CVE-2025-4428

HIGH KEV

Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution

Title source: metasploit

Exploitation Summary

CVE-2025-4428 is actively exploited and was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025. EIP tracks 4 public entries (three working PoCs and one detection-only scanner) from iSee857, xie-22, watchTowr, CERT-EU, Sonny Macdonald, Piotr Bazydlo and remmons-r7, among them the Metasploit module exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428, which chains the CVE-2025-4427 authentication bypass with this vulnerability for unauthenticated RCE.

AI-analyzed exploit summary The public tooling chains the CVE-2025-4427 authentication bypass with CVE-2025-4428, an expression language injection in an Ivanti EPMM API endpoint, to reach unauthenticated remote code execution. The Metasploit module runs commands as the 'tomcat' user and ships a check method; the watchTowr script confirms the flaw by sending a crafted request and inspecting the response without exploiting it.

Description

Remote Code Execution in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. The 'authenticated' precondition applies to this vulnerability on its own: the public exploits chain it with the CVE-2025-4427 authentication bypass, so in practice it is reachable without credentials.
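The description above says only that the API component is hit with crafted requests, and the page's title names the injection class (expression language). What a defender typically wants at this point is a way to find such requests in existing traffic. The following Python is an added example, not code from this page, from Ivanti, or from any of the tracked PoCs: it scans web-server access lines in Apache/Tomcat combined format for expression-language payloads (${…}, #{…}, and the reflection primitives such payloads use to reach Runtime) in query parameters sent to API paths, decoding repeatedly so double-encoded requests are not missed. The sample log lines, the /api/ path prefix and the /api/v2/example endpoint are constructed assumptions, not values taken from this page.

```python
"""Access-log detection for expression-language injection attempts (added example).

Sample lines are CONSTRUCTED in Apache/Tomcat combined format; the '/api/' prefix
and the '/api/v2/example' path are assumptions, not values from this page.
"""
import re
import urllib.parse
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Markers checked after full URL-decoding: EL/SpEL delimiters plus the reflection
# primitives payloads use to reach Runtime/ProcessBuilder. Tune to your traffic.
EL_MARKERS = re.compile(r"\$\{|#\{|T\(|\.getClass\(\)|forName\(|Runtime|ProcessBuilder")

# Constructed sample log (not real traffic): a plain probe, a double-encoded
# reflection payload, a benign request, and a marker outside the API prefix.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2025:10:01:22 +0000] "GET /api/v2/example?format=%24%7B7*7%7D HTTP/1.1" 400 184
203.0.113.7 - - [19/May/2025:10:01:25 +0000] "GET /api/v2/example?format=%2524%257B%27%27.getClass%28%29.forName%28%27java.lang.Runtime%27%29%257D HTTP/1.1" 400 241
198.51.100.4 - - [19/May/2025:10:02:00 +0000] "GET /api/v2/example?format=json HTTP/1.1" 401 54
198.51.100.9 - - [19/May/2025:10:03:00 +0000] "GET /static/app.js?v=%24%7Bbuild%7D HTTP/1.1" 200 9012
"""


@dataclass
class Hit:
    ip: str
    ts: str
    status: str
    path: str
    param: str
    decoded: str


def decode_fully(value, rounds=3):
    """URL-decode until stable (bounded); double-encoding evades single-pass rules."""
    for _ in range(rounds):
        new = urllib.parse.unquote_plus(value)
        if new == value:
            break
        value = new
    return value


def scan_line(line, path_prefix="/api/"):
    """Return a Hit if the line carries an EL marker in a query param under path_prefix."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urllib.parse.urlsplit(m.group("target"))
    if not parsed.path.startswith(path_prefix):
        return None
    for pair in parsed.query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        decoded = decode_fully(raw)
        if EL_MARKERS.search(decoded):
            return Hit(m.group("ip"), m.group("ts"), m.group("status"),
                       parsed.path, decode_fully(key), decoded)
    return None


def scan(lines, path_prefix="/api/"):
    """Scan an iterable of log lines; returns the Hits in input order."""
    hits = []
    for line in lines:
        hit = scan_line(line, path_prefix)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.ip} {h.status} {h.path} {h.param}={h.decoded!r}")
```

Two design points worth keeping when adapting this: decode before matching (the second sample line only reveals `${` after two passes), and scope the rule to the API paths you care about, otherwise any template-looking string in a static-asset URL produces noise. A 4xx status on a hit is not reassurance; for an injection that is evaluated inside a validation error message, the error response is the exploitation channel.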

Exploits (4)

github WORKING POC 40 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/IvantiEPMM-CVE-2025-4428-RCE.py

Python PoC for remote code execution against Ivanti EPMM via CVE-2025-4428, per the repository path. The automated analysis attached to this entry describes a different project (an OpenCode PoC for CVE-2026-22812 that drives '/session' endpoints and checks for 'uid=' in the reply) and does not apply to this script, so the classification below should be read with that in mind.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ivanti EPMM (per the repository path; the attached analysis' target "OpenCode" belongs to a different entry)
No auth needed
Prerequisites: Network access to a vulnerable Ivanti EPMM instance
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 4 stars
by xie-22 · remote
https://github.com/xie-22/CVE-2025-4428

This is a functional exploit PoC for CVE-2025-4428, leveraging SpEL injection in a Java-based web application to achieve remote command execution. The script generates a base64-encoded payload, constructs a malicious SpEL expression, and sends it to the target endpoint to trigger command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ivanti EPMM, per the repository name (the analysis identified it only as a Java-based web application with a SpEL injection flaw)
No auth needed
Prerequisites: Network access to the target endpoint · Vulnerable version of the target software
devstral-2 · analyzed Feb 16, 2026
vulncheck_xdb SCANNER
remote
https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-EPMM-CVE-2025-4427-CVE-2025-4428

The repository contains a Python script that detects vulnerability to CVE-2025-4427 and CVE-2025-4428 in Ivanti EPMM by sending a crafted HTTP request to a specific endpoint and checking the response for indicators of vulnerability. It does not exploit the vulnerability but confirms its presence.

Classification
Scanner 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Ivanti EPMM versions 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, 12.5.0.0 and prior
No auth needed
Prerequisites: Network access to the target Ivanti EPMM instance
devstral-2 · analyzed Feb 25, 2026
metasploit WORKING POC EXCELLENT
by CERT-EU, Sonny Macdonald, Piotr Bazydlo, remmons-r7 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.rb

This Metasploit module exploits an unauthenticated RCE chain in Ivanti EPMM (CVE-2025-4427 and CVE-2025-4428) via expression language injection in an API endpoint. It executes commands as the 'tomcat' user and includes a check method to verify vulnerability.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Ivanti EPMM (formerly MobileIron Core)
No auth needed
Prerequisites: Network access to the target · Vulnerable Ivanti EPMM instance
devstral-2 · analyzed Feb 16, 2026
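The watchTowr scanner entry and the Metasploit module's check method both describe the same non-exploiting technique: send a crafted request carrying a harmless expression and look for evidence in the reply that the server evaluated it rather than echoing it. The Python below is an added example of that technique; it is not the watchTowr scanner or the Metasploit check, and it goes one step past the usual ${7*7} probe by using a random two-factor product as the marker, so a literal 49 elsewhere in the response cannot produce a false positive. The endpoint path and parameter name are placeholder assumptions, not values from this page; substitute the ones from the vendor advisory. The sample responses in the demo are constructed.

```python
"""Non-exploiting expression-evaluation check (added example).

Sends a harmless arithmetic expression in one query parameter and classifies
the reply. Endpoint path and parameter name are PLACEHOLDER ASSUMPTIONS, not
values from this page; take the real ones from the vendor advisory.
"""
import random
import re
import ssl
import urllib.error
import urllib.parse
import urllib.request

ASSUMED_PATH = "/api/v2/example"   # assumption, not from this page
ASSUMED_PARAM = "format"           # assumption, not from this page


def build_probe(rng=random):
    """Return (expression, expected_product).

    Two random four-digit factors give a product that is very unlikely to
    occur in a response by chance, unlike the classic ${7*7} -> 49.
    """
    a, b = rng.randint(1000, 9999), rng.randint(1000, 9999)
    return f"${{{a}*{b}}}", a * b


def classify(body, expression, product):
    """Classify one response body against the probe that produced it.

    reflected -> raw expression echoed verbatim: input is reflected but not
                 evaluated (filtered or patched build)
    evaluated -> product present as a standalone number and the raw expression
                 absent: the server interpolated the expression (vulnerable)
    no-echo   -> neither seen: inconclusive, not a negative result
    """
    if expression in body:
        return "reflected"
    if re.search(rf"(?<!\d){product}(?!\d)", body):
        return "evaluated"
    return "no-echo"


def probe(base_url, verify_tls=True, timeout=10):
    """Send one probe to base_url and return (verdict, expression_used)."""
    expression, product = build_probe()
    query = urllib.parse.urlencode({ASSUMED_PARAM: expression})
    url = f"{base_url.rstrip('/')}{ASSUMED_PATH}?{query}"
    ctx = ssl.create_default_context()
    if not verify_tls:  # appliances often present self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers={"User-Agent": "el-eval-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 4xx validation errors are exactly where an interpolated message shows up
        body = err.read().decode("utf-8", "replace")
    return classify(body, expression, product), expression


if __name__ == "__main__":
    # Constructed sample replies (not real product output) showing each verdict.
    expr, prod = "${1234*5678}", 1234 * 5678
    samples = {
        "evaluated": f'{{"message":"Invalid value {prod}"}}',
        "reflected": f'{{"message":"Invalid value {expr}"}}',
        "no-echo":   '{"message":"Unauthorized"}',
    }
    for name, body in samples.items():
        print(f"{name:9s} {classify(body, expr, prod)}")
```

Read "no-echo" as inconclusive rather than safe: a 401 from a build that enforces authentication on the endpoint looks identical to a host where the parameter is simply not reflected, and the KEV status means the right follow-up is version verification against the vendor advisory, not a second probe.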

Scores

CVSS v3.1 7.2 (High)
EPSS 0.4098 (41.0% estimated probability of exploitation activity in the next 30 days)
EPSS Percentile 97.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
The PR:H component scores this vulnerability in isolation; chained with the CVE-2025-4427 authentication bypass, as the public exploits do, the effective precondition is unauthenticated network access to the API.

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2025-05-19
VulnCheck KEV 2025-05-13
ENISA EUVD EUVD-2025-14387
CWE
CWE-94
Status published
Products (2)
ivanti/endpoint_manager_mobile 12.5.0.0
ivanti/endpoint_manager_mobile < 11.12.0.5
Published May 13, 2025
KEV Added May 19, 2025
Tracked Since Feb 18, 2026