Ivanti EPMM CVE-2025-4427: Critical Remote Code Execution Vulnerability
- Rescana

Executive Summary
The critical vulnerability identified as CVE-2025-4427 affects Ivanti Endpoint Manager Mobile (EPMM), and allows attackers to bypass authentication mechanisms to execute arbitrary code remotely. This report outlines the technical details, potential risks, and recommended mitigations associated with this flaw. The exploitation of this vulnerability poses a severe threat to enterprise mobile device management systems, necessitating immediate attention and action.
Technical Information
Ivanti EPMM is susceptible to a severe vulnerability, CVE-2025-4427, which permits an authentication bypass that attackers can exploit to gain unauthorized access to restricted resources. This vulnerability is compounded by CVE-2025-4428, which enables remote code execution. The exploitation of these vulnerabilities is primarily facilitated through unsafe user input in the application’s bean validators, which act as a sink for Server-Side Template Injection (SSTI) attacks.
The attack works by sending a request whose parameter has been manipulated; because the system does not enforce its authentication check before processing that parameter, the request is handled without verifying the source's authenticity. This oversight lets the attacker inject code that the server then executes, compromising the system's integrity.
The root cause analysis indicates that the application's validation logic does not reject unauthenticated requests before processing potentially harmful input. Specifically, the Spring MVC framework binds query parameters to a request object, and the @Valid annotation triggers a validator that accepts the untrusted input. That input is then inserted into a message template, which the Expression Language (EL) engine parses and evaluates, including any embedded expressions, without adequate security checks.
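The validator pattern described above, as an added illustration that is not EPMM's code and is not taken from the ProjectDiscovery or Ivanti write-ups: a hypothetical Bean Validation constraint whose validator builds the violation message from the untrusted parameter value (the sink), beside a hardened form that keeps the message template constant and a factory that never evaluates EL. The constraint name, validator class and allow-list pattern are assumptions; the Hibernate Validator API calls are real.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.regex.Pattern;
import javax.validation.Constraint;
import javax.validation.ConstraintValidator;
import javax.validation.ConstraintValidatorContext;
import javax.validation.Payload;
import javax.validation.Validation;
import javax.validation.Validator;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

// Hypothetical constraint for illustration; not an EPMM annotation.
@Constraint(validatedBy = DeviceFormatValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
@interface ValidDeviceFormat {
    String message() default "invalid device format";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class DeviceFormatValidator implements ConstraintValidator<ValidDeviceFormat, String> {
    // Assumed allow-list of legitimate values for the bound request parameter.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || ALLOWED.matcher(value).matches()) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();

        // VULNERABLE (left disabled): the untrusted value becomes part of the message
        // *template*. The default interpolator treats "${...}" in a template as EL,
        // so such a sequence in the request parameter is evaluated server-side.
        // ctx.buildConstraintViolationWithTemplate(value + " is not a valid format")
        //    .addConstraintViolation();

        // HARDENED: constant template; the rejected value never reaches the interpolator.
        ctx.buildConstraintViolationWithTemplate("value is not a valid device format")
           .addConstraintViolation();
        return false;
    }

    // Defence in depth: a Validator whose interpolator does plain parameter
    // substitution only and never evaluates EL, regardless of template content.
    static Validator noElValidator() {
        return Validation.byDefaultProvider().configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory().getValidator();
    }
}
```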
Exploitation in the Wild
Recent reports indicate active exploitation of these vulnerabilities, with attackers targeting enterprise environments to deploy malicious payloads. Because no authentication is required, the attack is simple and reliable, and unauthorized actors can execute code remotely without any prior access. Indicators of Compromise (IOCs) include unusual network traffic patterns, access-log entries for unauthorized requests, and unexpected system behavior, all of which should be monitored closely.
APT Groups using this vulnerability
While specific Advanced Persistent Threat (APT) groups exploiting this vulnerability have not been publicly identified, the nature of the attack aligns with tactics commonly employed by state-sponsored actors targeting critical infrastructure sectors globally. Organizations in the government, financial services, and telecommunications sectors are advised to remain particularly vigilant.
Affected Product Versions
The following versions of Ivanti EPMM are affected: versions prior to 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Enterprises using these versions should prioritize immediate updates to mitigate the associated risks.
Workaround and Mitigation
Ivanti has issued patches to address these vulnerabilities. Organizations using the affected versions must update to version 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1. Additionally, implementing robust access controls and monitoring for anomalous activity can help detect and prevent exploitation.
References
- ProjectDiscovery Blog: https://projectdiscovery.io/blog/ivanti-remote-code-execution?utm_campaign=blog_email_notification&utm_medium=email&utm_source=CVE_2025_4427_Ivanti_EPMM_RCE
- Ivanti Security Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
- NVD CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-4427
Rescana is here for you
Rescana offers comprehensive support through our Third Party Risk Management (TPRM) platform, helping organizations assess and mitigate risks associated with cybersecurity vulnerabilities. Our team is ready to assist with any inquiries or additional analysis required. Please reach out to us at ops@rescana.com for expert guidance and support.