Ivanti EPMM customers urgently need to patch against actively exploited zero-day vulnerabilities (CVE-2025-4427, CVE-2025-4428) that allow pre-authenticated remote code execution, warns watchTowr.
Cybersecurity researchers at watchTowr have shared details of two security vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, identified as CVE-2025-4427 and CVE-2025-4428, that can be combined to gain full control over affected systems and are actively exploited by attackers.
Ivanti EPMM is a Mobile Device Management (MDM) solution, critical for enterprise security, acting as a central point to control software deployment and enforce policies on employee devices. However, the flaws described above turn this management tool into a potential entry point for malicious actors. watchTowr's analysis, shared with Hackread.com, indicates that exploiting these vulnerabilities is surprisingly simple.
Chained Exploits Lead to Full System Compromise
The first vulnerability, CVE-2025-4427, is an authentication bypass flaw that allows attackers to access protected parts of the Ivanti EPMM system without needing valid login credentials. The second vulnerability, CVE-2025-4428, is a remote code execution (RCE) flaw which, if exploited, lets attackers run their own malicious code on the server.
Ivanti itself has acknowledged the severity when these issues are combined, stating that “successful exploitation could lead to unauthenticated remote code execution.” It has also reported awareness of a “very limited number of customers who have been exploited” since the vulnerabilities were disclosed.
This suggests that while the attacks may be targeted at present, they could become more widespread. watchTowr notes that once such targeted attacks become public, it is common for attackers to begin mass exploitation to find any remaining vulnerable systems.
Interestingly, Ivanti stated that the vulnerabilities are not in its own code but are “associated with two open-source libraries integrated into EPMM.” It emphasised that using open-source code is standard practice in the tech industry.
Technical Details and Exploitation
watchTowr found an RCE vulnerability (CVE-2025-4428) in the hibernate-validator library, allowing attackers to inject malicious code through a parameter called “format” in API requests. watchTowr successfully demonstrated this vulnerability by sending a simple web request that executed a calculation, proving code injection was possible. Moreover, they could execute system commands, such as creating a file on the server.
The authentication bypass (CVE-2025-4427) is an “order of operations” issue rather than a conventional bypass. A crafted “format” parameter in a request to the /api/v2/featureusage_history endpoint triggers the vulnerable validation process before the authentication check, allowing an unauthenticated attacker to reach the code execution vulnerability. The presence of the parameter changes the processing order, eliminating the need to log in first.
watchTowr successfully chained these two vulnerabilities in the Ivanti EPMM server by sending a crafted web request to the /rs/api/v2/featureusage endpoint with a malicious “format” parameter, allowing them to execute system commands without logging in, thus creating a pre-authenticated RCE condition.
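As an added defensive example (not code from the watchTowr write-up or from Ivanti), the following Python script scans web-server access-log lines for requests to the two endpoints named above that carry a “format” parameter with an unexpected value, which is the trigger the write-up describes. The combined log layout, the allowlist of benign “format” values and the sample log lines are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# The two EPMM endpoints named in the write-up; "format" is the trigger parameter.
WATCHED_PATHS = ("/api/v2/featureusage_history", "/rs/api/v2/featureusage")
# Assumed allowlist: a benign "format" value is a short plain token such as "json".
EXPECTED_FORMAT = re.compile(r"^[A-Za-z0-9_-]{1,16}$")

# Apache/nginx "combined" log layout (assumed); group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target: str) -> Optional[str]:
    """Return 'suspicious', 'benign', or None when the path is not watched."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") not in WATCHED_PATHS:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("format")
    if not values:
        return "benign"
    # A present "format" parameter is what alters the processing order, so any
    # value outside the allowlist on these paths deserves analyst attention.
    if all(EXPECTED_FORMAT.match(v) for v in values):
        return "benign"
    return "suspicious"


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, request target, status) for each suspicious hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify_request(m["target"]) == "suspicious":
            findings.append((m["ip"], m["ts"], m["target"], m["status"]))
    return findings


# Constructed sample lines: one benign format value, one anomalous value (decoded
# "a b(c)" fails the allowlist), one request without the parameter, one unrelated path.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2025:10:01:02 +0000] "GET /api/v2/featureusage_history?format=json HTTP/1.1" 401 0',
    '203.0.113.7 - - [15/May/2025:10:01:05 +0000] "GET /rs/api/v2/featureusage?format=a%20b%28c%29 HTTP/1.1" 200 512',
    '198.51.100.9 - - [15/May/2025:10:02:00 +0000] "GET /api/v2/featureusage_history HTTP/1.1" 401 0',
    '198.51.100.9 - - [15/May/2025:10:02:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious:", hit)
```

A 200 response on a flagged request from an address that never authenticated is the combination worth escalating first.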
These vulnerabilities pose a critical risk to organizations using affected versions. Patches are available for versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0, and organizations running older unpatched versions are advised to update immediately.