CVE-2025-4427
Ivanti Endpoint Manager Mobile vulnerability analysis and mitigation

Overview

An authentication bypass (CVE-2025-4427) and a post-authentication remote code execution vulnerability (CVE-2025-4428) were discovered in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities affect EPMM versions 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior. These flaws were disclosed on May 13th, 2025, and have been confirmed to be exploited in the wild prior to disclosure (Wiz Blog, Help Net Security).

Technical details

CVE-2025-4428 is a post-authentication remote code execution vulnerability in EPMM's DeviceFeatureUsageReportQueryRequestValidator. It arises from unsafe handling of user-supplied input within error messages processed via Spring's AbstractMessageSource, which allows injection of attacker-controlled Expression Language (EL). CVE-2025-4427 is characterized as an order-of-operations vulnerability rather than a true authentication bypass: validator logic executes before authentication checks in the route configuration. The CVSS scores are 5.3 (Medium) for CVE-2025-4427 and 7.2 (High) for CVE-2025-4428 (Wiz Blog, watchTowr Labs).

Impact

When chained together, these vulnerabilities enable unauthenticated remote code execution on vulnerable EPMM instances. Attackers have been observed dumping sensitive MySQL database tables, deploying web shells, and establishing persistent access through various means. The vulnerabilities affect only the on-premises EPMM product, which is used for mobile device management and endpoint security in enterprises (Wiz Blog, Help Net Security).

Mitigation and workarounds

Ivanti has released patched versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Organizations are advised to prioritize patching Internet-facing appliances. If immediate patching is not possible, network-level restrictions should be implemented on the /rs/api/v2/ and /mifs/rs/api/v2/ endpoints. The risk can be significantly reduced by filtering access to the API using either the built-in Portal ACLs functionality or an external web application firewall (Hacker News, Help Net Security).
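To check that such a restriction is actually holding, the following added example (not code from Ivanti or from the sources cited here) audits a web access log for requests that reached the two API prefixes from outside an allowlist, normalizing encoded and padded paths first. The log format, the allowlisted range, and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# API prefixes the advisory says to restrict at the network level.
RESTRICTED_PREFIXES = ("/rs/api/v2/", "/mifs/rs/api/v2/")
# Assumption: management ranges allowed to reach the API (placeholder value).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumption: access log in the common "combined" format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Generic EL delimiters, not indicators taken from the advisory.
EL_MARKERS = ("${", "#{")

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '10.20.5.9 - - [13/May/2025:10:00:01 +0000] "GET /mifs/rs/api/v2/example HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.7 - - [13/May/2025:10:00:02 +0000] "GET /mifs//rs/api/v2/x?a=%24%7Bx%7D HTTP/1.1" 400 90 "-" "-"',
    '198.51.100.4 - - [13/May/2025:10:00:03 +0000] "GET /rs/api/../api/v2/y HTTP/1.1" 401 0 "-" "-"',
    '203.0.113.7 - - [13/May/2025:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5 "-" "-"',
]


def normalize_path(target):
    """Decode twice and collapse //, ./ and ../ so the prefix check holds."""
    path = unquote(unquote(target.split("?", 1)[0]))
    return "/" + posixpath.normpath("/" + path).lstrip("/")


def audit(lines):
    """Findings for restricted-API requests from outside ALLOWED_NETS."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _method, target, status = m.groups()
        path = normalize_path(target)
        if not (path + "/").startswith(RESTRICTED_PREFIXES):
            continue
        try:
            allowed = any(ipaddress.ip_address(src) in n for n in ALLOWED_NETS)
        except ValueError:  # hostname or garbage in the client field
            allowed = False
        if not allowed:
            decoded = unquote(unquote(target))
            findings.append({"src": src, "path": path, "status": int(status),
                             "el_marker": any(k in decoded for k in EL_MARKERS)})
    return findings
```

Calling `audit(SAMPLE_LOG)` returns one finding per request that reached a restricted prefix from a non-allowlisted source; any finding on a production log means the ACL or WAF rule is not covering that path variant.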

Community reactions

Security researchers have actively analyzed and published technical details about the vulnerabilities. Notable research has been conducted by watchTowr Labs and ProjectDiscovery, who released proof-of-concept exploits. The vulnerabilities were initially reported by CERT-EU, suggesting potential compromise of European Union institutions (Help Net Security).

This report was generated using AI.
