Ivanti EPMM 0-day Vulnerability Actively Exploited in the Wild

Ivanti has disclosed two zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) solution. When chained together, these vulnerabilities allow unauthenticated remote code execution.

Security researchers have confirmed active exploitation in the wild, with the Shadowserver Foundation tracking nearly 800 vulnerable instances still exposed online.

The vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, were disclosed on May 13, 2025, following reports from CERT-EU. 


Ivanti acknowledged that “a very limited number of customers” had already been compromised at the time of disclosure.

In its security advisory, Ivanti stated, “When chained together, successful exploitation could lead to unauthenticated remote code execution.”

The company emphasized that the vulnerabilities only affect on-premises EPMM installations and are not present in cloud-based solutions like Ivanti Neurons for MDM.

Vulnerability Disclosure & Exploit Mechanics

CVE-2025-4427 is an authentication bypass vulnerability with a CVSS score of 5.3 that allows attackers to access protected resources without proper credentials. 

CVE-2025-4428 is a high-severity remote code execution vulnerability with a CVSS score of 7.2 that allows authenticated attackers to execute arbitrary code via crafted API requests.

Technical analysis reveals the exploit chain works by sending a specially crafted HTTP GET request to the “/mifs/rs/api/v2/featureusage” endpoint with a malicious “format” parameter. 

The vulnerability stems from improper handling of Expression Language evaluation in the hibernate-validator library:

When exploited, the crafted request can trigger command execution on vulnerable systems, with the command output reflected in the returned error message.

The Shadowserver Foundation’s scans identified 940 vulnerable instances on May 15, decreasing to 798 by May 18. 

According to their data, the highest concentration of vulnerable systems is in Germany (276) and the United States (150).

“We are scanning for Ivanti EPMM instances likely vulnerable (unpatched) to CVE-2025-4427 which can be chained with CVE-2025-4428 for RCE,” Shadowserver tweeted on May 19.

Affected and Patched Versions

Affected versions include Ivanti EPMM 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0. Ivanti has released patched versions (11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1) to address these vulnerabilities.
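For defenders, the two actionable facts above are the request shape (a GET to the featureusage endpoint whose `format` parameter carries an EL expression) and the patched build per release branch. The following script is an added example, not code from the article or from Ivanti; it flags such requests in web-server access logs and checks a reported EPMM version against the patched builds listed above. It assumes a common-log-format line shape (the sample lines are constructed) and that `${` is the delimiter hibernate-validator interpolates.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint named in the article and the EL delimiter hibernate-validator evaluates.
TARGET_PATH = "/mifs/rs/api/v2/featureusage"
EL_MARKER = "${"

# Patched build per release branch, taken from the article's version list.
PATCHED = {"11.12": (11, 12, 0, 5), "12.3": (12, 3, 0, 2),
           "12.4": (12, 4, 0, 2), "12.5": (12, 5, 0, 1)}

# Assumed common-log-format layout; adapt the regex to your own access-log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines: one probe with an EL expression, one benign call, one unrelated.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2025:10:02:11 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7B1%2B1%7D HTTP/1.1" 500 312',
    '198.51.100.4 - - [15/May/2025:10:03:40 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 401 88',
    '192.0.2.9 - - [15/May/2025:10:05:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4410',
]

def is_suspicious(line: str) -> bool:
    """True if the line is a featureusage request whose decoded 'format' value contains '${'."""
    m = LOG_RE.match(line)
    if not m:
        return False
    parts = urlsplit(m["url"])
    if parts.path != TARGET_PATH:
        return False
    # parse_qs percent-decodes once; unquote again so double-encoded values are also caught.
    return any(EL_MARKER in unquote(v) for v in parse_qs(parts.query).get("format", []))

def scan(lines):
    """Return the log lines that match the exploitation pattern."""
    return [line for line in lines if is_suspicious(line)]

def is_patched(version: str) -> bool:
    """Compare a dotted EPMM version with the patched build for its branch."""
    fields = version.split(".")
    branch = ".".join(fields[:2])
    if branch not in PATCHED:
        return False  # unknown branch: treat as unpatched and verify manually
    return tuple(int(f) for f in fields) >= PATCHED[branch]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious:", hit)
    for v in ("11.12.0.4", "12.5.0.1"):
        print(v, "patched" if is_patched(v) else "UNPATCHED")
```

A hit on a 500 response is worth particular attention, since the article notes command output is reflected in the error message.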

The NHS England National Cyber Security Operations Centre has assessed further exploitation as “highly likely”. With public proof-of-concept code now available, security experts warn that mass exploitation attempts are imminent.

“Once ‘highly targeted’ operations get publicised, we’ve seen attackers just mass pwn everything on the Internet to obtain any remaining value,” warned watchTowr researchers.

Organizations running on-premises Ivanti EPMM installations are strongly urged to apply the security updates immediately and investigate their systems for signs of compromise. 

Those receiving alerts from monitoring services should “make sure to review for any compromise” as these vulnerabilities are exploited in the wild.

This incident marks the latest in a series of serious security flaws affecting Ivanti products in recent years, following earlier vulnerabilities in its VPN appliances, ICS, IPS, and ZTA gateways that were also exploited as zero-days.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.