CISA Warns of Ivanti EPMM Unauthenticated Remote Code Execution Vulnerabilities (CVE-2025-4427 & CVE-2025-4428)
Ivanti has released security updates for two vulnerabilities in its Endpoint Manager Mobile (EPMM) product. Tracked as CVE-2025-4427 and CVE-2025-4428, the vulnerabilities are being exploited in the wild. The advisory states, “When chained together, successful exploitation could lead to unauthenticated remote code execution.”
CISA added both CVEs to its Known Exploited Vulnerabilities Catalog with a remediation due date of June 9, 2025.
Ivanti Endpoint Manager Mobile (Ivanti EPMM) is a mobile management software engine that enables IT to set policies for mobile devices, applications, and content.
CVE-2025-4427
The authentication bypass in Ivanti Endpoint Manager Mobile allows an attacker to reach protected resources without valid credentials. On its own it discloses or exposes functionality that should require a login; in the exploited chain it is what lets an unauthenticated request reach the code path affected by CVE-2025-4428.
CVE-2025-4428
The remote code execution vulnerability in Ivanti Endpoint Manager Mobile allows an attacker who can reach the affected code path to execute arbitrary code on the EPMM server. Combined with CVE-2025-4427, that attacker does not need to be authenticated.
Vulnerability Details
The flaw lies in how EPMM uses Hibernate Validator’s ConstraintValidatorContext.buildConstraintViolationWithTemplate method. The method’s argument is a message template, not literal text, and EPMM builds that template by inserting untrusted request input into the error message without sanitization. When the violation message is rendered, Hibernate Validator’s message interpolator resolves any ${...} expressions in the template through the Java Expression Language (javax.el.StandardELContext), so attacker-supplied expressions are evaluated on the server. This is Expression Language (EL) injection, a form of server-side template injection (SSTI), and it is what turns a validation error into code execution.
The Qualys Threat Research Unit confirmed the vulnerability by successfully testing the proof of concept in the lab environment.
[Image: proof-of-concept test output. Image source: Qualys Threat Research Unit]
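The following is an added example, not Ivanti’s code and not Qualys’s: a constructed custom constraint that reproduces the vulnerable pattern described above (untrusted input concatenated into the argument of buildConstraintViolationWithTemplate) beside a hardened version, so the difference between a value being evaluated and a value being echoed can be observed locally. It assumes Hibernate Validator 7.0 or later (jakarta.validation) with an EL implementation such as org.glassfish.expressly on the classpath; the names UnsafeFormat, SafeFormat, Request, ALLOWED and the "${7*7}" probe are illustrative. Since Hibernate Validator 6.2/7.0, custom violations do not evaluate EL unless enableExpressionLanguage() is called, which the unsafe validator does to reproduce the older default; upgrading EPMM remains the fix for the CVEs themselves.

```java
// Added example: vulnerable vs. hardened use of buildConstraintViolationWithTemplate.
// Not Ivanti's or Qualys's code. Assumes Hibernate Validator 7.0+ (jakarta.validation)
// and an EL implementation on the classpath; all names below are illustrative.
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;

import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.ConstraintViolation;
import jakarta.validation.Payload;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

public class TemplateInjectionDemo {

    static final Set<String> ALLOWED = Set.of("csv", "json");  // illustrative allow-list

    /* Vulnerable pattern: the request value becomes part of the message TEMPLATE.
       The interpolator resolves ${...} in the template through javax.el, so a value
       such as "${7*7}" is evaluated rather than echoed. Hibernate Validator 6.2/7.0+
       skips EL for custom violations unless enableExpressionLanguage() is called
       (older releases evaluated it unconditionally); the call below reproduces the
       old default so the behaviour is visible on a current library version. */
    public static class UnsafeFormatValidator implements ConstraintValidator<UnsafeFormat, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || ALLOWED.contains(value)) return true;
            ctx.disableDefaultConstraintViolation();
            ctx.unwrap(HibernateConstraintValidatorContext.class)
               .buildConstraintViolationWithTemplate("Unsupported format: " + value) // input in template
               .enableExpressionLanguage()
               .addConstraintViolation();
            return false;
        }
    }

    /* Hardened pattern: the template is fixed text and EL stays disabled (the 6.2+/7.0+
       default for custom violations). When the value must be echoed, escape the four
       metacharacters the Bean Validation message grammar reserves ({ } $ \) so the
       interpolator treats them as literals instead of template syntax. */
    public static class SafeFormatValidator implements ConstraintValidator<SafeFormat, String> {
        @Override
        public boolean isValid(String value, ConstraintValidatorContext ctx) {
            if (value == null || ALLOWED.contains(value)) return true;
            ctx.disableDefaultConstraintViolation();
            ctx.buildConstraintViolationWithTemplate(
                    "Unsupported format: " + escapeTemplate(value) + " (allowed: csv, json)")
               .addConstraintViolation();
            return false;
        }
    }

    /** Backslash-escape Bean Validation template metacharacters so they are taken literally. */
    static String escapeTemplate(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 8);
        for (char c : s.toCharArray()) {
            if (c == '\\' || c == '{' || c == '}' || c == '$') sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = UnsafeFormatValidator.class)
    public @interface UnsafeFormat {
        String message() default "invalid format";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    @Constraint(validatedBy = SafeFormatValidator.class)
    public @interface SafeFormat {
        String message() default "invalid format";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    /** Constructed request bean: the same untrusted value reaches both validators. */
    public static class Request {
        @UnsafeFormat public final String unsafeFormat;
        @SafeFormat   public final String safeFormat;
        Request(String v) { this.unsafeFormat = v; this.safeFormat = v; }
    }

    public static void main(String[] args) {
        Validator validator = Validation.buildDefaultValidatorFactory().getValidator();
        // Constructed probe: side-effect-free arithmetic, enough to show whether the
        // template engine evaluated the input or echoed it back literally.
        String probe = args.length > 0 ? args[0] : "${7*7}";
        for (ConstraintViolation<Request> cv : validator.validate(new Request(probe))) {
            System.out.println(cv.getPropertyPath() + ": " + cv.getMessage());
        }
    }
}
```

Run it with no arguments: the violation on unsafeFormat carries the result of evaluating the expression, while the one on safeFormat carries the probe text unchanged. The practical lesson for code review is that the argument to buildConstraintViolationWithTemplate is a template, so any request-derived string must either be kept out of it or escaped, and EL should not be enabled for custom violations unless the template is entirely under the application’s control.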
Affected Versions
- Ivanti EPMM versions 11.12.0.4 and earlier
- Ivanti EPMM versions 12.3.0.1 and earlier
- Ivanti EPMM versions 12.4.0.1 and earlier
- Ivanti EPMM versions 12.5.0.0 and earlier
Mitigation
Upgrade to the fixed release for the branch in use:
- Ivanti EPMM version 11.12.0.5
- Ivanti EPMM version 12.3.0.2
- Ivanti EPMM version 12.4.0.2
- Ivanti EPMM version 12.5.0.1
For more information, please refer to the Ivanti Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 732523 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.