Ivanti EPMM 0-Day RCE Vulnerability Under Active Attack

Ivanti’s Endpoint Manager Mobile (EPMM) contains a critical vulnerability chain that has been actively abused.

The vulnerabilities, initially disclosed by Ivanti on March 13th, 2025, combine an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428) to create a critical attack vector that allows unauthenticated attackers to execute arbitrary code on vulnerable systems.

While the individual vulnerabilities received CVSS scores of 5.3 and 7.2 respectively, their combined impact elevates the threat to critical levels.

Exploitation has been observed since May 16th following the publication of proof-of-concept exploits by multiple security firms.

Authentication Bypass and RCE Vulnerability Details

The vulnerability chain begins with CVE-2025-4427, an authentication bypass stemming from improper request handling in EPMM’s route configuration.

Certain API endpoints, including /rs/api/v2/featureusage, were mistakenly exposed without authentication requirements due to missing security configurations.

This flaw allows attackers to access protected endpoints without valid credentials. When chained with CVE-2025-4428, a post-authentication remote code execution vulnerability in the DeviceFeatureUsageReportQueryRequestValidator component, attackers can achieve full system compromise.

The RCE vulnerability exploits unsafe handling of user input within error messages processed via Spring’s AbstractMessageSource, enabling Java Expression Language injection through a crafted format parameter that can execute arbitrary Java code.

Affected Systems and Patching Information

Ivanti has confirmed that multiple versions of their Endpoint Manager Mobile platform are vulnerable to these attacks.

The affected versions include EPMM 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior.

Organizations running these versions are urged to implement patches immediately as exploitation attempts continue to increase.

The vulnerabilities’ severity is amplified in cloud environments where EPMM instances may be directly exposed to the internet, providing attackers with an accessible attack surface.

Evidence of Sophisticated Threat Actor

Wiz Research has identified a specific threat actor actively exploiting these vulnerabilities in multiple cloud environments.

Analysis of attack infrastructure revealed that exploited systems are being infected with a Sliver beacon communicating with the command and control server at 77.221.157.154.

This IP address has been linked to previous campaigns targeting PAN-OS vulnerabilities (CVE-2024-0012 and CVE-2024-9474) earlier this year, suggesting a pattern of opportunistic attacks against network security appliances.

The threat actor maintains operational continuity, using consistent infrastructure including the same SSL certificate since November 2024.

Additional servers and domains associated with this actor include several Polish IP addresses and domains such as elektrobohater.pl, wagodirect.pl, and e-wago.pl.

This ongoing campaign highlights the speed at which sophisticated actors can weaponize newly disclosed vulnerabilities against critical infrastructure components.

Indicators of Compromise (IOCs)

Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!