EPMM: authentication bypass in Ivanti Endpoint Manager Mobile API (CVE-2025-4427) #shorts
Summary
Today we’re discussing CVE-2025-4427, one half of an unauthenticated remote code execution chain in Ivanti Endpoint Manager Mobile. Discovered by watchTowr Labs and disclosed on May 13, 2025, this flaw allows attackers to bypass authentication in the EPMM API, reach protected endpoints, and chain into full RCE. Ivanti has confirmed active exploitation, urging all customers to patch immediately.
Product details
The affected product is Ivanti Endpoint Manager Mobile (EPMM), a mobile device management platform used by enterprises to secure and manage smartphones and tablets. Versions up to and including 12.5.0.0 are vulnerable. Ivanti released a fix in version 12.5.0.1, which is marked unaffected.
Vulnerability type summary
CVE-2025-4427 is classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel. In plain terms, an attacker can reach API functions that should require valid credentials and trick the system into granting unauthorized access, forming the first step in an unauthenticated RCE chain alongside CVE-2025-4428.
Details of the vulnerability
The flaw resides in the EPMM API component, which fails to enforce proper session or token checks on certain endpoints. By crafting a specially formatted request to the API, an attacker can bypass login checks, then leverage secondary flaws (covered under CVE-2025-4428) to execute arbitrary code on the server. Ivanti confirms these vulnerabilities have been exploited in the wild, targeting corporate users who delay patching. The security advisory recommends upgrading to EPMM 12.5.0.1 or applying the provided hotfix immediately.
Conclusion
This is a critical vulnerability with real-world exploitation. If you run Ivanti EPMM 12.5.0.0 or earlier, prioritize an immediate upgrade to 12.5.0.1. Review your logs for unusual API traffic, tighten network controls around management servers, and ensure your incident response team is on alert. Staying current on vendor advisories and applying patches without delay remains your best defense.
Watch the full video on YouTube: CVE-2025-4427
Remediation and exploitation details
This chain involves the following actors:
- Unauthorized remote attacker: Exploiter
- System administrator: Defender
The following systems are involved:
- Ivanti Endpoint Manager Mobile server (Manages mobile device connectivity and security): Target of attack
- Protected device configuration data (Stores configuration and policy details for managed devices): Asset to protect
Attack entry point
- Mobile management API: HTTP interface handling authentication and device configuration requests
Remediation actions
Exploitation actions
Network service discovery
- Run a port scan against the server on TCP port 443
- Send an HTTP OPTIONS request to https://epmm.example.com/api
Request manipulation
- Remove the Authorization header from the request
- Submit an empty JSON object in place of a login payload
Protocol violation
- POST https://epmm.example.com/api/login with no username or password fields
- Alter session token parameter to an invalid value
Unauthorized API access
- GET https://epmm.example.com/api/devices to list all managed devices
- GET https://epmm.example.com/api/configuration to read device policies
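As an added, defender-side example (not code from the page, the video or Ivanti): a small triage script that checks whether an EPMM version falls in the affected range stated above and scans access-log records for the footprint an authentication bypass leaves, namely successful responses to protected /api/ paths with no authentication. The JSON log format, its field names and the sample records are constructed assumptions; real EPMM logs differ.

```python
"""Defender-side triage helpers (added example; not Ivanti's code or tooling).

Assumptions (labelled, not from the page):
- Access logs are available as JSON lines with the fields used below; real
  EPMM log formats differ, so adapt the field names.
- Whether a request carried valid credentials is recorded in the
  `authenticated` field (e.g. derived from the Authorization header check).
"""
import json

# Vendor-stated boundary: 12.5.0.0 and earlier vulnerable, 12.5.0.1 fixed.
FIXED_VERSION = (12, 5, 0, 1)


def parse_version(v: str) -> tuple:
    """Turn '12.5.0.0' into (12, 5, 0, 0) for tuple comparison."""
    return tuple(int(p) for p in v.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True when the EPMM version is below the first fixed release."""
    return parse_version(version) < FIXED_VERSION


def suspicious_api_hits(log_lines: list) -> list:
    """Return requests that reached a protected /api/ path with a 2xx status
    but no authentication, which is the pattern an auth bypass leaves behind."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        path = rec.get("path", "")
        if not path.startswith("/api/") or path == "/api/login":
            continue  # the login endpoint is expected to be unauthenticated
        if 200 <= rec.get("status", 0) < 300 and not rec.get("authenticated"):
            hits.append(rec)
    return hits


# Constructed sample log lines (not real EPMM output).
SAMPLE_LOG = [
    '{"src":"198.51.100.7","method":"GET","path":"/api/devices","status":200,"authenticated":false}',
    '{"src":"10.0.0.5","method":"GET","path":"/api/devices","status":200,"authenticated":true}',
    '{"src":"198.51.100.7","method":"GET","path":"/api/configuration","status":401,"authenticated":false}',
    '{"src":"198.51.100.7","method":"POST","path":"/api/login","status":200,"authenticated":false}',
]

if __name__ == "__main__":
    print("12.5.0.0 vulnerable:", is_vulnerable("12.5.0.0"))
    for hit in suspicious_api_hits(SAMPLE_LOG):
        print("review:", hit["src"], hit["method"], hit["path"])
```

Only the first sample record is flagged: the authenticated request and the rejected (401) request are normal, and the login endpoint is skipped by design.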
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM
- [2025-05-14] Ivanti released a security advisory for two vulnerabilities in its Endpoint Manager Mobile (EPMM) product.
- [2025-05-13] Ivanti confirms exploitation of vulnerabilities in EPMM, urges customers to patch.
- [2025-05-15] Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428) vulnerability discovered by watchTowr Labs.