CISA Adds Actively Exploited Ivanti EPMM Zero-Day to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of exploitation in the wild.

The flaws, CVE-2025-4427 and CVE-2025-4428, are an authentication bypass and a remote code execution bug, respectively. Ivanti attributes both to the way two widely used open-source libraries are integrated into EPMM rather than to EPMM's own code.

Federal civilian executive branch agencies must remediate by June 9, 2025, under Binding Operational Directive 22-01; CISA urges private organizations to do the same on the same timeline.

CISA’s KEV catalog entry highlights the severity of these vulnerabilities in Ivanti’s enterprise mobility management solution, which handles mobile device deployment, security policies, and application management for global organizations.

The first flaw, CVE-2025-4427, allows unauthenticated attackers to bypass authentication in EPMM's API component; Ivanti traces it to how the API's Spring Framework-based request handling is configured.

This vulnerability (CWE-288, authentication bypass using an alternate path or channel) lets an attacker reach API resources that should require credentials.

The second vulnerability, CVE-2025-4428, lets an authenticated attacker execute arbitrary code via the API because of how the Hibernate Validator library processes validation messages (CWE-94, code injection).

On its own the code injection requires authentication, but chained with CVE-2025-4427 it becomes unauthenticated remote code execution, which is what makes the pair dangerous: a successful attacker can run code on the EPMM server, deploy malware, or exfiltrate the device and user data it manages.

While neither vulnerability has yet been linked to ransomware campaigns, the combination is a ready-made initial access vector, and EPMM's position as the management plane for an organization's mobile fleet makes it a valuable pivot point.

Technical Analysis of Exploitation Pathways

The authentication bypass in CVE-2025-4427 comes from the ordering of the API's Spring-based request processing: work is performed on attacker-supplied request input before the authentication check for the route is applied, so certain API requests are handled without valid credentials. The page's source does not document the exact route or configuration involved, and it should not be assumed that session tokens can be forged; the effect is that the authentication check is reached too late or not at all.

Security researchers note that the flaw is exploitable with crafted HTTP requests to EPMM's API endpoints and that, combined with the code injection below, it leads to full system compromise.

CVE-2025-4428 is an Expression Language (EL) injection. Hibernate Validator interpolates EL expressions of the form ${...} inside constraint violation messages, so when attacker-controlled input is placed into a validation message template, the input is evaluated as EL rather than treated as data.

An attacker exploits this by submitting a parameter value containing an EL expression that invokes Java methods (for example, obtaining a class reference and calling into the runtime); the expression executes in the context of the EPMM application when the validation failure is reported.

This attack vector mirrors earlier expression-injection exploits against Java-based enterprise systems, where input that reaches a template or expression evaluator through an HTTP request turns into command execution.

Per Ivanti's May 2025 advisory, the affected on-premises releases are EPMM 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier; the fixed builds are 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1.

However, organizations with custom API integrations or slow update cycles remain at heightened risk, particularly since Ivanti acknowledged a limited number of exploited customers at disclosure time and CISA has since confirmed in-the-wild exploitation.

Mitigation Strategies for Network Defenders

Under BOD 22-01, federal civilian agencies must apply Ivanti's fixes or, if they cannot, discontinue use of EPMM by the June 9 deadline. For all other organizations, CISA recommends:

  1. Segmenting EPMM instances from critical network resources.
  2. Monitoring API traffic for anomalous patterns indicative of exploitation.
  3. Conducting forensic audits of EPMM systems for signs of compromise.
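The two exploitation patterns described above (requests reaching API handlers without credentials, and Expression Language payloads arriving in API parameters) are both visible in an access log, which is what mitigation step 2 is asking defenders to look for. The following Python script is an added example written for this article, not code from Ivanti or CISA. It runs over a constructed, simplified access-log format (client IP, an auth indicator, the request line, and the status code); the API path prefix in API_PREFIXES and the log layout are assumptions that must be adapted to the real EPMM log format and API paths before use. It flags EL openers (${ or #{) after undoing single and double URL encoding, and flags successful API responses to requests that carried no credentials.

```python
"""Scan web-server access logs for the two EPMM exploitation patterns:
EL injection in request parameters and unauthenticated API success.
Added example; log format, API prefix and sample lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Hypothetical API prefix: replace with the prefix EPMM's API uses in your logs.
API_PREFIXES = ("/api/",)

# Constructed sample lines (not real EPMM traffic) in the assumed format:
#   <client ip> <auth> "<METHOD> <request-target> HTTP/x.y" <status>
# <auth> is "-" when the request carried no Authorization header or session cookie.
SAMPLE_LOGS = """\
203.0.113.10 bearer "GET /api/devices?limit=10 HTTP/1.1" 200
203.0.113.10 - "GET /api/devices HTTP/1.1" 401
198.51.100.7 - "GET /api/report?format=csv HTTP/1.1" 200
198.51.100.7 - "GET /api/report?format=%24%7B%27%27.getClass%28%29%7D HTTP/1.1" 200
198.51.100.7 - "GET /api/report?format=%2524%257B7*7%257D HTTP/1.1" 200
203.0.113.22 basic "POST /api/report?format=pdf HTTP/1.1" 200
192.0.2.5 - "GET /login HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<auth>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3})$'
)
# Opening token of a Jakarta/Java EL expression; ${ and #{ are both interpolated.
EL_RE = re.compile(r"[$#]\{")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo URL encoding repeatedly; double encoding is a common filter evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def el_payload_in(target: str) -> Optional[str]:
    """Return the first decoded path segment or query value containing an EL opener."""
    parts = urlsplit(target)
    candidates = [fully_decode(parts.path)]
    # parse_qsl already decodes one layer; fully_decode handles further layers.
    candidates += [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for candidate in candidates:
        if EL_RE.search(candidate):
            return candidate
    return None


def is_api_path(path: str) -> bool:
    return fully_decode(path).startswith(API_PREFIXES)


def scan(log_text: str) -> list[Finding]:
    """Apply both detection rules to every parseable line and return the findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: in production, count these rather than drop them
        target, status = match["target"], int(match["status"])
        path = urlsplit(target).path

        payload = el_payload_in(target)
        if payload is not None:
            findings.append(Finding(line_no, "el_injection", payload))

        # A 2xx from an API route with no credentials presented is the bypass signature.
        if is_api_path(path) and match["auth"] == "-" and 200 <= status < 300:
            findings.append(Finding(line_no, "unauth_api_success", path))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(f"line {finding.line_no}: {finding.rule}: {finding.detail}")
```

Lines that match both rules (an EL payload in a request that also succeeded without credentials) are the ones to treat as probable exploitation; an unauthenticated 2xx alone may be a legitimately public endpoint, so tune API_PREFIXES to the authenticated part of the API, and an EL opener in an authenticated request still warrants a look at who sent it.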

Ivanti's advisory directs customers to upgrade to the fixed builds (11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1), which close both the authentication ordering issue and the EL injection in validation messages.

For organizations unable to patch immediately, Ivanti recommends restricting access to the API using the product's built-in Portal ACLs or an external web application firewall; disabling unused API endpoints and enforcing network-level access controls in front of EPMM reduce exposure further.

These vulnerabilities underscore the risks inherent in third-party library dependencies within enterprise software.

CISA's KEV listing serves as a prioritization tool for defenders, focusing remediation effort on flaws that are known to be exploited rather than on raw severity scores.

As threat actors increasingly target enterprise mobility infrastructure, proactive vulnerability management remains essential to mitigating supply chain risks.
