🔓 CVE-2025-4428

Remote Code Execution vulnerability in Ivanti Endpoint Manager Mobile API component that allows authenticated attackers to execute arbitrary code via crafted API requests. This vulnerability is actively exploited and listed in CISA KEV.

Risk Level: HIGH_RISK

CVSS Score: 7.2

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-05-13

Added to CISA KEV: 2025-05-19 (6 days between CVE publication and KEV listing)

🎯 Recommendations:

šŸ” Web Intelligence (Kagi Ā· 2026-06-04)

CVE-2025-4428 is a critical Remote Code Execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) versions 12.5.0.0 and earlier [4].

Exploitation and Threat Actor Activity
  • Active Exploitation: The vulnerability has been confirmed as actively exploited in the wild [1]. It is included in the CISA Known Exploited Vulnerabilities (KEV) catalog as of May 19, 2025 [2].
  • Threat Actors: Reports indicate usage by threat actors, including those with a China nexus, for malware deployment and establishing persistence within compromised environments [1].
  • Attack Chains: While CVE-2025-4428 is technically a post-authentication vulnerability, it has been observed being chained with CVE-2025-4427 to achieve unauthenticated remote code execution [3] [5].
Attack Method and Requirements
  • Method: The vulnerability exists in the API component of Ivanti EPMM, specifically within the `DeviceFeatureUsageReportQueryRequestValidator` [5]. It involves the unsafe handling of user-supplied input within error messages processed via Spring’s `AbstractMessageSource`, which enables Expression Language (EL) injection [5].
  • Requirements:
    * Network/Local: It is a remote vulnerability, exploitable over the network [4].
    * Authentication: It requires an authenticated account to trigger directly, though chaining with other vulnerabilities can bypass this requirement [3].
    * User Interaction: No user interaction is required for successful exploitation [2].
Impact and Availability
  • Impact: Successful exploitation allows for arbitrary code execution, leading to complete system compromise, unauthorized access to critical functions, and potential lateral movement within enterprise networks [1].
  • Exploit Availability: Proof-of-concept (PoC) material and detailed breakdowns of the exploit chain are publicly available in security research publications.
Affected Versions and Mitigation
  • Affected Versions: Ivanti Endpoint Manager Mobile (EPMM) versions 12.5.0.0 and earlier [4].
  • Status: Ivanti has released security advisories and patches to address this vulnerability. Organizations are strongly advised to consult the official Ivanti support portal and CISA guidance for remediation steps [2].
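The injection pattern described above (an attacker-controlled API parameter that ends up inside an EL-interpolated error message) leaves a recognisable trace in web-server access logs. The following is an added detection example, not code from this page or from Ivanti; the `/api/` prefix, the `report` endpoint, the `format` parameter and the log lines are constructed placeholders, since the page does not name the affected route.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Placeholder (assumption): the page does not name the affected EPMM API route;
# replace this prefix with the route given in Ivanti's advisory.
EPMM_API_PREFIX = "/api/"

# Spring/Jakarta EL expressions look like "${...}" or "#{...}"; one inside a
# request parameter signals an attempt against the message-interpolation bug.
EL_PATTERN = re.compile(r"[$#]\{[^}]*\}")

# Common Log Format: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: a benign call, two probes from one client (single- and
# double-URL-encoded), and an EL-looking value on a path outside the API prefix.
SAMPLE_LOG = """\
203.0.113.10 - - [19/May/2025:10:00:01 +0000] "GET /api/v2/status?format=json HTTP/1.1" 200 512
203.0.113.77 - - [19/May/2025:10:00:02 +0000] "GET /api/v2/report?format=%24%7B7*7%7D HTTP/1.1" 500 0
203.0.113.77 - - [19/May/2025:10:00:03 +0000] "GET /api/v2/report?format=%2524%257B7*7%257D HTTP/1.1" 500 0
198.51.100.5 - - [19/May/2025:10:00:04 +0000] "GET /login?next=%24%7Bx%7D HTTP/1.1" 302 0
"""

def contains_el(value: str) -> bool:
    """True if the value (possibly still URL-encoded) carries an EL expression."""
    decoded = unquote(unquote(value))  # parse_qsl decoded once; undo double encoding
    return EL_PATTERN.search(decoded) is not None

def scan_line(line: str, prefix: str = EPMM_API_PREFIX):
    """Return a finding for a suspicious request under the API prefix, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(prefix):
        return None
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if contains_el(value):
            return {"ip": m.group("ip"), "path": parts.path,
                    "param": name, "status": m.group("status")}
    return None

def scan_log(text: str, prefix: str = EPMM_API_PREFIX) -> list:
    """Scan a whole access log, one finding per suspicious request."""
    return [f for f in (scan_line(ln, prefix) for ln in text.splitlines()) if f]
```

Run `scan_log(SAMPLE_LOG)` to see the two findings from 203.0.113.77; the double-decoding step is what keeps the second probe from slipping past a naive `${` string match.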

Sources

  1. CVE-2025-4428 - Exploits & Severity - Feedly

    Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated ... This can result in complete system compromise, unauthorized access to critical functions, and potential lateral movement within enterprise environments. The v…

  2. CVE-2025-4428 - Vulnerability Details - OpenCVE

    Ivanti advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM. CISA KEV entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-4428. ...

  3. CVE-2025-4427 - Exploits & Severity - Feedly

    Classification: Critical, Solution: Official Fix, Exploit Maturity: High, CVSSv3.0: 7.2, CVEs: CVE-2025-4427, CVE-2025-4428, Summary: Ivanti released a security advisory addressing two zero-day vulnerabilities in their EPMM products. An attacker could chain those vulnerabil…

  4. CVE-2025-4428 Detail - NVD

    Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute ...

  5. Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild | Wiz Blog

    CVE-2025-4428 is a post-auth remote code execution vulnerability in EPMM's DeviceFeatureUsageReportQueryRequestValidator. It arises from the unsafe handling of user-supplied input within error messages processed via Spring’s AbstractMessageSource, which allows attacker-controlled EL (Expression Lang…