Critical RCE in Ivanti EPMM

Two Critical Ivanti EPMM Flaws Under Active Exploitation: What You Need to Know

Two critical remote code execution (RCE) vulnerabilities—CVE-2025-4427 and CVE-2025-4428—have been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. These flaws allow unauthenticated remote attackers to execute arbitrary commands on affected systems. Ivanti disclosed these vulnerabilities on May 14, 2025, with active exploitation in the wild reported shortly thereafter. The vulnerabilities stem from improper input validation, enabling attackers to bypass authentication and execute system-level commands. These vulnerabilities pose a severe risk to enterprises using Ivanti’s mobile device management platform.

Impacted Technologies

  • Ivanti EPMM (MobileIron Core):
    • Version 11.10
    • Version 11.9
    • Version 11.8
    • Older, end-of-life versions may also be at risk and should be upgraded immediately or decommissioned.

Risk Level

Critical

These vulnerabilities carry a CVSS v3 score of 9.8, indicating high impact and ease of exploitation. Public exploit code is not yet available, but active exploitation in the wild has been confirmed by Ivanti and several security researchers.

Exploit Details

  1. Attack Path:
    An unauthenticated remote attacker can send crafted requests directly to exposed Ivanti EPMM servers over HTTP/HTTPS. These requests abuse vulnerable API endpoints or input-handling code to execute arbitrary commands.

  2. Exploitation:
    • CVE-2025-4427 involves a pre-authentication command injection vulnerability, allowing attackers to run OS commands as the root user.
    • CVE-2025-4428 is a secondary flaw that supports the initial attack chain by bypassing input sanitization mechanisms. It can be used in tandem with CVE-2025-4427 to maximize damage or establish persistence.

  3. Post-Exploitation:
    After successful exploitation, attackers can:
    • Establish backdoors or reverse shells
    • Exfiltrate sensitive data and credentials
    • Move laterally within the network
    • Install ransomware or additional malware payloads
    • Disable endpoint security solutions or monitoring agents

Mitigation

Ivanti has released patches for supported versions and urges immediate updates:

  • Apply the latest security updates provided by Ivanti for EPMM versions 11.8 through 11.10.
  • Block external access to EPMM admin and API interfaces unless strictly required.
  • Monitor logs for unusual requests, especially to EPMM endpoints.
  • Conduct an IOC sweep using YARA rules or indicators provided by Ivanti and third-party security vendors.
  • Replace or decommission any end-of-life EPMM versions that cannot be patched.
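
A starting point for the log-monitoring and access-restriction items above, written as an added example (not Ivanti's tooling or code from this advisory): it parses common-log-format access lines and flags requests that reach assumed admin/API path prefixes from outside assumed trusted networks, or that carry raw or URL-encoded shell metacharacters in the path. The trusted ranges, the path prefixes and the sample log lines are all constructed; device-facing EPMM paths may legitimately be reached from the internet, so tune the prefixes to your deployment.

```python
import ipaddress
import re

# Assumed (constructed) values: trusted management networks and EPMM admin/API
# path prefixes; substitute your own ranges and the paths Ivanti documents.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SENSITIVE_PREFIXES = ("/admin/", "/api/")
# Raw and URL-encoded shell metacharacters that rarely belong in a request path
SUSPICIOUS = ("$", "`", ";", "|", "%24", "%60", "%3B", "%7C")
# Common log format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return the fields of one common-log-format line, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_external(ip_str):
    """True when the source address lies outside every trusted network."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(ip in net for net in TRUSTED_NETS)

def flag_request(rec):
    """Return the reasons (possibly none) a request deserves analyst review."""
    reasons = []
    if rec["path"].startswith(SENSITIVE_PREFIXES) and is_external(rec["ip"]):
        reasons.append("sensitive interface reached from external address")
    if any(token in rec["path"] for token in SUSPICIOUS):
        reasons.append("shell metacharacters in request path")
    return reasons

def triage(lines):
    """Run each log line through the checks; return (ip, path, reasons) tuples."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and (reasons := flag_request(rec)):
            findings.append((rec["ip"], rec["path"], reasons))
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.1.2.3 - admin [14/May/2025:10:00:01 +0000] "GET /admin/dashboard HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/May/2025:10:00:02 +0000] "POST /api/v1/devices HTTP/1.1" 200 2048',
    '198.51.100.9 - - [14/May/2025:10:00:03 +0000] "GET /api/v1/items?f=x%3Bid HTTP/1.1" 500 0',
]
```

Run `triage(SAMPLE_LOG)` to get the two flagged entries; the internal admin request passes untouched.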

Organizations unable to patch immediately should restrict access to vulnerable systems and deploy compensating network controls.