Full Report
Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution. The vulnerabilities in question are listed below:
- CVE-2025-4427 (CVSS score: 5.3) - An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials
Analysis Summary
# Vulnerability: Chained RCE in Ivanti Endpoint Manager Mobile (EPMM)
## CVE Details
- CVE ID: CVE-2025-4427, CVE-2025-4428
- CVSS Score: 5.3 (Low/Medium) for CVE-2025-4427; 7.2 (High) for CVE-2025-4428
- CWE: Not explicitly mentioned, but involves Authentication Bypass and RCE.
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM) (On-premise version only)
- Versions:
  - 11.12.0.4 and prior
  - 12.3.0.1 and prior
  - 12.4.0.1 and prior
  - 12.5.0.0 and prior
- Configurations: Affects the on-prem EPMM product. **Not present** in Ivanti Neurons for MDM, Ivanti Sentry, or other Ivanti products.
## Vulnerability Description
The vulnerability involves a chain of two security flaws in Ivanti EPMM software, which relies on two integrated open-source libraries (names not disclosed).
1. **CVE-2025-4427 (CVSS 5.3 / Authentication Bypass):** Allows attackers to bypass authentication mechanisms and access protected resources.
2. **CVE-2025-4428 (CVSS 7.2 / Remote Code Execution):** Exploits the initial bypass to allow attackers to execute arbitrary code on the target system.
The combined chain results in **Remote Code Execution (RCE)**.
## Exploitation
- Status: Exploited in the wild (reported as a "very limited number of customers" exploited at the time of disclosure).
- Complexity: Not explicitly detailed, but the chaining suggests technical skill is required.
- Attack Vector: Implied to be network-based due to RCE capability over the API interface.
## Impact
- Confidentiality: Unknown (but RCE suggests high potential impact)
- Integrity: High (RCE allows arbitrary code execution)
- Availability: High (RCE allows system compromise)
## Remediation
### Patches
The following fixes are available by updating to the indicated minimum version:
- Fixed in **11.12.0.5** (for versions 11.12.0.4 and prior)
- Fixed in **12.3.0.2** (for versions 12.3.0.1 and prior)
- Fixed in **12.4.0.2** (for versions 12.4.0.1 and prior)
- Fixed in **12.5.0.1** (for versions 12.5.0.0 and prior)
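The version table above is easy to misread during a fleet-wide triage, so here is an added example (not Ivanti's tooling) that maps an on-prem EPMM version string to the minimum fixed build from the advisory. It assumes that "and prior" covers every release below a branch's last vulnerable build, so a version between two listed branches is steered to the next branch's fix; hostnames in the sample inventory are constructed.

```python
"""Triage on-prem Ivanti EPMM versions against the fixed builds listed in the
advisory summary above. Added example; not Ivanti's own code."""
from typing import NamedTuple, Optional


class Branch(NamedTuple):
    prefix: tuple            # release branch, e.g. (11, 12)
    last_vulnerable: tuple   # highest build still affected on that branch
    fixed: tuple             # minimum build that carries the fix


# Ascending order matters: the first branch whose last vulnerable build is
# >= the observed version decides the upgrade target. Values from the advisory.
BRANCHES = [
    Branch((11, 12), (11, 12, 0, 4), (11, 12, 0, 5)),
    Branch((12, 3), (12, 3, 0, 1), (12, 3, 0, 2)),
    Branch((12, 4), (12, 4, 0, 1), (12, 4, 0, 2)),
    Branch((12, 5), (12, 5, 0, 0), (12, 5, 0, 1)),
]


def parse_version(text: str) -> tuple:
    """Turn '12.5' or '12.5.0.1' into a comparable tuple, padded to 4 parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed EPMM version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def fmt(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def assess(text: str) -> tuple:
    """Return (status, fixed_version). status is one of
    'vulnerable', 'patched' or 'not listed' (newer than any advised branch)."""
    v = parse_version(text)
    for b in BRANCHES:
        # Assumption: "and prior" means everything at or below the branch's
        # last vulnerable build, including earlier branches not named.
        if v <= b.last_vulnerable:
            return ("vulnerable", fmt(b.fixed))
        if v[:2] == b.prefix:  # same branch, at or above its fix
            return ("patched", None)
    return ("not listed", None)


def triage(inventory: dict) -> list:
    """Apply assess() to a {hostname: version} map, sorted by host."""
    rows = []
    for host, ver in sorted(inventory.items()):
        status, fix = assess(ver)
        rows.append((host, ver, status, fix))
    return rows


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "epmm-east": "11.12.0.3",
    "epmm-west": "12.4.0.2",
    "epmm-lab": "12.5.0.0",
    "epmm-new": "12.6.0.0",
}

if __name__ == "__main__":
    for host, ver, status, fix in triage(SAMPLE_INVENTORY):
        target = f" -> upgrade to {fix}" if fix else ""
        print(f"{host:12} {ver:10} {status}{target}")
```

A version that falls between two listed branches (for example 12.0.x) is reported as vulnerable with the next branch's fix as the target; a version above every listed branch is flagged as "not listed" rather than assumed safe, so it can be checked against the current advisory by hand.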
### Workarounds
The risk is significantly reduced if customers already filter API access using:
1. Ivanti's built-in Portal ACLs functionality.
2. An external web application firewall (WAF).
## Detection
- Indicators of Compromise (IOCs): Ivanti stated they do not have reliable IOCs associated with the malicious activity at the time of disclosure while they investigate the limited incidents.
- Detection Methods and Tools: Monitor for suspicious API access patterns (requests reaching protected resources without the expected authentication) and for anomalous activity originating from the EPMM host.
## References
- Vendor Advisory (Fixes): https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
- Vendor Blog: https://www.ivanti.com/blog/epmm-security-update
- *Note: The summary also mentions a separate related RCE vulnerability patched in Neurons for ITSM (CVE-2025-22462, CVSS 9.8), which should also be addressed.*