Exploit Released for Ivanti Zero-Day Vulnerabilities (CVE-2025-4427 and CVE-2025-4428)

May 15, 2025

THE THREAT

On May 13th, Ivanti disclosed two zero-day vulnerabilities, CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile (EPMM). Ivanti confirmed that the vulnerabilities have been exploited in the wild in attacks affecting a limited number of its customers.

CVE-2025-4427 (CVSS: 5.3) is an authentication bypass that allows an unauthenticated attacker to reach resources that should require EPMM authentication. CVE-2025-4428 (CVSS: 7.2) is a Remote Code Execution (RCE) vulnerability that allows an authenticated attacker to run arbitrary commands via specially crafted API requests. Both flaws lie in the API component of Ivanti EPMM.

Ivanti stated that the two vulnerabilities can be chained and, if successfully exploited together, allow unauthenticated RCE on affected appliances. On May 15th, watchTowr Labs published Proof-of-Concept (PoC) exploit code for the vulnerabilities.

Because EPMM manages fleets of mobile devices, a compromised server could be used to push malicious configuration or content to every managed device. Given that PoC exploit code for CVE-2025-4427 and CVE-2025-4428 is publicly available, organizations should apply the security patches promptly to prevent compromise.

Additional information

A critical vulnerability chain has been identified in Ivanti Endpoint Manager Mobile (EPMM), combining CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution). Chained together, the two flaws allow an attacker to execute arbitrary code on the appliance without authentication. The issue centres on the /api/v2/featureusage endpoint, where improper handling of the user-supplied format parameter creates the injection point. The chain has been confirmed as actively exploited in the wild against a limited number of organizations.

Technical analysis shows that the RCE vulnerability (CVE-2025-4428) lies in the DeviceFeatureUsageReportQueryRequestValidator class, where the user-controlled format parameter is passed directly into the localizedMessageBuilder.getLocalizedMessage method. The resulting error message is interpolated as an Expression Language (EL) template, so EL syntax embedded in the format value is evaluated rather than treated as data: an EL injection that yields arbitrary Java code execution. The injected expression typically reaches Runtime.exec() by reflection from a String literal, for example:

${"".getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('command')}

What Ivanti initially described as an authentication bypass (CVE-2025-4427) appears to be an order-of-operations flaw in the application's security architecture: request validation runs before the authentication check, so an unauthenticated request can still drive the validator into the error path and trigger the EL injection through the error message. The patch includes significant changes to the security.xml file, implementing route-specific authentication controls. Organizations are strongly advised to upgrade to the patched versions (11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1); where patching must wait, Ivanti's advisory notes that filtering API access through the built-in Portal ACLs or an external WAF reduces exposure. The chain also illustrates how two moderate-severity issues (CVSS 5.3 and 7.2) combine into a critical risk when exploited together.
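The endpoint and parameter named above give defenders something concrete to hunt for. The following Python script is an added example, not code from this advisory, from Ivanti or from watchTowr: it scans web-server access logs for requests to /api/v2/featureusage whose format query parameter carries EL delimiters or the reflection chain used to reach Runtime.exec(), unwrapping single and double percent-encoding first so that encoded payloads are not missed. The log lines embedded in it are constructed for illustration in Apache combined format and are not real EPMM logs; the marker list and field names are my own choices.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format) for illustration
# only; they are not real EPMM logs. The endpoint and parameter name are the
# ones named in the advisory; the addresses, user agents, timestamps and
# status codes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2025:10:01:12 +0000] "GET /api/v2/featureusage?format=json HTTP/1.1" 401 0 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2025:10:02:45 +0000] "GET /api/v2/featureusage?format=%24%7B%22%22.getClass%28%29.forName%28%27java.lang.Runtime%27%29%7D HTTP/1.1" 500 1203 "-" "python-requests/2.31"
203.0.113.7 - - [15/May/2025:10:03:01 +0000] "GET /api/v2/featureusage?format=%2524%257B7*7%257D HTTP/1.1" 500 1190 "-" "curl/8.4.0"
10.0.0.9 - - [15/May/2025:10:04:30 +0000] "GET /api/v2/devices HTTP/1.1" 200 5410 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

VULN_PATH = "/api/v2/featureusage"

# Substrings that have no business in a legitimate report-format value:
# EL delimiters and the reflection chain used to reach Runtime.exec().
EL_MARKERS = ("${", "#{", "getClass(", "forName(", "getRuntime", ".exec(", "ProcessBuilder")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so double-encoded
    payloads (%2524%257B -> %24%7B -> ${) are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_el_injection(line: str):
    """Return a finding dict for a featureusage request whose format value
    looks like an EL payload, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(VULN_PATH):
        return None
    # parse_qs strips one layer of percent-encoding; decode_fully does the rest.
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("format", []):
        fmt = decode_fully(raw)
        markers = [mk for mk in EL_MARKERS if mk in fmt]
        if markers:
            return {
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "format": fmt,
                "markers": markers,
            }
    return None


def scan_log(text: str) -> list:
    """Scan a whole log and return every finding in file order."""
    return [f for f in (find_el_injection(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} "
              f"markers={hit['markers']} format={hit['format']!r}")
```

Run it as-is to see the two hits from the sample, or point scan_log at the contents of the appliance's access log. A clean result does not prove the server was not attacked: query strings may be truncated or not logged at all, and since the injection fires in the validator's error path, a burst of error responses to featureusage requests from an unexpected source address is worth investigating on its own.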

The eSentire Threat Intelligence team assesses with high confidence that adoption of these vulnerabilities by threat actors will grow and that exploitation attempts in the wild will increase, given the public availability of PoC exploit code and the high potential impact.

Impacted versions:

Ivanti Endpoint Manager Mobile (EPMM) 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier (any build below the fixed releases 11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1).

References:

[1] https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/

[2] https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

[3] https://nvd.nist.gov/vuln/detail/CVE-2025-4427

[4] https://nvd.nist.gov/vuln/detail/CVE-2025-4428