CVE-2025-4427 and CVE-2025-4428 Detection: Ivanti EPMM Exploit Chain Leading to RCE 

May 19, 2025 · 4 min read

Following the disclosure of CVE-2025-31324, an unauthenticated file upload vulnerability in SAP NetWeaver enabling RCE, two more security flaws have surfaced in Ivanti Endpoint Manager Mobile (EPMM) software. Identified as CVE-2025-4427 and CVE-2025-4428, these vulnerabilities can be chained together to achieve RCE on vulnerable devices without requiring authentication.

Detect CVE-2025-4427 and CVE-2025-4428 Exploit Chain

With the sharp rise in vulnerabilities across widely used software and their rapid weaponization in real-world attacks, the need for proactive threat detection is vital. In the first half of 2025, NIST logged more than 18,000 vulnerabilities, many of which are already testing the limits of SOC teams around the globe. As cyber threats grow more advanced, early detection becomes essential to staying ahead of attackers and minimizing damage.

Register now for the SOC Prime Platform to access an extensive library of context-enriched detection rules, helping you stay one step ahead of attacks leveraging emerging vulnerabilities. The platform features curated detections for the latest Ivanti EPMM exploit chain (CVE-2025-4427, CVE-2025-4428), backed by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Click the Explore Detections button below to dive into the relevant detection stack.

Explore Detections

Security professionals can also browse the Threat Detection Marketplace using the “CVE-2025-4427” and “CVE-2025-4428” tags for more targeted content. To explore a wider set of detection rules related to vulnerability exploitation, simply apply the “CVE” tag to view the full collection.

Additionally, security professionals might streamline threat investigation using Uncoder AI – a private IDE & co-pilot for threat-informed detection engineering – now completely free and available without token limits on AI features. Generate detection algorithms from raw threat reports, enable fast IOC sweeps into performance-optimized queries, predict ATT&CK tags, optimize query code with AI tips, and translate it across multiple SIEM, EDR, and Data Lake languages.

CVE-2025-4427 and CVE-2025-4428 Analysis

Ivanti has recently addressed two newly identified vulnerabilities in the API component of its EPMM software, which can be chained together, giving attackers the green light to remotely execute code on unpatched devices without authentication. The flaws include CVE-2025-4427 (with a CVSS score of 5.3), an authentication bypass that lets attackers access restricted resources without valid credentials, and CVE-2025-4428 (with a CVSS score reaching 7.2), an RCE flaw that enables adversaries to run arbitrary code on affected systems. 

The vendor claimed that only a limited number of customers were impacted at the time of the vulnerability disclosure. The security issues are tied to two open-source libraries used in EPMM, and it remains unclear if other software using them is also affected. The company emphasized that customers using API filtering, via Portal ACLs or an external WAF, face significantly lower risk. The issue affects only the on-premises EPMM instances and does not impact Ivanti Neurons for MDM, Ivanti Sentry, or any other product offerings.

Meanwhile, watchTowr Labs researchers have published a PoC on GitHub (a “Pre-Auth RCE Chain 1day Detection Artifact Generator Tool”) showing how the flaws can be chained to gain RCE in Ivanti EPMM. The researchers observed that although the third-party library “hibernate-validator” had been updated from version 6.0.22 to 6.2.5, arbitrary commands could still be run by sending a specially crafted HTTP GET request to “/mifs/admin/rest/api/v2/featureusage”. They also clarified that CVE-2025-4427 is less an authentication bypass than a logic flaw, an “order of operations” issue in which security boundaries are applied in the wrong sequence in the code. The researchers questioned whether this is truly a third-party vulnerability or rather the result of unsafe use of functions known to be risky.
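The one request-level indicator the write-up gives is an HTTP GET to “/mifs/admin/rest/api/v2/featureusage”, so a first hunting pass over EPMM web access logs can key on exactly that. The script below is an added example, not code from SOC Prime or watchTowr Labs: it parses combined-format access-log lines (the sample lines are constructed, not real traffic), flags GET requests whose path matches the endpoint, and counts hits per source address so repeated probing from one host stands out. It assumes the EPMM front end writes combined-format logs; the request parameters an exploit would carry are not described on the page, so the rule deliberately matches on method and path only and should be tuned against the legitimate admin and integration traffic seen in your environment.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Endpoint named in the watchTowr write-up summarised above.
SUSPECT_PATH = "/mifs/admin/rest/api/v2/featureusage"

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [19/May/2025:10:01:12 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/May/2025:10:01:15 +0000] "GET /mifs/admin/rest/api/v2/featureusage?page=1 HTTP/1.1" 500 231 "-" "python-requests/2.31"
198.51.100.7 - - [19/May/2025:10:02:03 +0000] "POST /mifs/admin/rest/api/v2/devices HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [19/May/2025:10:02:09 +0000] "GET /mifs/admin/rest/api/v2/featureusage HTTP/1.1" 500 231 "-" "python-requests/2.31"
"""

# Combined log format: src ident user [ts] "METHOD target PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only so query strings cannot be used to dodge the match.
    rec["path"] = urlsplit(rec["target"]).path
    rec["status"] = int(rec["status"])
    return rec


def find_suspect_requests(log_text):
    """Flag every GET request to the featureusage endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"] == SUSPECT_PATH:
            hits.append(rec)
    return hits


def hits_per_source(hits):
    """Count flagged requests per source address for triage."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_suspect_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["target"]} -> {h["status"]} ({h["ua"]})')
    print(dict(hits_per_source(found)))
```

Requests that match and are not tied to an authenticated admin session, or that come from addresses outside the ranges your Portal ACLs or WAF are meant to allow, are the ones to escalate first; on a patched instance the same hits are still worth reviewing as evidence of scanning.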

As the vulnerabilities affect EPMM versions up to 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0, defenders recommend promptly applying the vendor's patches. More specifically, upgrading to the corresponding fixed versions, 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1, is the effective CVE-2025-4427 and CVE-2025-4428 mitigation and minimizes the risk of exploit chain attacks. SOC Prime Platform equips global organizations in diverse industry verticals and individual researchers with a cutting-edge, AI-powered product suite to proactively defend against cyber threats of any scale and sophistication, including critical CVEs and zero-days that are continuously emerging in popular software.
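When checking an inventory of on-premises EPMM instances against the version list above, a per-branch comparison is more reliable than a string search. The helper below is an added example, not SOC Prime or Ivanti code: it maps each affected branch to its fixed release from the paragraph above, compares versions numerically, and treats any release older than the oldest listed fix as vulnerable on the strength of the “up to” wording (an assumption; branches between the listed ones return None so they can be checked against the vendor advisory rather than guessed).

```python
# Fixed releases per affected branch, taken from the advisory summary above.
FIXED_VERSIONS = {
    "11.12": "11.12.0.5",
    "12.3": "12.3.0.2",
    "12.4": "12.4.0.2",
    "12.5": "12.5.0.1",
}


def parse_version(version):
    """'12.4.0.1' -> (12, 4, 0, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def branch_of(version):
    """'12.4.0.1' -> '12.4' (the major.minor release train)."""
    return ".".join(version.strip().split(".")[:2])


def is_vulnerable(version):
    """True if the EPMM version still needs the CVE-2025-4427/4428 fix, False if patched.

    Returns None for a branch the summary does not list (and that is newer than the
    oldest listed fix), so the caller can consult the vendor advisory instead.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(branch_of(version))
    if fixed is not None:
        return parsed < parse_version(fixed)
    # Assumption: "versions up to 11.12.0.4" covers everything older than that train.
    oldest_fix = min(parse_version(v) for v in FIXED_VERSIONS.values())
    if parsed < oldest_fix:
        return True
    return None


def triage(inventory):
    """Map host -> verdict for a dict of host: version (e.g. pulled from an asset DB)."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {
        "epmm-01.example.internal": "12.5.0.0",
        "epmm-02.example.internal": "12.5.0.1",
        "epmm-03.example.internal": "11.12.0.4",
        "epmm-legacy.example.internal": "11.10.0.2",
    }
    for host, verdict in triage(sample).items():
        print(f"{host}: {'VULNERABLE' if verdict else 'patched' if verdict is False else 'check advisory'}")
```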
