CVE-2025-4428:
Ivanti Endpoint Manager Mobile vulnerability analysis and mitigation

High-profile threat •

Overview

CVE-2025-4428 is a high-severity remote code execution vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and prior. The vulnerability was discovered in May 2025 and affects the API component of EPMM, allowing authenticated attackers to execute arbitrary code via crafted API requests. The affected versions include 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 (Tenable Blog).

Technical details

The vulnerability exists in the DeviceFeatureUsageReportQueryRequestValidator component and stems from unsafe handling of user-supplied input within error messages processed via Spring's AbstractMessageSource. The flaw allows for Java Expression Language (EL) injection through the format parameter in the /api/v2/featureusage endpoint. When exploited, it enables arbitrary Java code execution through command injection via Runtime.exec(). The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Wiz Blog).

Impact

When chained with CVE-2025-4427 (an authentication bypass vulnerability), successful exploitation could lead to unauthenticated remote code execution on vulnerable systems. This vulnerability chain has been actively exploited in the wild, with Ivanti confirming a limited number of customers have been compromised. The impact is particularly severe for organizations using EPMM for mobile device management, as it could potentially allow attackers to deploy malicious software at scale to employee devices (Wiz Blog).

Mitigation and workarounds

Ivanti has released patched versions to address this vulnerability: 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Organizations are advised to upgrade to these patched versions immediately, particularly for internet-facing appliances. Additionally, customers can reduce their exposure by restricting API access via Portal ACLs functionality or implementing an external WAF (Tenable Blog).

Community reactions

The security community has responded actively to these vulnerabilities, with multiple security firms providing detailed technical analysis and detection guidance. Notably, the vulnerability chain has drawn significant attention due to its active exploitation in the wild and its potential impact on enterprise mobile device management systems (Wiz Blog).

Additional resources

Source: This report was generated using AI

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues

Cloud threat landscape

A comprehensive threat intelligence database of cloud security incidents, actors, tools and techniques

PEACH

A step-by-step framework for modeling and improving SaaS and PaaS tenant isolation

Get a personalized demo

Ready to see Wiz in action?

“Best User Experience I have ever seen, provides full visibility to cloud workloads.”

David EstlickCISO

“Wiz provides a single pane of glass to see what is going on in our cloud environments.”

Adam FletcherChief Security Officer

“We know that if Wiz identifies something as critical, it actually is.”

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2025-4428: Ivanti Endpoint Manager Mobile vulnerability analysis and mitigation