Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited through two chained vulnerabilities: CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (a post-authentication remote code execution flaw). Chained together they give an unauthenticated attacker remote code execution on internet-facing EPMM systems, and therefore complete control over the compromised instance.
EPMM’s fundamental role in managing and pushing configurations to enterprise mobile devices makes its compromise a direct pipeline to highly sensitive user and device data, as well as integrated enterprise services like Office 365 and LDAP.
CVE-2025-4427: Authentication Bypass (CVSSv3: 5.3 Medium): The vulnerability arises from improper request handling in Ivanti EPMM’s route configuration. Certain API routes, such as /rs/api/v2/featureusage and /mifs/rs/api/v2/*, are exposed without authentication checks. An unauthenticated attacker can therefore bypass the authentication mechanism and reach protected resources that should require valid credentials.
CVE-2025-4428: Post-authentication Remote Code Execution (CVSSv3: 7.2 High / 8.8 High): The vulnerability resides in EPMM’s DeviceFeatureUsageReportQueryRequestValidator component, which handles user-supplied input unsafely when that input is embedded in error messages resolved through Spring’s AbstractMessageSource.
Because the message is interpolated before it is returned, this gives the attacker an Expression Language (EL) injection, a form of Server-Side Template Injection (SSTI). By supplying a crafted format parameter to the /api/v2/featureusage endpoint, an attacker can achieve arbitrary code execution; combined with CVE-2025-4427, no credentials are needed to reach that endpoint.
Vulnerable Versions
Ivanti Endpoint Manager Mobile (EPMM) releases earlier than the patched builds listed under Mitigations & Recommendations (11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1) are affected.
Mitigations & Recommendations:
- All Ivanti EPMM instances, particularly those exposed to the internet, must be upgraded without delay to the latest patched versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.
- Implement Network Restrictions: As an interim measure before patching, apply network-level restrictions to block access to the /rs/api/v2/* and /mifs/rs/api/v2/* endpoints. This is a stopgap only: verify that the rule covers both path prefixes (path normalization and alternate URL encodings can slip past naive URL filters) and account for any legitimate integrations that use these API routes.
- Log Analysis: Review HTTP access logs (e.g., /mi/tomcat/logs/access-logs.*, /var/log/httpd/https-access_log, /var/log/httpd/https-request_log) for requests to the /rs/api/v2/ and /mifs/rs/api/v2/ routes, in particular featureusage requests whose format parameter carries EL syntax such as ${...} (possibly URL-encoded), and for requests to those routes from unexpected source addresses.
- File System Analysis: Scan for files matching known malware hashes (KrustyLoader, Sliver, MySQL dump scripts) in temporary directories (/tmp/1, /tmp/h, /tmp/y, /tmp/.alog) and for unexpected or recently modified files in web-accessible directories (/mi/tomcat/webapps/mifs/, especially 401.jsp, css.css, session.jsp, baseURL.jsp).
- Process Monitoring: Look for unusual processes originating from the Ivanti EPMM application, especially those involving wget, curl, fetch, mysqldump, jcmd, or unexpected shell commands.
- Network Activity Analysis: Monitor outbound network connections from EPMM instances to suspicious IP addresses or domains listed in the published IoCs, or to any other unusual C2 pattern.
- Credential Review: If compromise is confirmed, assume all credentials managed by or accessible via EPMM (LDAP, Office 365 tokens, database credentials) are compromised and initiate a comprehensive credential reset and rotation across affected services.
- Centralized Log Management and Monitoring: Configure Ivanti EPMM servers to forward logs to a centralized log management system for storage, analysis, and reporting, so that evidence survives even if the appliance is wiped or rebuilt.
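The log-analysis and file-system checks above can be partly automated. The following is an added example, not code from the original article or from Ivanti: it triages access-log lines for the three signs discussed (EL syntax in a request to the featureusage route, any hit on the unauthenticated /rs/api/v2/ routes, and requests for the web-accessible file names listed above). It assumes the logs use the Apache/Tomcat combined format; the sample lines, the function names and the tag names are constructed for illustration and carry no real exploit payload.

```python
"""Triage EPMM HTTP access logs for signs of CVE-2025-4427 / CVE-2025-4428 abuse (added example)."""
import re
from urllib.parse import unquote

# Combined access-log format, as written by Apache httpd and Tomcat's AccessLogValve
# ("%h %l %u %t \"%r\" %s %b ..."). Assumption: EPMM's access logs follow this layout.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Route prefix the advisory lists as reachable without authentication
# (covers both /rs/api/v2/* and /mifs/rs/api/v2/*).
UNAUTH_ROUTE = "/rs/api/v2/"
# Web-accessible file names the advisory tells you to look for under /mi/tomcat/webapps/mifs/.
WEBSHELL_PATHS = {"/mifs/" + name for name in ("401.jsp", "css.css", "session.jsp", "baseURL.jsp")}
# Expression Language openers; the RCE is reached by injecting EL into the `format` parameter.
EL_MARKERS = ("${", "#{")


def fully_decode(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double- or triple-encoded `${` is still caught."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> list:
    """Return the list of indicator tags that apply to one request target (path + query)."""
    tags = []
    decoded = fully_decode(target)
    path, _, _query = decoded.partition("?")
    if any(marker in decoded for marker in EL_MARKERS):
        tags.append("el-injection-attempt")
    if UNAUTH_ROUTE in path:
        tags.append("unauth-api-route")
    if path in WEBSHELL_PATHS:
        tags.append("webshell-path")
    return tags


def triage(log_text: str) -> list:
    """Parse every line; return one finding per line that carries at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-access-log line: skip rather than abort the triage
        tags = classify(m["target"])
        if tags:
            findings.append({"src": m["src"], "ts": m["ts"], "status": m["status"],
                             "target": m["target"], "tags": tags})
    return findings


# Constructed sample log (not real EPMM traffic): a benign login, a single- and a
# double-encoded EL marker in the format parameter, a POST to a listed .jsp name,
# a plain internal API call, and one line that is not an access-log record at all.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [15/May/2025:10:02:15 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7Bfoo%7D HTTP/1.1" 500 412 "-" "python-requests/2.31"
203.0.113.7 - - [15/May/2025:10:02:40 +0000] "GET /mifs/rs/api/v2/featureusage?format=%2524%257Bfoo%257D HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.9 - - [15/May/2025:10:03:01 +0000] "POST /mifs/401.jsp HTTP/1.1" 200 56 "-" "curl/8.0"
10.0.0.6 - - [15/May/2025:10:04:00 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 200 901 "-" "Mozilla/5.0"
this line is not an access-log record
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["ts"], finding["src"], finding["status"], ",".join(finding["tags"]), finding["target"])
```

Run it against the real files with `triage(open(path).read())`. Hits tagged `unauth-api-route` from internal monitoring are expected noise on a healthy system; the ones to escalate are `el-injection-attempt` (regardless of the response status, since a 500 can still mean the expression was evaluated) and `webshell-path`, plus any API-route hits from addresses that have no business talking to the appliance.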