Full Report
Wiz Threat Research has confirmed active in-the-wild exploitation of a vulnerability chain in Ivanti Endpoint Manager Mobile (EPMM), comprising CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (post-auth RCE). Exploited together, these flaws enable unauthenticated remot...
Analysis Summary
# Vulnerability: Chained Ivanti EPMM Unauthenticated RCE via Auth Bypass
## CVE Details
- CVE ID: CVE-2025-4427, CVE-2025-4428
- CVSS Score: Not explicitly provided, but described as posing **critical risk** when chained.
- CWE: Not explicitly provided; the root causes correspond to unsafe use of Java Expression Language (EL) and misconfigured Spring Security routing.
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM)
- Versions: EPMM 11.12.0.4, 12.3.0.1, 12.4.0.1, 12.5.0.0 and earlier.
- Configurations: N/A (The chain enables unauthenticated access).
## Vulnerability Description
This vulnerability is a chain in which **CVE-2025-4427 (Authentication Bypass)** precedes **CVE-2025-4428 (Post-Authentication Remote Code Execution)**. Exploited together they yield unauthenticated remote code execution (RCE): the authentication bypass stems from a misconfigured Spring Security routing setup, and the code execution from unsafe use of Java Expression Language (EL).
## Exploitation
- Status: **Exploited in the wild**
- Complexity: Low (Exploitation began shortly after public PoCs were released).
- Attack Vector: Network (Enables unauthenticated remote access).
## Impact
- Confidentiality: High (Evidence of MySQL database dumping observed)
- Integrity: High (Remote Code Execution confirmed, web shells deployed)
- Availability: High (Reverse shells executed, service disruption possible)
## Remediation
### Patches
- Patches are required to address this chain; specific fixed versions and release dates are not given in this summary. Consult the Ivanti advisories for the fixed builds corresponding to each affected release line (11.12.0.4, 12.3.0.1, 12.4.0.1 and 12.5.0.0).
### Workarounds
- No temporary workarounds are detailed; given the confirmed in-the-wild exploitation, immediate patching is the primary mitigation.
## Detection
- Indicators of Compromise (IOCs): Deployment of Sliver C2 beacons, MySQL database dumping activity, web shells disguised as error pages or static assets, and reverse shell execution via crafted EL payloads.
- Detection Methods and Tools: Monitor for outbound network connections indicative of C2 activity (such as Sliver beacons) and for unexpected file creation or modification within the web application directories, particularly files named `401.jsp` or `css.css`.
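The two host-side checks described above, as an added example that is not part of the Wiz report or of Ivanti's tooling: a file-system triage that flags files in a web root that carry a filename reported in the intrusion (`401.jsp`, `css.css`) or were modified after a known-good baseline, returning their SHA-256 for comparison against a clean install, and an access-log triage that flags request lines carrying Java EL expression syntax (`${` or `#{`), which is the on-the-wire shape of an EL-injection attempt. The web root contents, the baseline timestamp, the request paths and the log lines are all constructed sample data, not values from the report.

```python
"""Defensive triage helpers for the EPMM detection guidance (added example, not Wiz's or Ivanti's code)."""
import hashlib
import os
import re
import tempfile
import time
from pathlib import Path

# Filenames the report associates with web shells disguised as an error page / stylesheet.
SUSPECT_NAMES = {"401.jsp", "css.css"}

# Java EL expression delimiters; a legitimate request line should not carry these.
EL_PATTERN = re.compile(r"[$#]\{")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts do not have to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def file_triage(webroot: str, baseline_mtime: float) -> list:
    """Return findings for files under webroot that are suspiciously named or newer than the baseline.

    Each finding carries the relative path, the file hash (for comparison with a clean deployment)
    and the list of reasons it was flagged.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            p = Path(dirpath) / name
            reasons = []
            if name in SUSPECT_NAMES:
                reasons.append("name matches reported web shell filename")
            if p.stat().st_mtime > baseline_mtime:
                reasons.append("modified after baseline")
            if reasons:
                findings.append({
                    "path": str(p.relative_to(webroot)),
                    "sha256": sha256_of(p),
                    "reasons": reasons,
                })
    return sorted(findings, key=lambda f: f["path"])


def log_triage(lines) -> list:
    """Return access-log lines whose request line (first double-quoted field) contains EL syntax."""
    hits = []
    for line in lines:
        m = re.search(r'"([^"]*)"', line)
        if m and EL_PATTERN.search(m.group(1)):
            hits.append(line)
    return hits


def demo():
    """Build a constructed web root and constructed log lines, then run both checks."""
    root = tempfile.mkdtemp()
    old = time.time() - 30 * 86400          # benign files last touched a month ago
    baseline = time.time() - 7 * 86400      # last known-good review was a week ago

    (Path(root) / "index.jsp").write_text("<html>ok</html>")
    (Path(root) / "styles").mkdir()
    (Path(root) / "styles" / "main.css").write_text("body{}")
    for rel in ("index.jsp", "styles/main.css"):
        os.utime(Path(root) / rel, (old, old))
    # Suspiciously named file written "now"; the body is a constructed placeholder, not a shell.
    (Path(root) / "401.jsp").write_text("<%-- constructed placeholder --%>")

    # Constructed log lines in common log format; paths and parameters are placeholders.
    logs = [
        '10.0.0.5 - - [15/May/2025:10:00:01 +0000] "GET /app/ HTTP/1.1" 200 512',
        '10.0.0.9 - - [15/May/2025:10:00:07 +0000] "GET /app/endpoint?x=${constructed} HTTP/1.1" 500 0',
        '10.0.0.5 - - [15/May/2025:10:00:09 +0000] "GET /styles/main.css HTTP/1.1" 200 88',
    ]
    return file_triage(root, baseline), log_triage(logs)


if __name__ == "__main__":
    files, hits = demo()
    for f in files:
        print(f["path"], f["sha256"][:16], ", ".join(f["reasons"]))
    for h in hits:
        print("EL syntax in request:", h)
```

In production the baseline timestamp would be the last verified deployment or patch time, and the hashes of flagged files would be compared against a clean EPMM install rather than inspected by hand; the log check is deliberately broad (any `${` or `#{` in a request line) so that it surfaces attempts regardless of the specific parameter used.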
## References
- Vendor Advisories: Wiz Threat Research Confirmation
- Relevant Links: wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428 (Defanged)