an order-of-operations flaw: the validator logic runs before the authentication checks.
2. **CVE-2025-4428 (Post-Auth RCE Sink):** Unsafe handling of user-supplied input in error messages processed through Spring's `AbstractMessageSource` in `DeviceFeatureUsageReportQueryRequestValidator`. A crafted `format` parameter sent to the `/api/v2/featureusage` endpoint is interpolated into the error message and evaluated as Expression Language (EL), giving the attacker arbitrary Java code execution, including OS command execution through `Runtime.exec()`.
Chaining the two, CVE-2025-4427 lets an unauthenticated attacker reach the EL injection sink of CVE-2025-4428.
## Exploitation
- Status: **Exploited in the wild** (observed since May 16th, 2025, following PoC publication). Limited zero-day exploitation prior to disclosure was also noted.
- Complexity: Low (chaining the two vulnerabilities yields pre-auth RCE).
- Attack Vector: Network
## Impact
- Confidentiality: High (Due to RCE)
- Integrity: High (Due to RCE)
- Availability: High (Due to RCE)
## Remediation
### Patches
Ivanti recommends upgrading EPMM to the following fixed versions:
- 11.12.0.5
- 12.3.0.2
- 12.4.0.2
- 12.5.0.1
### Workarounds
Implement network-level restrictions on the following endpoints until patches can be applied:
- `/rs/api/v2/*`
- `/mifs/rs/api/v2/*`
## Detection
- **Indicators of Compromise (IOCs):**
  * Malicious payloads (SHA1):
    * `1b1dda5e8e26da568559e0577769697c624df30e` (Sliver Beacon)
    * `ac389c8b7f3d2fcf4fd73891f881b12b8343665b` (Sliver Beacon)
  * C2 IP address: `79.96.45[.]181`
- **Detection Methods and Tools:**
  * Security solutions should scan for vulnerable versions of Ivanti EPMM.
  * Monitor network traffic targeting the exposed endpoints for unexpected input formats or EL patterns.
  * Monitor endpoint logs for indicators of command execution (`Runtime.exec()`).
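The first two detection items above (version scanning and watching the exposed endpoints for EL patterns) can be implemented as a small defender-side script. The following is an added example, not code from Wiz Research or Ivanti. It assumes EPMM version strings are plain dotted numerics, that the web access log is in Apache/nginx combined format, and it uses constructed sample log lines (RFC 5737 documentation addresses, a benign `${7*7}` probe) rather than real traffic. The fixed versions and endpoint prefixes are taken from the advisory text above.

```python
"""Defender-side checks for the EPMM advisory: version triage and access-log scanning.

Added example, not Wiz Research or Ivanti code. Assumptions:
- EPMM version strings are dotted numerics ("12.5.0.0"); anything else is "unknown"
- access log lines are in Apache/nginx combined format (SAMPLE_LOG is constructed)
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fixed versions from the advisory, keyed by (major, minor) release branch.
FIXED_VERSIONS = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}

# Endpoint prefixes the advisory says to restrict (with or without the /mifs prefix).
EXPOSED_PATH = re.compile(r"^(/mifs)?/rs/api/v2/")

# Expression Language opener (${...} or #{...}). The advisory names the "format"
# parameter as the injection point, but any query parameter is worth flagging.
EL_OPENER = re.compile(r"[$#]\{")

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def is_vulnerable(version):
    """True if `version` predates the fixed build for its branch, False if patched,
    None if the branch is not listed in the advisory or the string is unparseable."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return None
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return None
    padded = parts + (0,) * (4 - len(parts))  # "12.5" compares as 12.5.0.0
    return padded[:4] < fixed


def inspect_request(target):
    """Findings for one request target (path plus query) against the exposed endpoints."""
    parts = urlsplit(target)
    if not EXPOSED_PATH.match(unquote(parts.path)):
        return []
    findings = []
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            # parse_qs decodes once; a second unquote catches double-encoded input
            if EL_OPENER.search(unquote(value)):
                findings.append(f"EL pattern in parameter '{key}'")
    return findings


def scan_log(lines):
    """One record per log line whose request hits an exposed endpoint with an EL opener."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        findings = inspect_request(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "status": int(m.group("status")),
                         "target": m.group("target"), "findings": findings})
    return hits


# Constructed sample lines; the second carries a URL-encoded benign ${7*7} probe
# in the format parameter, the others are ordinary traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/featureusage?format=csv HTTP/1.1" 200 0',
    '203.0.113.10 - - [16/May/2025:10:01:05 +0000] "GET /rs/api/v2/featureusage?format=%24%7B7*7%7D HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/May/2025:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    labels = {True: "vulnerable", False: "patched", None: "unknown branch"}
    for v in ("11.12.0.4", "12.5.0.1", "12.6.0.0"):
        print(v, labels[is_vulnerable(v)])
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["target"], "; ".join(hit["findings"]))
```

Point `scan_log` at real access-log lines (one string per line) to triage a fleet; a hit is a lead to correlate with the host-side indicators listed above, not proof of compromise on its own, since the probe may have been blocked or failed.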
## References
- Ivanti advisory: `forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US&ref=labs.watchtowr.com`
- WatchTowr blogpost: `labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/`
- ProjectDiscovery blogpost: `projectdiscovery.io/blog/ivanti-remote-code-execution`