CVE-2025-4427

MEDIUM KEV NUCLEI

Ivanti Endpoint Manager Mobile <= 12.5.0.0 - Unauthenticated Authentication Bypass via API

Title source: llm

Exploitation Summary

CVE-2025-4427 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added May 19, 2025. EIP tracks 5 public exploits, from researchers including İbrahimsql, iSee857 and watchtowrlabs, among them a Metasploit module, exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Python script exploits CVE-2025-4427 (Expression Language Injection) and CVE-2025-4428 (Authentication Bypass) in Ivanti Endpoint Manager Mobile. It includes detection and exploitation capabilities for unauthenticated RCE via crafted requests to the featureusage API endpoint.

Description

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

Exploits (5)

exploitdb WORKING POC
by İbrahimsql · python · remote · multiple
https://www.exploit-db.com/exploits/52421

This Python script exploits CVE-2025-4427 (Expression Language Injection) and CVE-2025-4428 (Authentication Bypass) in Ivanti Endpoint Manager Mobile. It includes detection and exploitation capabilities for unauthenticated RCE via crafted requests to the featureusage API endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Endpoint Manager Mobile < 2025.1
No auth needed
Prerequisites: Network access to the target Ivanti EPM instance · Python 3.x with requests library
devstral-2 · analyzed Feb 18, 2026
github WORKING POC 40 stars
by iSee857 · python · poc
https://github.com/iSee857/CVE-PoC/tree/main/IvantiEndpointManagerMobile-CVE-2025-4427-RCE.py

The repository contains a functional exploit PoC for CVE-2026-22812, demonstrating remote command execution (RCE) in OpenCode. The script sends a crafted JSON payload to the target's session endpoint, then executes the 'id' command via the shell endpoint, verifying RCE by checking for 'uid=' and 'gid=' in the response.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenCode (version not specified)
No auth needed
Prerequisites: Network access to the target · Target must be running a vulnerable version of OpenCode
devstral-2 · analyzed Feb 27, 2026
nomisec SCANNER 11 stars
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-EPMM-CVE-2025-4427-CVE-2025-4428

This script detects vulnerability to CVE-2025-4427 and CVE-2025-4428 in Ivanti EPMM by executing an `id` command via a crafted URL. It checks for a specific response pattern to determine vulnerability.

Classification: Scanner 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ivanti EPMM versions 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, 12.5.0.0 and prior
No auth needed
Prerequisites: Network access to the target Ivanti EPMM instance
devstral-2 · analyzed Feb 16, 2026
nomisec WRITEUP
by rxerium · poc
https://github.com/rxerium/CVE-2025-4427-CVE-2025-4428

This repository provides a detailed writeup and Nuclei template for detecting CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (post-auth RCE via EL injection in Ivanti EPMM). The chained vulnerabilities allow unauthenticated remote code execution.

Classification: Writeup 90%
Attack Type: RCE | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Ivanti EPMM (versions 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, 12.5.0.0 and prior)
No auth needed
Prerequisites: Access to the target Ivanti EPMM instance · Nuclei installed to run the detection template
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by CERT-EU, Sonny Macdonald, Piotr Bazydlo, remmons-r7 · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.rb

This Metasploit module exploits an unauthenticated RCE chain in Ivanti EPMM (CVE-2025-4427 and CVE-2025-4428) by bypassing authentication and injecting an expression language payload via a vulnerable API endpoint. It executes commands in the context of the 'tomcat' user.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti EPMM (formerly MobileIron Core)
No auth needed
Prerequisites: Network access to the target · Vulnerable Ivanti EPMM instance
devstral-2 · analyzed Jun 05, 2026

Nuclei Templates (1)

Ivanti Endpoint Manager Mobile - Unauthenticated Remote Code Execution
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, parthmalhotra, pdresearch
Shodan: http.favicon.hash:"362091310"
FOFA: icon_hash="362091310"

Scores

CVSS v3 5.3
EPSS 0.9957
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-05-19
VulnCheck KEV 2025-05-13
ENISA EUVD EUVD-2025-14388
CWE CWE-288
Status published
Products (2)
ivanti/endpoint_manager_mobile 12.5.0.0
ivanti/endpoint_manager_mobile < 11.12.0.5
Published May 13, 2025
KEV Added May 19, 2025
Tracked Since Feb 18, 2026