Full Report
Wiz Research has observed exploitation in-the-wild of CVE-2025-4427 and CVE-2025-4428, the latest vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).
Analysis Summary
# Vulnerability: Chained RCE in Ivanti EPMM via EL Injection (CVE-2025-4427 & CVE-2025-4428)
## CVE Details
- **CVE ID:** CVE-2025-4427 (Authentication Bypass) and CVE-2025-4428 (Post-Auth RCE)
- **CVSS Score:** 5.3 (CVE-2025-4427) and 7.2 (CVE-2025-4428); neither is rated Critical in isolation, but the combined impact of the chain should be treated as **Critical**.
- **CWE:** Related to CWE-94 (Improper Control of Generation of Code ('Code Injection')) for the RCE component.
## Affected Systems
- **Products:** Ivanti Endpoint Manager Mobile (EPMM)
- **Versions:**
  * 11.12.0.4 and prior
  * 12.3.0.1 and prior
  * 12.4.0.1 and prior
  * 12.5.0.0 and prior
- **Configurations:** The attack relies on unauthenticated access to specific API endpoints (CVE-2025-4427), which lets an attacker reach the Expression Language (EL) injection sink and trigger RCE (CVE-2025-4428) without credentials.
## Vulnerability Description
This vulnerability is a chain attack:
1. **CVE-2025-4427 (Authentication Bypass):** Improper request handling/routing configuration in EPMM unintentionally exposes critical API endpoints (like `/rs/api/v2/featureusage`) without proper authentication checks, partly because validator logic executes before authentication checks.
2. **CVE-2025-4428 (RCE):** This is a post-authentication RCE vulnerability stemming from unsafe handling of user-supplied input within error messages processed by Spring's `AbstractMessageSource` in the `DeviceFeatureUsageReportQueryRequestValidator`. Because the user-controlled value becomes part of the message template rather than a message argument, it allows **Expression Language (EL) Injection** via a crafted `format` parameter, leading to arbitrary Java code execution (`Runtime.exec()`).
When chained, CVE-2025-4427 provides the necessary unauthenticated access to trigger CVE-2025-4428, resulting in **Unauthenticated Remote Code Execution (RCE)**.
## Exploitation
- **Status:** **Exploited in the wild** (Observed since May 16th, 2025, targeting cloud environments).
- **Complexity:** Low (Due to the ability to chain an authentication bypass with an RCE sink).
- **Attack Vector:** Network (External access to public-facing appliances).
## Impact
- **Confidentiality:** High (Full system compromise likely).
- **Integrity:** High (Full system compromise likely).
- **Availability:** High (Full system compromise likely).
## Remediation
### Patches
Ivanti recommends patching EPMM to the following versions:
- 11.12.0.5
- 12.3.0.2
- 12.4.0.2
- 12.5.0.1
### Workarounds
1. Implement **network-level restrictions** to block access to the following endpoints until patches can be applied:
   * `/rs/api/v2/*`
   * `/mifs/rs/api/v2/*`
2. Prioritize patching internet-facing appliances immediately.
## Detection
- **Indicators of Compromise (IOCs):**
  * **File Hashes (SHA1):**
    * `1b1dda5e8e26da568559e0577769697c624df30e` (Sliver Beacon)
    * `ac389c8b7f3d2fcf4fd73891f881b12b8343665b` (Sliver Beacon)
  * **Network IOCs (Observed C2 IP Addresses):**
    * `77.221.157[.]154`
    * `79.96.45[.]181`
  * **Associated Domains/C2 Infrastructure (Possibly linked to the same threat actor):**
    * `elektrohater[.]pl`
    * `wagodirect[.]pl`
    * `e-wago[.]pl`
- **Detection Methods and Tools:** Use security scanning tools (e.g., Wiz) that support agentless scanning, exploitability validation, and analysis of disk and runtime logs on cloud virtual appliances to identify vulnerable EPMM versions and deployed malware artifacts such as the Sliver beacons listed above.
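As an added example (not part of the Wiz report or Ivanti's own tooling), the following Python scanner reviews appliance access logs for requests to the unauthenticated `/rs/api/v2/` and `/mifs/rs/api/v2/` endpoint prefixes whose query parameters carry Expression Language markers (`${` or `#{`), the shape of a CVE-2025-4428 injection attempt. It assumes an Apache/nginx "combined" log format; the log lines are constructed for illustration and the EL body is a placeholder, not a payload.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoint prefixes exposed without authentication (CVE-2025-4427, per the advisory)
# and the two tokens that open an Expression Language expression.
WATCHED_PREFIXES = ("/rs/api/v2/", "/mifs/rs/api/v2/")
EL_MARKERS = ("${", "#{")

# Apache/nginx "combined" access-log layout (assumption: adjust for your appliance's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines: one benign report request, one EL-looking `format`
# parameter (placeholder body), one unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [16/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/featureusage?format=csv HTTP/1.1" 200 512',
    '203.0.113.77 - - [16/May/2025:10:01:09 +0000] "GET /rs/api/v2/featureusage?format=%24%7BREDACTED%7D HTTP/1.1" 500 231',
    '198.51.100.5 - - [16/May/2025:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024',
]


def inspect_request(target: str) -> Optional[dict]:
    """Return path and offending parameters if the request hits a watched endpoint
    with an EL-looking parameter value; otherwise None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if not path.startswith(WATCHED_PREFIXES):
        return None
    # parse_qsl percent-decodes values, so %24%7B shows up as "${".
    suspicious = {name: value for name, value in parse_qsl(parts.query, keep_blank_values=True)
                  if any(marker in value for marker in EL_MARKERS)}
    if not suspicious:
        return None
    return {"path": path, "params": suspicious}


def scan_access_log(lines) -> list:
    """Parse each log line and collect findings with source IP, timestamp and HTTP status."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparsable line: skip rather than crash a long scan
        finding = inspect_request(match.group("target"))
        if finding:
            hits.append({"src": match.group("ip"), "ts": match.group("ts"),
                         "status": match.group("status"), **finding})
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit with a 5xx status is worth correlating with the file-hash and C2 indicators above, since a failed or successful injection attempt often precedes beacon deployment.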
## References
- Ivanti advisory: `forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US&ref=labs.watchtowr.com`
- WatchTowr blogpost: `labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/`
- ProjectDiscovery blogpost: `projectdiscovery.io/blog/ivanti-remote-code-execution`