
Ivanti Endpoint Manager Mobile: multiple vulnerabilities

Published: 20 May 2025

Prepared by: Brandon Sawyer, Associate Vulnerability Security Analyst

 


Purpose

This bulletin highlights two recently disclosed vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM):

  • CVE-2025-4427 – Authentication Bypass, CVSS 5.3 (Medium Severity)

  • CVE-2025-4428 – Remote Code Execution, CVSS 7.2 (High Severity)

When exploited in combination, these vulnerabilities could allow unauthenticated remote attackers to execute arbitrary code on vulnerable Ivanti EPMM instances.

Ivanti has confirmed that all versions of EPMM up to and including 12.5.0.0 are affected. Ivanti has acknowledged a very limited number of in-the-wild exploitations at the time of writing, and greynoise.io reports three IP addresses associated with CVE-2025-4428 exploit attempts. A security patch was released on 13 May 2025, and organisations are strongly advised to implement the remediation steps from Ivanti provided below.

On 14 May 2025, the Australian Cyber Security Centre (ACSC) issued an advisory addressing these and other CVEs. The ACSC recommends that all affected organisations verify their EPMM deployments and ensure they are patched according to Ivanti’s official guidance.


Vulnerability details

On 13 May 2025, Ivanti released a security advisory disclosing that a limited number of customers had experienced exploitation of Ivanti Endpoint Manager Mobile through the chaining of two vulnerabilities: CVE-2025-4427 and CVE-2025-4428. At the time of publication, no public proof-of-concept exploits for these vulnerabilities had been made available; however, a limited number of in-the-wild exploits have been observed.

  • CVE-2025-4427 is an authentication bypass vulnerability in EPMM, enabling unauthorised access to protected resources without valid credentials.

  • CVE-2025-4428 is a remote code execution (RCE) vulnerability that allows attackers to execute arbitrary code on the target system.

Both vulnerabilities stem from third-party open-source libraries integrated into the EPMM platform. When chained together, they allow unauthenticated remote attackers to execute arbitrary code on vulnerable Ivanti EPMM instances. Ivanti strongly recommends that all organisations review their environments to identify any affected versions and apply the security update released on 13 May 2025 without delay.

 

Impacted Versions:

  • 11.12.0.4 and earlier

  • 12.3.0.1 and earlier

  • 12.4.0.1 and earlier

  • 12.5.0.0 and earlier

  


Impact

An attacker who successfully chains these two flaws can execute arbitrary code on a vulnerable appliance without authentication.


Mitigation actions 

Organisations running impacted versions of Ivanti EPMM should take the following actions:

  • 11.12.0.4 and prior should be updated to 11.12.0.5 
  • 12.3.0.1 and prior should be updated to 12.3.0.2
  • 12.4.0.1 and prior should be updated to 12.4.0.2
  • 12.5.0.0 and prior should be updated to 12.5.0.1

Customers can also mitigate the threat by following best-practice guidance of filtering access to the API using either the built-in Portal ACLs functionality or an external WAF. More information about Portal ACLs can be found at: Access Control Lists

The overall risk is significantly reduced for organisations that already limit API access using Portal ACLs or a WAF. Ivanti has acknowledged this as an effective mitigation strategy; however, it is important to note that implementing these controls may affect product functionality depending on specific configurations.
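The version-to-fix mapping above is the check an operator has to run across every EPMM appliance in the fleet. The following Python is an added example, not Ivanti's or Triskele Labs' own tooling: it encodes the four fixed releases from the list above and classifies a reported version string as patched, vulnerable with a named fix, or vulnerable with no fix listed. The handling of versions outside the four listed branches (for example an end-of-life 11.11.x or 12.2.x build) is this example's own reading of the statement that all versions up to and including 12.5.0.0 are affected; the bulletin names no fixed release for those branches, so the example reports them as needing a move to a supported branch. The inventory at the bottom is constructed sample input.

```python
"""Classify Ivanti EPMM versions against the fixed releases in this bulletin.

Added example, not Ivanti's or Triskele Labs' tooling. FIXED_RELEASES is
taken from the Mitigation actions list; treatment of unlisted branches is
this example's interpretation of "all versions up to and including 12.5.0.0".
"""
from typing import Dict, List, Optional, Tuple

# Fixed release for each affected branch, keyed by (major, minor).
FIXED_RELEASES: Dict[Tuple[int, int], str] = {
    (11, 12): "11.12.0.5",
    (12, 3): "12.3.0.2",
    (12, 4): "12.4.0.2",
    (12, 5): "12.5.0.1",
}

# Per the bulletin, every release up to and including this one is affected.
HIGHEST_AFFECTED = "12.5.0.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.5.0.0' into (12, 5, 0, 0); shorter strings are zero-padded
    so that '12.5' compares equal to '12.5.0.0'."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EPMM version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version: str) -> Tuple[bool, Optional[str]]:
    """Return (vulnerable, fixed_release_to_install).

    - Listed branch: vulnerable if below that branch's fixed release.
    - Unlisted branch at or below 12.5.0.0: vulnerable, but the bulletin
      names no fix, so None is returned (assumption: move to a supported branch).
    - Anything newer than the listed branches: outside the advisory, not flagged.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        vulnerable = v < parse_version(fixed)
        return (vulnerable, fixed if vulnerable else None)
    if v <= parse_version(HIGHEST_AFFECTED):
        return (True, None)
    return (False, None)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, bool, Optional[str]]]:
    """Classify a hostname -> version inventory; unparsable versions are
    reported as vulnerable so they are not silently dropped from the list."""
    rows = []
    for host, version in sorted(inventory.items()):
        try:
            vulnerable, fix = assess(version)
        except ValueError:
            vulnerable, fix = True, None
        rows.append((host, version, vulnerable, fix))
    return rows


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "epmm-syd-01": "12.5.0.0",
    "epmm-syd-02": "12.5.0.1",
    "epmm-mel-01": "11.12.0.3",
    "epmm-lab-01": "12.2.0.1",   # unlisted, end-of-life branch
    "epmm-lab-02": "unknown",
}

if __name__ == "__main__":
    for host, version, vulnerable, fix in triage(SAMPLE_INVENTORY):
        state = "VULNERABLE" if vulnerable else "patched"
        action = f"update to {fix}" if fix else ("move to a supported branch" if vulnerable else "-")
        print(f"{host:14} {version:10} {state:10} {action}")
```

Feed it the version string from each appliance's admin portal or API response; a row that shows vulnerable with no named fix is a branch the bulletin does not cover, which needs an upgrade path rather than a point release.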


Detection capabilities

Customers who believe they may be affected are advised to verify their current version of Ivanti EPMM and apply any necessary updates.

The research team at watchTowr Labs have released the Ivanti EPMM Pre-Auth RCE Chain 1day Detection Artifact Generator Tool that can be used to detect vulnerable Ivanti EPMM instances.

Triskele Labs DefenceShield customers leveraging our Assess (Vulnerability Scanning) and Monitor (24×7 SIEM) services are being proactively assessed and monitored for indicators of compromise (IOCs) and signs of lateral movement.
