Ivanti EPMM Hit by Two Actively Exploited 0day Vulnerabilities

Ivanti EPMM users urgently need to patch against actively exploited 0day vulnerabilities (CVE-2025-4427, CVE-2025-4428) that enable pre-authenticated remote code execution, warns watchTowr.

Cybersecurity researchers at watchTowr have shared details of two security vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, identified as CVE-2025-4427 and CVE-2025-4428 that can be combined to gain complete control over affected systems and are actively exploited by attackers.

Ivanti EPMM is a Mobile Device Management (MDM) solution system, crucial for enterprise security, acting as a central point to control software deployment and enforce policies on employee devices. However, the abovementioned flaws are turning this management tool into a potential entry point for malicious actors. watchTowr’s analysis, shared with Hackread.com, indicates that exploiting these vulnerabilities is surprisingly straightforward.

The first vulnerability, CVE-2025-4427, is an authentication bypass flaw, which allows attackers to access protected parts of the Ivanti EPMM system without needing proper login credentials. The second vulnerability, CVE-2025-4428, is a remote code execution (RCE) flaw, which, if exploited, can let attackers run their own malicious code on the server.

Ivanti itself has acknowledged the severity when these issues are combined, stating that “successful exploitation could lead to unauthenticated remote code execution.” They have also reported awareness of a “very limited number of customers who have been exploited” since the vulnerabilities were disclosed.

This suggests that while the attacks might be targeted currently, they could become more widespread. watchTowr notes that once such targeted attacks become public, it’s common for attackers to start mass exploitation to find any remaining vulnerable systems.

Interestingly, Ivanti stated that the vulnerabilities are not in their own code but are “associated with two open-source libraries integrated into EPMM.” They emphasized that using open-source code is a standard practice in the tech industry.

watchTowr discovered an RCE vulnerability (CVE-2025-4428) in the hibernate-validator library, allowing attackers to inject malicious code through a parameter called “format” in API requests. watchtower successfully demonstrated this vulnerability by sending a simple web request that executed a calculation, proving code injection was possible. Moreover, they could execute system commands, like creating a file on the server.

The authentication bypass (CVE-2025-4427) is an “order of operations” issue rather than a traditional bypass. A crafted “format” parameter in a request to the /api/v2/featureusage_history endpoint triggers the vulnerable validation process before the authentication check, allowing an unauthenticated attacker to trigger the code execution vulnerability. The presence of the parameter changes the processing order, eliminating the need to log in first.

watchTowr successfully chained these two vulnerabilities in the Ivanti EPMM server by sending a crafted web request to the /rs/api/v2/featureusage endpoint with a malicious “format” parameter, allowing them to execute system commands without logging in, thus, creating a pre-authenticated RCE scenario.

These vulnerabilities pose a critical risk to organizations using affected versions. Patches are available for versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0 and organizations using older unpatched versions are advised to update immediately