Cyber Web Spider Blog – News


Multiple Ivanti Endpoint Manager Vulnerabilities Allow Remote Code Execution

Posted on May 16, 2025 / May 17, 2025 By CWS

Critical security flaws have been uncovered in Ivanti Endpoint Manager Mobile (EPMM), a widely used mobile device management (MDM) solution, exposing organizations to the risk of unauthenticated remote code execution (RCE).

The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, have been actively exploited in the wild, prompting urgent calls for patching from security agencies and Ivanti itself.

Ivanti Endpoint Manager Vulnerabilities

According to the WatchTowr report, the two vulnerabilities, when chained, allow attackers to bypass authentication and execute arbitrary code on affected systems:

CVE-2025-4427 (CVSS 5.3): An authentication bypass flaw that allows unauthenticated attackers to access protected API endpoints without valid credentials.

CVE-2025-4428 (CVSS 7.2): A remote code execution vulnerability that lets attackers run arbitrary code on the target system, leveraging user-controlled input in API requests to inject and execute Java Expression Language (EL) payloads.

These vulnerabilities are present in all on-premises versions of Ivanti EPMM prior to and including 12.5.0.0, with patches available in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1.
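The fixed releases sit on four separate release lines, so a plain "is it at most 12.5.0.0?" comparison misclassifies a patched 11.12.0.5 host as vulnerable. The following is an added example, not code from Ivanti or the report: it triages an inventory per release line, assuming versions are reported as dotted numbers and that releases newer than the latest listed fix also contain it; the host names and inventory are constructed.

```python
# Fixed releases listed in the article, keyed by release line (major, minor).
FIXED = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(text):
    """Turn '12.4.0.1' into (12, 4, 0, 1); shorter versions are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def triage(text):
    """Return (status, upgrade_target) for one reported EPMM version."""
    version = parse_version(text)
    fix = FIXED.get(version[:2])
    if fix is not None:
        # Same release line as a listed fix: compare within that line only.
        return ("patched", None) if version >= fix else ("vulnerable", fix)
    if version > max(FIXED.values()):
        # Assumption: releases after the newest listed fix carry it too.
        return ("patched", None)
    # Release line with no fix listed in the article: the nearest listed
    # fixed release above it is the earliest possible upgrade target.
    return ("vulnerable", min(f for f in FIXED.values() if f > version))


def report(inventory):
    """Map each host to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed inventory for illustration (hypothetical host names).
INVENTORY = {
    "mdm-a": "11.12.0.5",  # patched, although numerically below 12.5.0.0
    "mdm-b": "12.4.0.1",
    "mdm-c": "12.5.0.0",
    "mdm-d": "12.2.1.0",   # release line without a listed fix
}

if __name__ == "__main__":
    for host, (status, target) in report(INVENTORY).items():
        print(host, status, ".".join(map(str, target)) if target else "-")
```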

The attack chain exploits a flaw in the /api/v2/featureusage endpoint. Here, improper validation of the format parameter allows an attacker to inject malicious Java EL expressions.

In vulnerable versions, this input is passed directly into error messages, which are processed by the Spring Framework’s message source, resulting in code execution on the server.

The authentication bypass (CVE-2025-4427) arises from a misconfiguration in the application’s security routing, allowing attackers to reach the vulnerable endpoint without prior authentication.

The report states that this “order of operations” issue lets malicious requests trigger the RCE vulnerability (CVE-2025-4428) even when unauthenticated.
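For monitoring, the chain described above leaves a recognizable trace: a request to the featureusage endpoint whose format parameter carries an EL opening delimiter. The following is an added detection sketch, not code from the report or from Ivanti; it assumes combined-format web access logs, tolerates any path prefix in front of the endpoint, and runs over constructed sample lines that use a placeholder instead of a real expression.

```python
import re
from urllib.parse import parse_qsl, unquote

ENDPOINT = "/api/v2/featureusage"   # endpoint named in the article
EL_MARKER = re.compile(r"[$#]\{")   # "${" or "#{" opens a Java EL expression
# Assumed log layout: ... "METHOD URI HTTP/x.y" STATUS ...
REQUEST = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" \d{3}')


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markers are still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious(line):
    """True if the line is a featureusage request with EL syntax in 'format'."""
    match = REQUEST.search(line)
    if not match:
        return False
    path, _, query = match.group("uri").partition("?")
    if not fully_decode(path).rstrip("/").lower().endswith(ENDPOINT):
        return False
    return any(
        name.lower() == "format" and EL_MARKER.search(fully_decode(value))
        for name, value in parse_qsl(query, keep_blank_values=True)
    )


def scan(lines):
    """Return the 1-based numbers of the lines that need review."""
    return [n for n, line in enumerate(lines, 1) if is_suspicious(line)]


# Constructed sample log; EXPR is a placeholder, not a working expression.
SAMPLE_LOG = [
    '198.51.100.10 - - [15/May/2025:09:14:02 +0000] "GET /api/v2/featureusage?format=json HTTP/1.1" 200 812',
    '203.0.113.7 - - [15/May/2025:09:15:40 +0000] "GET /api/v2/featureusage?format=%24%7BEXPR%7D HTTP/1.1" 400 233',
    '203.0.113.7 - - [15/May/2025:09:15:41 +0000] "GET /api/v2/featureusage?format=%2524%257BEXPR%257D HTTP/1.1" 400 233',
    '198.51.100.10 - - [15/May/2025:09:16:05 +0000] "GET /api/v2/ping?format=%24%7BEXPR%7D HTTP/1.1" 404 0',
    '203.0.113.9 - - [15/May/2025:09:17:12 +0000] "GET /prefix/api/v2/featureusage/?Format=%23%7BEXPR%7D HTTP/1.1" 400 233',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A hit shows that a request with EL syntax reached the endpoint, not that code ran; hits should be correlated with the appliance's patch level and with other indicators of compromise.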

Exploitation in the Wild

Ivanti and multiple cybersecurity agencies have confirmed limited, targeted exploitation of these vulnerabilities, with a strong likelihood of broader attacks as proof-of-concept code circulates publicly.

The flaws are particularly dangerous because MDM solutions like EPMM have broad access to managed devices, making mass deployment of malware or ransomware a real possibility if compromised.

The vulnerabilities stem from the integration of two open-source libraries within EPMM, not Ivanti’s proprietary code. This highlights the risks associated with third-party dependencies in enterprise software.

Successful exploitation can allow attackers to install programs, access sensitive data, or disrupt device management across entire organizations.

Ivanti has released patches and strongly urges all customers to update to the latest fixed versions immediately. Organizations unable to upgrade should consult Ivanti’s advisory for temporary mitigations and closely monitor for indicators of compromise.

Security experts warn that, given the critical nature and public availability of exploit code, unpatched systems are at imminent risk.

Agencies, including the NHS, ASD, and CERT-EU, have echoed the urgency, advising prompt action to prevent widespread exploitation.

The discovery and ongoing exploitation of these Ivanti EPMM vulnerabilities underscore the persistent risks posed by both open-source dependencies and misconfigured security controls in enterprise environments.

Organizations using Ivanti EPMM should prioritize patching and review their exposure to minimize the risk of compromise.
