CVE-2025-4428

Published May 13, 2025

Last updated 2 months ago

Ivanti EPMM

Overview

AI description

Verified by Intruder

Automated description summarized from trusted sources.

CVE-2025-4428 is a remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device. The vulnerability is associated with an open-source library integrated into EPMM. Ivanti released a security advisory on May 13, 2025, to address this vulnerability, along with an authentication bypass vulnerability (CVE-2025-4427). It was found that chaining the two vulnerabilities together could lead to unauthenticated remote code execution. Ivanti is aware of a limited number of customers whose systems have been exploited.

Description: Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.
Source: 3c1d8aa1-5a33-4ea4-8992-aadd6440af75
NVD status: Analyzed

Insights

Analysis from the Intruder Security Team

Published May 19, 2025

This CVE references a Java Expression Language injection vulnerability in Ivanti EPMM, which allows a user with access to a particular API to execute arbitrary code.

In conjunction with CVE-2025-4427 - an auth bypass vulnerability which gives access to the API in question - this can be used by an unauthenticated attacker.

More information on exact vulnerable versions can be found here - you should patch immediately if vulnerable. Note that in the recommended deployment of EPMM, where the API is not accessible to the internet, the impact is reduced.

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Known exploits

Data from CISA

Vulnerability name: Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Exploit added on: May 19, 2025
Exploit action due: Jun 9, 2025
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Weaknesses

3c1d8aa1-5a33-4ea4-8992-aadd6440af75: CWE-94

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 28

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BDF89238-9401-4106-8999-511712A0A51F",
            "versionEndExcluding": "11.12.0.5"
          },
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A3F4C3FB-278B-4F4D-A5EF-188F49322405",
            "versionEndExcluding": "12.3.0.2",
            "versionStartIncluding": "12.3.0.0"
          },
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "95FC0377-42AE-49FD-BE90-919F46D075C9",
            "versionEndExcluding": "12.4.0.2",
            "versionStartIncluding": "12.4.0.0"
          },
          {
            "criteria": "cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.0.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C3F9CD37-B058-4D65-86B1-9168215D2608"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.