CVE-2025-4428

Published May 13, 2025

Last updated 2 months ago

Exploit knownCVSS high 7.2
Ivanti EPMM

Overview

AI description

Verified by Intruder
Automated description summarized from trusted sources.

CVE-2025-4428 is a remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device. The vulnerability is associated with an open-source library integrated into EPMM. Ivanti released a security advisory on May 13, 2025, to address this vulnerability, along with an authentication bypass vulnerability (CVE-2025-4427). It was found that chaining the two vulnerabilities together could lead to unauthenticated remote code execution. Ivanti is aware of a limited number of customers whose systems have been exploited.

Description
Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.
Source
3c1d8aa1-5a33-4ea4-8992-aadd6440af75
NVD status
Analyzed

Insights

Analysis from the Intruder Security Team
Published May 19, 2025

This CVE references a Java Expression Language injection vulnerability in Ivanti EPMM, which allows a user with access to a particular API to execute arbitrary code.

In conjunction with CVE-2025-4427 - an auth bypass vulnerability which gives access to the API in question - this can be used by an unauthenticated attacker.

More information on exact vulnerable versions can be found here - you should patch immediately if vulnerable. Note that in the recommended deployment of EPMM, where the API is not accessible to the internet, the impact is reduced.

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Known exploits

Data from CISA

Vulnerability name
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Exploit added on
May 19, 2025
Exploit action due
Jun 9, 2025
Required action
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

3c1d8aa1-5a33-4ea4-8992-aadd6440af75
CWE-94

Social media

Hype score
Not currently trending

  1. During various Ivanti Endpoint Manager Mobile investigations (CVE-2025-4428), we (as others in our field) saw that the threat actors dumped heap memory from the Tomcat Java processes using jcmd, in order to search the dumped data for sensitive information. Have others seen this

    @malmoeb

    21 Jun 2025

    1949 Impressions

    2 Retweets

    13 Likes

    7 Bookmarks

    1 Reply

    0 Quotes

  2. 🔴 Ivanti Endpoint Manager Mobile, Remote Code Execution, #CVE-2025-4428 (Critical) https://t.co/pg321DrO54

    @dailycve

    16 Jun 2025

    21 Impressions

    1 Retweet

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  3. 【MBSD-SOCの検知傾向トピックス】 2025年5月分#MBSD#SOCの検知傾向トピックスを公開しました。 今月は、Ivanti Endpoint Manager Mobileの脆弱性(CVE-2025-4427, CVE-2025-4428)を狙った攻撃を新たに観測しました。 ▼詳しくは

    @mbsdnews

    13 Jun 2025

    45 Impressions

    0 Retweets

    1 Like

    1 Bookmark

    0 Replies

    0 Quotes

  4. [1day1line] CVE-2025-4428 : a Spring EL Injection vulnerability that occurred in Ivanti EPPM https://t.co/fPVSuAiHFY Hello. Today's one day one line is about a Spring EL Injection vulnerability that occurred in Ivanti EPPM. The vulnerability occur red when user input values

    @hackyboiz

    7 Jun 2025

    598 Impressions

    3 Retweets

    14 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  5. Live Forensic Collection from Ivanti EPMM Appliances (CVE-2025-4427 & CVE-2025-4428) https://t.co/3Xp01PEtXf

    @_r_netsec

    1 Jun 2025

    902 Impressions

    0 Retweets

    7 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  6. A China-nexus group is actively exploiting critical Ivanti EPMM vulnerabilities (CVE-2025-4427, CVE-2025-4428) to remotely execute code and exfiltrate data, deploying KrustyLoader malware via AWS S3 buckets across global sectors. 🚨 #Ivanti #KrustyLoader https://t.co/pCmtCPEz6y

    @TweetThreatNews

    30 May 2025

    78 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  7. 🚨 Exploiting #CVE-2025-4428: Unauthenticated Remote Code Execution https://t.co/awwzOMOVWZ Educational Purposes!

    @UndercodeUpdate

    29 May 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Actively exploited CVE : CVE-2025-4428

    @transilienceai

    27 May 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. Looking through a long list of vulnerable Ivanti devices, trying to find out if a customer is listed and how to reach someone on the other side to inform them about exposed Ivanti EPMM services affected by RCEs tracked as CVE-2025-4427 and CVE-2025-4428. It affects every sector:

    @cyb3rops

    26 May 2025

    19210 Impressions

    17 Retweets

    74 Likes

    31 Bookmarks

    4 Replies

    1 Quote

  10. #threatreport #HighCompleteness China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability | 25-05-2025 Source: https://t.co/uLSCchef7i Key details below ↓ 🧑‍💻Actors/Campaigns: Unc5221 (🧠motivation: cyber_espionage)

    @rst_cloud

    26 May 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  11. I found another variant of CVE-2025-4428 — a pre-auth RCE in Ivanti EPMM. Link to the blog post below 👇 https://t.co/WUZUNBySEi

    @HacktronAI

    25 May 2025

    15564 Impressions

    17 Retweets

    114 Likes

    55 Bookmarks

    3 Replies

    2 Quotes

  12. China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability https://t.co/dbk8D7ccgf

    @adriananglin

    25 May 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. Actively exploited CVE : CVE-2025-4428

    @transilienceai

    25 May 2025

    11 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  14. CVE-2025-4427 & CVE-2025-4428 : Live Forensic Collection from Ivanti EPMM Appliances https://t.co/JdtrsTg8PP

    @freedomhack101

    24 May 2025

    64 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-4427 and CVE-2025-4428 – the two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities that have been exploited in the wild as zero-days and patched by Ivanti last week – are being leveraged by a Chinese cyber espionage group that has been exploiting zero-days in ed

    @cybertzar

    24 May 2025

    42 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  16. CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution https://t.co/qytojl3kAT https://t.co/JCNZ4Dbbcz

    @IT_Peurico

    23 May 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) | https://t.co/kWqkkX2FmC @EclecticIQ

    @780thC

    23 May 2025

    806 Impressions

    10 Retweets

    11 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  18. UNC5221 sfrutta la falla CVE-2025-4428 in Ivanti EPMM per spionaggio globale Sicurezza Informatica, accesso remoto, apt, cina, CVE-2025-4428, cyber spionaggio, esfiltrazione dati mobili, guerra cibernetica, Ivanti, Ivanti EPMM, krustyloader, malware, Sli… https://t.co/i4qP3DB6G

    @matricedigitale

    23 May 2025

    41 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. China-linked group UNC5221 is exploiting Ivanti Endpoint Manager Mobile vulnerabilities CVE-2025-4427 & CVE-2025-4428 to target organizations in Europe & North America. Immediate patching is crucial. 🚨 #CyberThreat #IvantiVulns #US https://t.co/TLR6tQobQe

    @TweetThreatNews

    23 May 2025

    88 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  20. Latest Known Exploited Vulnerabilities (#KEV) : #CVE-2025-4428 #Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability https://t.co/0i9YWxppXG

    @ScyScan

    22 May 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. Security Bulletin: Critical Ivanti EPMM vulnerabilities (CVE-2025-4427, CVE-2025-4428) are being actively exploited for unauthenticated RCE. Patch now to versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1. #ThreatIntel #RedLeggCTI #Ivanti EPMM https://t.co/2npCLP8IyP

    @RedLegg

    22 May 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. Live Forensic Collection from Ivanti EPMM Appliances (CVE-2025-4427 & CVE-2025-4428) https://t.co/bUAYNdljdQ https://t.co/BMqr2Poz0u

    @secharvesterx

    22 May 2025

    38 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  23. Chinese hackers exploiting CVE-2025-4428 target global organizations via Ivanti EPMM 12.5.0.0 and earlier, gây espionage & data theft, including govt, healthcare, and finance 🇨🇳. Stay alert! #CyberThreat #Espionage #China https://t.co/XaAGJroRxH

    @TweetThreatNews

    22 May 2025

    69 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  24. Attention Organizations: With the exploitation of CVE-2025-4427 and CVE-2025-4428 vulnerabilities in Ivanti EPMM, attackers could gain full control of your devices. We've published a step-by-step guide on how to collect forensic evidence from Ivanti EPMM appliances — including

    @ProferoSec

    22 May 2025

    247 Impressions

    1 Retweet

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  25. UNC5221 China-Nexus 🇨🇳 Threat actor actively exploiting Ivanti EPMM (CVE-2025-4428) @WhichbufferArda https://t.co/UIwp25wQcb https://t.co/rO2H0le9K9

    @freedomhack101

    22 May 2025

    55 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    2 Replies

    0 Quotes

  26. Attention Organizations: With the exploitation of CVE-2025-4427 and CVE-2025-4428 vulnerabilities in Ivanti EPMM, attackers could gain full control of your devices. We've published a step-by-step guide on how to collect forensic evidence from Ivanti EPMM appliances — including

    @ProferoSec

    22 May 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. 📌 استغل هاكرز صينيون ثغرات برمجيات Ivanti Endpoint Manager Mobile (EPMM) لتوجيه هجمات على قطاعات متنوعة في أوروبا وأمريكا الشمالية ومنطقة آسيا والمحيط الهادئ. الثغرتان،

    @Cybercachear

    22 May 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  28. 🚨日本組織も標的に:中国関連アクターがIvanti EPMMの脆弱性悪用に関与か(CVE-2025-4428) 〜サイバーアラート 5月22日〜 https://t.co/8hjxuvJb23 #セキュリティ #インテリジェンス #OSINT

    @MachinaRecord

    22 May 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  29. CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution https://t.co/avxFH9RjK7 https://t.co/eVXutALGXS

    @IT_Peurico

    21 May 2025

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. 🚨UNC5221 China-Nexus 🇨🇳 Threat Actor Actively Exploiting Ivanti EPMM (CVE-2025-4428). Victims include: 🇩🇪 Germany's top telecom provider & defense contractors 🇬🇧 UK healthcare institutions tied to NHS 🇺🇸 U.S. pharma, aviation, and mobile security co

    @WhichbufferArda

    21 May 2025

    29338 Impressions

    49 Retweets

    161 Likes

    94 Bookmarks

    5 Replies

    5 Quotes

  31. Ivanti EPMM is impacted by chained CVE-2025-4427 & CVE-2025-4428 flaws, enabling unauthenticated remote code execution—being actively exploited in the wild. A critical risk for versions up to 12.4.0.1. ⚠️ #IvantiEPMM #Vulnerabilities #CyberUK https://t.co/1AbtNOeIfC

    @TweetThreatNews

    21 May 2025

    35 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  32. 🚨 CISA added Ivanti's EPMM Zero Day Vulnerabilities CVE-2025-4427 and CVE-2025-4428 as KEV. #ivanti https://t.co/hUCf4CE0hk

    @CSec88

    20 May 2025

    113 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  33. Ivanti EPMM users urgently need to patch against actively exploited 0day vulnerabilities (CVE-2025-4427, CVE-2025-4428) that enable pre-authenticated remote code execution, warns watchTowr. https://t.co/fHaZcJIdMB

    @blackwired32799

    20 May 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  34. Ivantiのモバイルデバイス管理ソフト「Endpoint Mobile Manager(EPMM)」において、中程度および高リスクの脆弱性(CVE-2025-4427とCVE-2025-4428)が連携して悪用され、一部ユーザーがハッキング被害を受けた。 これによ

    @yousukezan

    19 May 2025

    633 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  35. Heads up! Two Ivanti EPMM vulnerabilities, CVE-2025-4427 & CVE-2025-4428, can be chained for unauthenticated RCE. With exploits happening in the wild, proactively defend against potential threats using a new Sigma rule from SOC Prime Platform. https://t.co/EWiEIGp4oL

    @SOC_Prime

    19 May 2025

    217 Impressions

    1 Retweet

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  36. Two critical Ivanti zero-days (CVE-2025-4427 + CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. Immediate patching is required. Get more details here ⬇️ https://t.co/B06owv29HR #ZeroDay #CyberSecurity #threatintel

    @GreyNoiseIO

    16 May 2025

    4266 Impressions

    36 Retweets

    49 Likes

    8 Bookmarks

    0 Replies

    0 Quotes

  37. On 5/13/25, #Ivanti disclosed 2 new vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM): CVE-2025-4427 & CVE-2025-4428. The vulnerabilities allow for unauthenticated RCE when chained, and successful exploitation has been observed in the wild: https://t.co/xY

    @rapid7

    16 May 2025

    400 Impressions

    0 Retweets

    3 Likes

    1 Bookmark

    1 Reply

    0 Quotes

  38. GitHub - watchtowrlabs/watchTowr-vs-Ivanti-EPMM-CVE-2025-4427-CVE-2025-4428 - https://t.co/kHnSap7txf

    @piedpiper1616

    16 May 2025

    966 Impressions

    6 Retweets

    20 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

  39. Expression payloads meet mayhem in this week's Ivanti EPMM vulnerabilities — CVE-2025-4427 and CVE-2025-4428 — chained to achieve unauth RCE. Beware - this is currently being exploited ITW! Enjoy our analysis. https://t.co/OQVc7vKdY4

    @watchtowrcyber

    15 May 2025

    21978 Impressions

    56 Retweets

    151 Likes

    39 Bookmarks

    1 Reply

    10 Quotes

  40. CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution https://t.co/w74Ihm9Lbj https://t.co/lNQWCvo9iA

    @ggrubamn

    15 May 2025

    63 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  41. CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution https://t.co/lmCe920EBK https://t.co/XDa8gzxoBZ

    @secured_cyber

    15 May 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  42. CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution https://t.co/US4UBhdp7A https://t.co/woCiMo4rdo

    @pcasano

    15 May 2025

    34 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  43. Ivanti has released patches for critical vulnerabilities in Endpoint Manager Mobile (CVE-2025-4427 & CVE-2025-4428) that enabled remote code execution and auth bypass. Affected versions: 11.12.0.4 & earlier. Stay protected! 🔒 #Infosec #Updates #UK https://t.co/Z7nnAlKk

    @TweetThreatNews

    15 May 2025

    42 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  44. CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution https://t.co/uO3IVkUkzq https://t.co/yl0W9he9r1

    @PintoriAlice

    15 May 2025

    34 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  45. 注意喚起: Ivanti Endpoint Manager Mobile(EPMM)の脆弱性(CVE-2025-4427、CVE-2025-4428)に関する注意喚起 (公開) https://t.co/GBFXfMCCfz

    @AileenWoodstock

    15 May 2025

    55 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  46. 統合版 JPCERT/CC | 注意喚起: Ivanti Endpoint Manager Mobile(EPMM)の脆弱性(CVE-2025-4427、CVE-2025-4428)に関する注意喚起 (公開) https://t.co/3oEZ0PUugy #itsec_jp

    @itsec_jp

    15 May 2025

    13 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  47. Ivanti has released patches for two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) software: CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution). https://t.co/honmMCMwav

    @securityRSS

    14 May 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  48. ⚠️Alerte CERT-FR⚠️ Les vulnérabilités CVE-2025-4427 et CVE-2025-4428 permettent à un attaquant non authentifié d'exécuter du code arbitraire à distance dans lvanti EPMM. Elles sont activement exploitées. https://t.co/B814hlKs36

    @CERT_FR

    14 May 2025

    7539 Impressions

    8 Retweets

    20 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  49. CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution https://t.co/drZpY4xNXo https://t.co/ZOBybeSSeW

    @Art_Capella

    14 May 2025

    57 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  50. 🚨Alert🚨CVE-2025-4427:An authentication bypass in the API component of Ivanti Endpoint Manager Mobile CVE-2025-4428:Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 📊740.6K+ Services are found on the https://t.co/ysWb28Crld yearly. 🔗Hunter https

    @HunterMapping

    14 May 2025

    2395 Impressions

    15 Retweets

    41 Likes

    17 Bookmarks

    0 Replies

    0 Quotes

Configurations

References

Sources include official advisories and independent security research.