
Ivanti EPMM Under Attack: Critical RCE Flaws Actively Exploited


Security researchers at watchTowr have published their analysis of two vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) that form a critical exploit chain when combined. The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, are already being exploited in the wild.

Ivanti EPMM is a mobile device management (MDM) solution widely used by organizations to manage employee devices. According to watchTowr's analysis, the vulnerabilities could allow attackers to gain complete control over the MDM platform, potentially enabling the deployment of malicious software across an organization's managed devices.

The first vulnerability (CVE-2025-4427) is an authentication bypass rated 5.3 on the CVSS scale, and the second (CVE-2025-4428) is a remote code execution flaw rated 7.2. Neither score is critical on its own, but chaining the two lets an unauthenticated attacker execute arbitrary code on a vulnerable system.

"When chained together, successful exploitation could lead to unauthenticated remote code execution," Ivanti stated in their advisory. "We are aware of a very limited number of customers who have been exploited at the time of disclosure."

watchTowr's researchers traced the RCE vulnerability to improper handling of user input in the DeviceFeatureUsageReportQueryRequestValidator class. The attacker-controlled "format" parameter is reflected into a validation error message, and that message is interpolated as a Java Expression Language (EL) template before it is returned, so an EL expression supplied in "format" is evaluated on the server.

The authentication bypass, meanwhile, stems from a misconfiguration in the Spring Security routing that left certain API endpoints reachable without credentials. The researchers found they could send requests to /mifs/rs/api/v2/featureusage without authenticating, which is the endpoint that feeds the vulnerable validator.

"For those out of the loop, don't worry - as always, we're here to fill you in," wrote watchTowr. "Ivanti Endpoint Manager Mobile (EPMM) is an MDM solution for system administrators to install and manage devices within an organization. It hopes to prevent you from installing malware or enjoying your life by watching YouTube during any permitted and sanctioned downtime."

The researchers demonstrated the chain by executing system commands such as "id" and "touch /tmp/poc" on a vulnerable instance.
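The endpoint and parameter above give a straightforward indicator to hunt for in web server logs. The following is an added example, not code from watchTowr or Ivanti: it scans constructed access-log lines (the log format, IP addresses and sample requests are all assumptions, not real traffic) for requests to /mifs/rs/api/v2/featureusage whose query parameters contain a `${` EL marker, decoding the URL encoding repeatedly so that double-encoded payloads are not missed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoint named in watchTowr's analysis; reaching it without a session is the bypass.
VULN_PATH = "/mifs/rs/api/v2/featureusage"
# Java EL expressions open with "${"; that marker in a query value is an injection attempt.
EL_MARKER = re.compile(r"\$\{")

# Common log format with a request target; the fronting web server's real format is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic): a normal call, a single-encoded ${...} probe,
# an unrelated request, and a double-encoded probe.
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2025:10:02:11 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 200 512
198.51.100.7 - - [15/May/2025:10:02:19 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7B7*7%7D HTTP/1.1" 400 231
198.51.100.7 - - [15/May/2025:10:02:20 +0000] "GET /mifs/login.html HTTP/1.1" 200 1044
198.51.100.7 - - [15/May/2025:10:02:25 +0000] "GET /mifs/rs/api/v2/featureusage?format=%2524%257B7*7%257D HTTP/1.1" 400 231
"""


def deep_unquote(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so a double-encoded %2524%257B still becomes '${'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str):
    """Return (kind, param, value) for requests to the feature-usage endpoint, else None."""
    parts = urlsplit(target)
    if not deep_unquote(parts.path).startswith(VULN_PATH):
        return None
    # parse_qsl decodes once; deep_unquote catches further layers of encoding.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = deep_unquote(raw)
        if EL_MARKER.search(value):
            return ("el_injection", name, value)
    return ("featureusage_request", None, None)


def scan_log(text: str):
    """Return a list with one finding per request that touches the vulnerable endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group("target"))
        if hit is None:
            continue
        kind, param, value = hit
        findings.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "kind": kind,
            "param": param,
            "value": value,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Plain requests to the endpoint are reported as well, at a lower tier, because legitimate administrators call it too; the `el_injection` findings are the ones that warrant incident response, regardless of the HTTP status the appliance returned.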

Ivanti has released patches in versions 11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1; every earlier build in each of those branches remains affected. Organizations running Ivanti EPMM are strongly advised to update immediately, as the chain is already being used in targeted attacks. Restricting access to the /mifs/rs/api/ path to trusted networks reduces exposure in the meantime but is not a substitute for patching.
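Because the fix lands at a different build number in each release branch, a fleet inventory needs more than a single "minimum version" comparison. The following is an added example, not Ivanti's tooling: it maps each branch to the fixed build listed above and classifies a version string accordingly. It assumes that branches older than 11.12 received no fix (so they can only be remediated by upgrading) and declines to guess about branches newer than 12.5.

```python
# Fixed builds named in Ivanti's advisory, keyed by release branch (major, minor).
PATCHED_BY_BRANCH = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}
OLDEST_PATCHED_BRANCH = min(PATCHED_BY_BRANCH)


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.1' (or a shorter string such as '12.5') into a 4-part integer tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 2 or len(parts) > 4:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def patch_status(version_text: str) -> str:
    """Classify an EPMM build as 'patched', 'vulnerable' or 'unknown' for this advisory."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in PATCHED_BY_BRANCH:
        return "patched" if version >= PATCHED_BY_BRANCH[branch] else "vulnerable"
    if branch < OLDEST_PATCHED_BRANCH:
        # Assumption: branches older than the oldest one Ivanti fixed received no fix,
        # so they are only remediated by upgrading to one of the listed builds.
        return "vulnerable"
    # A branch newer than anything in the advisory: do not guess, check with the vendor.
    return "unknown"


if __name__ == "__main__":
    for build in ("12.5.0.0", "12.5.0.1", "11.12.0.4", "11.11.0.2", "12.6.0.0"):
        print(build, patch_status(build))
```

Feed it the version strings from your asset inventory; anything reported as "vulnerable" should be upgraded, and anything "unknown" checked against the vendor advisory rather than assumed safe.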
