🔴 CVE-2025-4427

CVE-2025-4427 is an authentication bypass vulnerability in the API component of Ivanti Endpoint Manager Mobile that allows unauthenticated attackers to access protected resources. This vulnerability is actively being exploited in the wild and is listed in CISA's KEV catalog.

Risk Level: HIGH_RISK
CVSS Score: 5.3
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-13

Added to CISA KEV: 2025-05-19 (6 days between CVE publication and KEV listing)


🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-4427 is an authentication bypass vulnerability affecting the API component of Ivanti Endpoint Manager Mobile (EPMM) [1]. On its own it carries a CVSS score of only 5.3 [5]; it is rated high risk here because it is exploited in the wild and is chained with CVE-2025-4428 to reach unauthenticated remote code execution [3].

Exploitation and Threat Actor Activity
  • Active Exploitation: The vulnerability has been actively exploited in the wild [6]. It was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog [1].
  • Threat Actors: Reports have linked the exploitation of this vulnerability chain to UNC5221, a Chinese cyber espionage group known for targeting edge network appliances [5].
  • Campaigns: The vulnerability has been used in targeted espionage campaigns rather than broad ransomware attacks. Attackers have used it to gain initial access and deploy persistent malware on vulnerable servers [4] [2].
Attack Method and Requirements
  • Method: CVE-2025-4427 is an authentication bypass (CWE-288) that allows attackers to access protected API resources without valid credentials [1] [4].
  • Chaining: It is frequently chained with CVE-2025-4428, an authenticated remote code execution (RCE) flaw. Chaining these two vulnerabilities allows a remote, unauthenticated attacker to achieve full remote code execution on the target device [3] [2].
  • Requirements: Exploitation is network-based and does not require user interaction [7].
  • PoC Availability: Proof-of-concept exploit code became available publicly around mid-May 2025, which preceded an increase in exploitation activity [2].
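The page classifies the flaw as CWE-288, authentication bypass using an alternate path or channel, but does not describe the bypass itself. The following added example (not Ivanti's code, not the page's, and not the CVE-2025-4427 mechanism) is a constructed toy router showing the general shape of that weakness class: an auth check keyed on the request path guards one route to a handler while an alias route to the same handler is left open, beside the hardened form that binds the check to the handler. Route names, the static bearer token and the handler are all hypothetical.

```python
"""Toy CWE-288 pattern: path-keyed authentication vs handler-bound authentication.
Constructed example; NOT Ivanti EPMM code and NOT the CVE-2025-4427 exploit path,
which is not described on the page."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

Handler = Callable[[Request], Tuple[int, str]]

def is_authenticated(req: Request) -> bool:
    # Hypothetical static token standing in for real session/token validation.
    return req.headers.get("Authorization") == "Bearer valid-token"

def get_devices(req: Request) -> Tuple[int, str]:
    # Hypothetical protected resource.
    return 200, "device inventory"

class VulnerableRouter:
    """Auth is a path filter: only requests under PROTECTED_PREFIX are checked,
    so any alternate path registered for the same handler bypasses it."""
    PROTECTED_PREFIX = "/api/v1/"

    def __init__(self) -> None:
        self.routes: Dict[str, Handler] = {}

    def add(self, path: str, handler: Handler) -> None:
        self.routes[path] = handler

    def dispatch(self, req: Request) -> Tuple[int, str]:
        handler = self.routes.get(req.path)
        if handler is None:
            return 404, "not found"
        if req.path.startswith(self.PROTECTED_PREFIX) and not is_authenticated(req):
            return 401, "unauthorized"
        return handler(req)

class HardenedRouter(VulnerableRouter):
    """Auth is wrapped around the handler at registration time, so every
    path that reaches the handler is checked, regardless of prefix."""

    def add(self, path: str, handler: Handler, protected: bool = True) -> None:
        def guarded(req: Request) -> Tuple[int, str]:
            if not is_authenticated(req):
                return 401, "unauthorized"
            return handler(req)
        self.routes[path] = guarded if protected else handler

    def dispatch(self, req: Request) -> Tuple[int, str]:
        handler = self.routes.get(req.path)
        return (404, "not found") if handler is None else handler(req)

def build(router_cls) -> VulnerableRouter:
    r = router_cls()
    r.add("/api/v1/devices", get_devices)
    r.add("/legacy/devices", get_devices)   # alternate path to the same handler
    return r

def probe(router: VulnerableRouter) -> Dict[str, int]:
    """Status codes seen by an anonymous caller on both paths and by an
    authenticated caller on the protected path."""
    auth = {"Authorization": "Bearer valid-token"}
    return {
        "protected_anon": router.dispatch(Request("/api/v1/devices"))[0],
        "alias_anon": router.dispatch(Request("/legacy/devices"))[0],
        "protected_auth": router.dispatch(Request("/api/v1/devices", auth))[0],
    }

if __name__ == "__main__":
    print("vulnerable:", probe(build(VulnerableRouter)))
    print("hardened:  ", probe(build(HardenedRouter)))
```

The vulnerable router returns 200 to an anonymous caller on the alias path while rejecting the same caller on the protected path; the hardened router rejects both. The design point is that authorization decisions attached to a URL pattern are only as complete as the pattern list, whereas decisions attached to the handler cover every route, alias or channel that reaches it.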
Impact
Successful exploitation provides attackers with unauthorized access to the API. When chained with CVE-2025-4428, it results in persistent remote code execution, allowing attackers to compromise the integrity and confidentiality of the Ivanti EPMM server and potentially the managed mobile environment [2].
Affected Versions and Mitigation
  • Affected Versions: Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and prior [1]. The exposure concerns on-premises deployments [6].
  • Status: Ivanti released patches for both vulnerabilities in May 2025 [6]. Organizations running affected versions should apply the vendor's security updates and, given the in-the-wild exploitation, review exposed EPMM servers for signs of compromise.
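Turning the affected range above into an inventory check, as an added example that is not the page's or Ivanti's tooling: the script parses dotted version strings numerically and marks anything at or below 12.5.0.0 as affected. The page does not state the fixed build numbers, so newer versions are reported as "check vendor advisory" rather than "fixed". The inventory is constructed and the hostnames are hypothetical.

```python
"""Triage an on-prem EPMM inventory against the CVE-2025-4427 affected range
given on the page ('12.5.0.0 and prior').  Added example; not vendor tooling."""
import re
from typing import List, Tuple

# Inclusive ceiling from the NVD description cited on the page.
AFFECTED_CEILING = (12, 5, 0, 0)

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")

def parse_version(s: str) -> Tuple[int, ...]:
    """'12.4.1.1' -> (12, 4, 1, 1); zero-padded to four components so that
    comparison is numeric, not lexicographic ('12.10' must sort above '12.9')."""
    s = s.strip()
    if not _VERSION_RE.match(s):
        raise ValueError(f"unparseable version: {s!r}")
    parts = tuple(int(p) for p in s.split("."))
    return (parts + (0,) * 4)[:4]

def classify(version: str) -> str:
    # Fixed builds are not listed on the page, so a newer version is not
    # declared safe here; it is handed off to the vendor advisory.
    if parse_version(version) <= AFFECTED_CEILING:
        return "AFFECTED"
    return "CHECK_VENDOR_ADVISORY"

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows, affected hosts first, so the
    output doubles as a patch queue."""
    rows = []
    for host, version in inventory:
        try:
            status = classify(version)
        except ValueError:
            status = "UNKNOWN_VERSION"   # unparseable: verify by hand
        rows.append((host, version, status))
    order = {"AFFECTED": 0, "UNKNOWN_VERSION": 1, "CHECK_VENDOR_ADVISORY": 2}
    return sorted(rows, key=lambda r: order[r[2]])

INVENTORY = [  # constructed sample; hostnames are hypothetical
    ("epmm-01.corp.example", "12.5.0.0"),
    ("epmm-02.corp.example", "12.4.1.1"),
    ("epmm-03.corp.example", "12.5.0.1"),
    ("epmm-04.corp.example", "11.12.0.2"),
    ("epmm-05.corp.example", "n/a"),
]

if __name__ == "__main__":
    for host, ver, status in triage(INVENTORY):
        print(f"{status:22} {host:24} {ver}")
```

Hosts whose version cannot be parsed are surfaced separately rather than silently skipped, since an appliance whose version is unknown to the inventory is exactly the one most likely to be missed in a patch cycle.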

Sources

  1. CVE-2025-4427 Detail - NVD

    An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without ...

  2. CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 ...

    CISA details attackers exploiting Ivanti EPMM zero-days CVE-2025-4427/4428 in May 2025, enabling persistent remote code execution on vulnerable server ... While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code exec…

  3. Ivanti EPMM Chained Exploits Added to CISA KEV [CVE-2025-4427 ...

    CVE-2025-4428 is an authenticated remote code execution (RCE) vulnerability. When chained, these flaws allow a remote attacker to bypass API authentication and ...

  4. Malicious Listener for Ivanti Endpoint Mobile Management Systems - CISA

    Introduction The Cybersecurity and Infrastructure Security Agency (CISA) obtained two sets of malware, five files in total, from an organization where cyber threat actors exploited CVE-2025-4427 [CWE-288: Authentication Bypass Using an Alternate Path or Channel] and CVE-2025-4428 [CWE-‘Code Injectio…

  5. Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise...

    The vulnerabilities, tracked as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7.2), could be chained to execute arbitrary code on a vulnerable device without requiring any authentication. They were addressed by Ivanti last week. Now, according to a report from EclecticIQ, the vulner…

  6. Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code...

    Ivanti patched CVE-2025-4427 and CVE-2025-4428 in EPMM after limited exploitation + On-prem only risk.Separately, Ivanti has also shipped patches to contain an authentication bypass flaw in on-premise versions of Neurons for ITSM (CVE-2025-22462, CVSS score: 9.8) that could allow a remote unauthenti…

  7. CVE-2025-4427 - How Attackers Can Bypass API Authentication in Ivanti ...

    - NIST NVD CVE-2025-4427 description - CVE Details entry - Rapid7 blog on Ivanti vulnerabilities (historical) Final Thoughts CVE-2025-4427 is serious. Any attacker who can hit your EPMM server’s API can likely get in—no credentials needed! If you run Ivanti Endpoint Manager Mobile, this should be yo…