Severity
High
Analysis Summary
Ivanti has disclosed two critical zero-day vulnerabilities in its on-premises Endpoint Manager Mobile (EPMM) solution, CVE-2025-4427 and CVE-2025-4428, which, when chained together, enable unauthenticated remote code execution (RCE). Publicly disclosed on May 13, 2025, the flaws were already being exploited in the wild at that point, with Ivanti acknowledging that a "very limited number of customers" had been compromised prior to disclosure. Importantly, the cloud-hosted Ivanti Neurons for MDM is not affected, which limits the attack surface to on-premises EPMM deployments.
CVE-2025-4427 is an authentication bypass that lets an unauthenticated attacker reach API endpoints that should require valid credentials. On its own it is an exposure; chained with CVE-2025-4428, a remote code execution flaw in the same API, it lets the attacker send crafted requests that execute arbitrary code on the appliance. Published technical analysis shows the chain being triggered with a single HTTP GET request to the /mifs/rs/api/v2/featureusage endpoint carrying a tampered format parameter. The parameter value ends up in a hibernate-validator constraint message, and the library interpolates that message as Java Expression Language (EL), so an attacker-controlled ${...} expression is evaluated server-side. The result of the expression is reflected back in the error response, which gives the attacker both code execution and an output channel without any authentication.
The Shadowserver Foundation has been tracking internet-exposed instances, reporting a decline from 940 vulnerable systems on May 15 to 798 by May 18. The majority of exposed systems were in Germany (276) and the United States (150). Public proof-of-concept (PoC) code has since surfaced, which raises the risk of mass exploitation. The NHS England National Cyber Security Operations Centre considers further exploitation highly likely, consistent with the recent pattern in which attackers move quickly from targeted intrusions to large-scale scanning and opportunistic exploitation once a PoC is public.
Affected versions are EPMM 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0; Ivanti has issued fixes in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Organizations running vulnerable on-prem EPMM installations should apply the patches immediately, review logs for signs of exploitation, and treat any alert from monitoring tools on these hosts as a potential compromise rather than noise. This event adds to a growing list of Ivanti product vulnerabilities, following earlier zero-days in its Connect Secure (ICS) VPN, Policy Secure (IPS), and Neurons for ZTA gateways, and underscores persistent security challenges across its enterprise software line.
Impact
- Authentication Bypass
- Information Disclosure
- Code Execution
Indicators of Compromise
CVE
CVE-2025-4427
CVE-2025-4428
Affected Vendors
- Ivanti
Affected Products
- Ivanti Endpoint Manager Mobile 11.12.0.4 and earlier
- Ivanti Endpoint Manager Mobile 12.3.0.1 and earlier
- Ivanti Endpoint Manager Mobile 12.4.0.1 and earlier
- Ivanti Endpoint Manager Mobile 12.5.0.0
Remediation
- Immediately apply the official patches released by Ivanti for CVE-2025-4427 and CVE-2025-4428 (EPMM 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1, depending on the installed branch).
- Limit exposure to internal networks only.
- Use firewall rules or VPN access to block unauthorized public access.
- Review web server and application logs for requests to /mifs/rs/api/v2/featureusage, paying particular attention to any whose format query parameter contains Expression Language syntax (${...}, possibly URL-encoded) and to requests from sources that are not enrolled devices or known administrators.
- Look for unusual error responses on that endpoint and for error messages that contain command output or evaluated expression results, since the published attack path reflects the result of the injected expression back in the error response.
- Enable alerting for unexpected traffic patterns or anomalies.
- Treat the root cause as the hibernate-validator Expression Language interpolation rather than the one documented route: the published exploit uses the format parameter of the featureusage endpoint, but any request parameter that reaches the same validation code should be regarded as equally exposed until the patch is applied.
- If patching is not immediately possible, take the system offline or isolate it from the internet.
- Use threat intelligence feeds and reports from Shadowserver or CERT-EU to guide forensic investigations.
- Backup critical systems before patching and keep offline copies. Ensure recovery options are available in case of rollback or further compromise.
- Monitor Ivanti’s security advisory page, CERT-EU bulletins, and trusted security news sources for ongoing updates.
- Consider transitioning away from on-prem EPMM to reduce future exposure to similar threats.

