Last updated at Fri, 16 May 2025 20:08:53 GMT
On May 13, 2025, Ivanti disclosed an exploit chain, already exploited in the wild, comprising two new vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM): CVE-2025-4427 and CVE-2025-4428. Ivanti EPMM is an enterprise-focused software suite that IT teams use to manage mobile devices, applications, and content.
CVE-2025-4427 is an authentication bypass vulnerability with a CVSS rating of 5.3 (Medium). CVE-2025-4428 is an authenticated remote code execution (RCE) vulnerability with a CVSS rating of 7.2 (High). By chaining the medium-severity authentication bypass (CVE-2025-4427), an unauthenticated attacker can reach a web API endpoint, inject server-side template patterns, and exploit the high-severity vulnerability (CVE-2025-4428), thus achieving unauthenticated remote code execution. Therefore, while neither vulnerability has been rated as critical on its own, the impact of the combined exploit chain is critical, i.e. unauthenticated RCE.
The vulnerabilities were reported to the vendor by CERT-EU, the European Union’s Cybersecurity Service for the Union institutions, bodies, offices and agencies. The vendor has disclosed that this exploit chain has been exploited in the wild to a limited degree. Notably, this product was previously targeted by an unknown threat actor against the Norwegian Security and Service Organization (DSS) in 2023.
On May 15, 2025, a technical analysis and an accompanying proof-of-concept exploit were published publicly. With public exploit code now available, the risk of broad exploitation in the wild has greatly increased.
Mitigation guidance
The vendor has provided patches for affected versions of EPMM. Customers are advised to follow the vendor guidance and remediate these vulnerabilities by upgrading to a fixed version on an emergency basis, without waiting for a regular patch cycle.
The following list outlines the affected supported EPMM versions and their respective fixes:
- Version 11.12.0.4 and prior is fixed in version 11.12.0.5
- Version 12.3.0.1 and prior is fixed in version 12.3.0.2
- Version 12.4.0.1 and prior is fixed in version 12.4.0.2
- Version 12.5.0.0 and prior is fixed in version 12.5.0.1
For the latest mitigation guidance, please refer to the vendor advisory.
Rapid7 customers
InsightVM and Nexpose customers can assess exposure to CVE-2025-4427 and CVE-2025-4428 with authenticated checks expected to be available in today's (May 16) content release.
Updates
May 16, 2025: Updated description of checks to clarify they will be authenticated.