Multiple Ivanti Endpoint Manager Mobile Vulnerabilities Allow Remote Code Execution

Critical security flaws have been uncovered in Ivanti Endpoint Manager Mobile (EPMM), a widely used mobile device management (MDM) solution, exposing organizations to the risk of unauthenticated remote code execution (RCE).

The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, have been actively exploited in the wild, prompting urgent calls for patching from security agencies and Ivanti itself.

Ivanti Endpoint Manager Vulnerabilities

According to the watchTowr report, the two vulnerabilities, when chained, allow attackers to bypass authentication and execute arbitrary code on affected systems:

  • CVE-2025-4427 (CVSS 5.3): An authentication bypass flaw that allows unauthenticated attackers to access protected API endpoints without valid credentials.
  • CVE-2025-4428 (CVSS 7.2): A remote code execution vulnerability that lets attackers run arbitrary code on the target system, leveraging user-controlled input in API requests to inject and execute Java Expression Language (EL) payloads.

These vulnerabilities are present in all on-premises versions of Ivanti EPMM prior to and including 12.5.0.0, with patches available in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1.

The attack chain exploits a flaw in the /api/v2/featureusage endpoint. Here, improper validation of the format parameter allows an attacker to inject malicious Java EL expressions.

In vulnerable versions, this input is passed directly into error messages, which are processed by the Spring Framework’s message source, resulting in code execution on the server.

The authentication bypass (CVE-2025-4427) arises due to a misconfiguration in the application’s security routing, allowing attackers to reach the vulnerable endpoint without prior authentication.

The report notes that this “order of operations” issue lets malicious requests trigger the RCE vulnerability (CVE-2025-4428) even when unauthenticated.
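
For defenders reviewing web logs for the request pattern described above, the following is an added example, not code from Ivanti, watchTowr or the original article: it flags requests to the endpoint whose format parameter contains an EL expression delimiter, including percent-encoded and double-encoded forms. The combined access-log layout, the function names and the sample lines (which use the inert placeholder EXPR) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: combined-format access log; remote user "-" means no authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/api/v2/featureusage"  # endpoint named in the article
EL_MARKERS = ("${", "#{")          # delimiters that open an EL expression

# Constructed sample lines; EXPR is an inert placeholder, not a payload.
SAMPLE = [
    '198.51.100.7 - - [15/May/2025:10:02:11 +0000] "GET /api/v2/featureusage?format=%24%7BEXPR%7D HTTP/1.1" 400 512',
    '198.51.100.7 - - [15/May/2025:10:02:13 +0000] "GET /api/v2/featureusage?format=%2524%257BEXPR%257D HTTP/1.1" 400 512',
    '192.0.2.10 - admin [15/May/2025:10:05:40 +0000] "GET /api/v2/featureusage?format=json HTTP/1.1" 200 2048',
    '192.0.2.44 - - [15/May/2025:10:06:02 +0000] "GET /api/v2/ping?format=%24%7BEXPR%7D HTTP/1.1" 404 128',
]

def format_values(target):
    """Return fully decoded `format` values if the request hits the endpoint."""
    parts = urlsplit(target)
    if ENDPOINT not in unquote(parts.path).lower():
        return []
    values = []
    for key, val in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() != "format":
            continue
        for _ in range(3):  # peel nested percent-encoding; stable once decoded
            val = unquote(val)
        values.append(val)
    return values

def triage(lines):
    """Flag requests whose `format` parameter carries an EL expression delimiter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed layout
        for val in format_values(m["target"]):
            if any(mark in val for mark in EL_MARKERS):
                findings.append({"ip": m["ip"], "time": m["ts"], "format": val,
                                 "status": int(m["status"]),
                                 "unauthenticated": m["user"] == "-"})
    return findings

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit)
```

A hit with "unauthenticated" set is the combination the article describes: the endpoint reached without credentials and an expression delimiter in the format parameter.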

Exploitation in the Wild

Ivanti and multiple cybersecurity agencies have confirmed limited, targeted exploitation of these vulnerabilities, with a strong likelihood of broader attacks as proof-of-concept code circulates publicly.

The flaws are particularly dangerous because MDM solutions like EPMM have broad access to managed devices, making mass deployment of malware or ransomware a real threat if compromised.

The vulnerabilities stem from the integration of two open-source libraries within EPMM, not Ivanti’s proprietary code. This highlights the risks associated with third-party dependencies in enterprise software.

Successful exploitation can allow attackers to install programs, access sensitive data, or disrupt device management across entire organizations.

Ivanti has released patches and strongly urges all customers to update to the latest fixed versions immediately. Organizations unable to upgrade should consult Ivanti’s advisory for temporary mitigations and closely monitor for signs of compromise.

Security experts warn that, given the critical nature and public availability of exploit code, unpatched systems are at imminent risk.

Agencies, including the NHS, ASD, and CERT-EU, have echoed the urgency, advising prompt action to prevent widespread exploitation.

The discovery and ongoing exploitation of these Ivanti EPMM vulnerabilities underscore the persistent risks posed by both open-source dependencies and misconfigured security controls in enterprise environments.

Organizations using Ivanti EPMM should prioritize patching and review their exposure to minimize the risk of compromise.

The post Multiple Ivanti Endpoint Manager Mobile Vulnerabilities Allow Remote Code Execution appeared first on Cyber Security News.
