CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution

Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks

Background

On May 13, Ivanti released a security advisory to address a high-severity remote code execution (RCE) vulnerability and a medium-severity authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM) product, mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).

| CVE | Description | CVSSv3 |
| --- | --- | --- |
| CVE-2025-4427 | Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability | 5.3 |
| CVE-2025-4428 | Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability | 7.2 |

Analysis

CVE-2025-4427 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API) that is normally only accessible to authenticated users.

CVE-2025-4428 is an RCE vulnerability in Ivanti’s EPMM. An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device.

An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication. Both vulnerabilities are associated with open source libraries used by the EPMM software. Ivanti has indicated that these vulnerabilities have been exploited in the wild in a limited number of cases.

Customers that restrict API access via the Portal ACLs functionality or an external WAF have reduced exposure to these vulnerabilities.

Ivanti has credited CERT-EU with reporting these vulnerabilities.

Proof of concept

At the time this blog post was published, there was no public proof-of-concept available for CVE-2025-4427 or CVE-2025-4428.

Solution

The following table details the affected and fixed versions of Ivanti EPMM f

[…]

This article has been indexed from Security Boulevard
