CISA Adds Ivanti EPMM Zero-Day Vulnerabilities to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently incorporated two critical zero-day vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) into its Known Exploited Vulnerabilities (KEV) catalog. These vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, are actively being exploited in the wild, posing significant risks to organizations utilizing Ivanti’s EPMM platform.

Details of the Vulnerabilities

The vulnerabilities were initially reported to Ivanti by CERT-EU, the European Union’s Cybersecurity Service. The exploit chain leverages a fundamental flaw in the execution sequence of Spring MVC’s argument resolution.

– CVE-2025-4427: This vulnerability resides in the API component of Ivanti EPMM and allows attackers to bypass authentication controls by sending specially crafted API requests. The root cause is an insecure implementation of the Spring Framework open-source library, leading to unauthorized access to protected resources. This vulnerability is associated with CWE-288 (Authentication Bypass).

– CVE-2025-4428: This flaw enables an authenticated attacker to execute arbitrary code remotely through crafted API requests. It arises from an insecure use of the Hibernate Validator open-source library. This vulnerability corresponds to CWE-94 (Code Injection).

When exploited together, these vulnerabilities can allow unauthenticated remote code execution on affected systems, significantly escalating the threat level.

Technical Analysis

Security researchers from ProjectDiscovery have provided insights into the technical details of these vulnerabilities. They explained that Spring MVC binds query parameters to `DeviceFeatureUsageReportQueryRequest`, and the `@Valid` annotation triggers `DeviceFeatureUsageReportQueryRequestValidator.isValid()`. The validator calls `localizedMessageBuilder`, inserting untrusted format values into a message template. The template is parsed by the Expression Language (EL) engine, where any `${…}` expression is evaluated immediately. Only after validation finishes does `MethodSecurityInterceptor` execute the `@PreAuthorize` check, which is too late to prevent exploitation.

The vulnerabilities affect the `/api/v2/featureusage` and `/api/v2/featureusage_history` endpoints and stem from insecure implementations of two open-source libraries: Spring Framework and Hibernate Validator.
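As an added example (not code from ProjectDiscovery, Ivanti or CISA), the following Python scanner reads web access-log lines and flags requests to the two endpoints above whose query parameters contain an EL interpolation marker (`${` or `#{`) after repeated percent-decoding, which catches the double-encoded variant as well. The log format, the sample lines and the `expr` placeholder are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints named in the advisory (assumption: they appear verbatim in the log).
WATCHED_PATHS = {"/api/v2/featureusage", "/api/v2/featureusage_history"}

# Hibernate Validator message interpolation syntax: ${...} is evaluated by the
# EL engine, #{...} is the bean-validation placeholder form.
EL_MARKER = re.compile(r"\$\{|#\{")

# Combined-log-style line: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2524%257B (double-encoded ${) is still seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str):
    """Return the names of query parameters carrying an EL marker, or None."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return None
    hits = [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if EL_MARKER.search(decode_fully(v))]
    return hits or None


def scan_log(lines):
    """Yield one finding dict per suspicious request in the given log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line, skip rather than crash
        hits = inspect_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "path": urlsplit(m["target"]).path, "params": hits})
    return findings


# Constructed sample log: one benign call, one single-encoded and one
# double-encoded marker on the watched endpoints, one marker elsewhere.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2025:10:01:02 +0000] "GET /api/v2/featureusage?format=json HTTP/1.1" 401 0',
    '203.0.113.7 - - [16/May/2025:10:01:09 +0000] "GET /api/v2/featureusage?format=%24%7Bexpr%7D HTTP/1.1" 500 1289',
    '198.51.100.5 - - [16/May/2025:10:02:30 +0000] "GET /api/v2/featureusage_history?format=%2524%257Bexpr%257D HTTP/1.1" 200 512',
    '198.51.100.5 - - [16/May/2025:10:03:00 +0000] "GET /status?q=%24%7Bx%7D HTTP/1.1" 200 2048',
]
```

Feeding `SAMPLE_LOG` to `scan_log` reports the second and third lines; a 200 or 500 on these paths from an unauthenticated source is the combination worth triaging first.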

Proof-of-Concept and Exploitation

On May 15, watchTowr Labs published a proof-of-concept exploit on GitHub, significantly increasing the risk of widespread attacks. The Shadowserver Foundation reported that 798 instances remained vulnerable as of May 19, down from 940 on May 16.

This marks another security incident for Ivanti, following multiple vulnerabilities in their products earlier this year. In January, threat actors exploited zero-day flaws in Ivanti Connect Secure VPN devices, while in March, CISA added three critical Ivanti Endpoint Management vulnerabilities to the KEV catalog. A separate critical vulnerability (CVE-2025-22457) affecting Ivanti Connect Secure was added to the KEV catalog in April after Chinese state-sponsored actors exploited it in cyber espionage campaigns.

Affected Products and Impact

The vulnerabilities affect Ivanti EPMM versions up to and including 12.5.0.0 (on-premises deployments).

– CVE-2025-4427: Allows authentication bypass via API, enabling access to protected resources.
  – Exploit Prerequisites: Network access to EPMM API endpoints.
  – CVSS 3.1 Score: 5.3 (Medium).

– CVE-2025-4428: Enables authenticated remote code execution via code injection in API requests.
  – Exploit Prerequisites: Network access to EPMM API endpoints; authentication (which can be bypassed via CVE-2025-4427).
  – CVSS 3.1 Score: 7.2 (High).

Recommended Actions

Organizations using Ivanti EPMM should immediately upgrade to patched versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1. Alternatively, Ivanti recommends implementing API filtering rules to mitigate the vulnerabilities.

Conclusion

The inclusion of these vulnerabilities in CISA’s KEV catalog underscores the critical nature of the threats posed by CVE-2025-4427 and CVE-2025-4428. Organizations must act swiftly to apply the necessary patches or mitigations to protect their systems from potential exploitation.