CVE-2025-4427

Ivanti EPMM — Authentication Bypass via Missing Spring Security Intercept Rules, Enabling Unauthenticated RCE Chain
CVSS 3.1: 5.3 / 10 (MEDIUM). Listed in the CISA Known Exploited Vulnerabilities catalog.

What is Ivanti Endpoint Manager Mobile (EPMM)?

Ivanti Endpoint Manager Mobile (EPMM), formerly branded as MobileIron Core, is an enterprise Mobile Device Management (MDM) platform used by organizations to centrally manage and secure smartphones, tablets, and other mobile devices across their workforce. It is widely deployed in government agencies, healthcare organizations, telecommunications companies, and large enterprises to enforce mobile security policies, distribute applications, and manage device compliance.

Key functions include:

  • Device enrollment and lifecycle management — provision, configure, and retire corporate and BYOD mobile devices
  • Policy enforcement — push security policies (encryption, screen lock, app restrictions) to enrolled devices
  • Application management — distribute, update, and remotely wipe enterprise applications from a central console
  • VPN and network access — configure and distribute VPN profiles and certificates to managed endpoints
  • Compliance monitoring — continuously assess enrolled device posture and flag non-compliant devices

EPMM is typically deployed as an on-premises appliance with its management interface exposed to the internet for device check-ins. A compromised EPMM server gives an attacker access to LDAP user databases, Office 365 refresh and access tokens, managed device metadata, and the ability to push configurations to every enrolled mobile device — making it a prime target for nation-state espionage operations seeking broad access to enterprise and government mobile infrastructure.

Overview

CVE-2025-4427 is an authentication bypass vulnerability (CWE-288) in Ivanti EPMM's API component that allows an unauthenticated attacker to access protected API resources without credentials. The vulnerability stems from an incomplete Spring Security route configuration — certain API routes (such as /rs/api/v2/featureusage) lacked the required <intercept-url> rules, leaving them unauthenticated by default.

Although CVE-2025-4427 carries a Medium CVSS score of 5.3 in isolation (limited confidentiality impact), its practical severity is dramatically elevated when chained with CVE-2025-4428 (code injection / EL injection). The combination enables fully unauthenticated remote code execution — a critical-severity attack chain requiring no credentials and a single HTTP request sequence.

Both vulnerabilities were exploited as zero-days prior to Ivanti's May 13, 2025 disclosure. Exploitation activity was subsequently attributed to UNC5221, a China-nexus cyber-espionage group that has repeatedly targeted Ivanti products since 2023.

Affected Versions

Version branch                    Vulnerable    Fixed version
EPMM 11.12.0.4 and prior          Yes           11.12.0.5
EPMM 12.3.0.1 and prior           Yes           12.3.0.2
EPMM 12.4.0.1 and prior           Yes           12.4.0.2
EPMM 12.5.0.0 and prior           Yes           12.5.0.1
Ivanti Neurons for MDM (cloud)    Not affected

Ivanti recommends prioritizing internet-facing appliances when applying patches.

Technical Details

CVE-2025-4427 is an authentication bypass rooted in a misconfiguration of EPMM's Spring Security route authorization rules. Spring Security enforces access controls on HTTP routes through <intercept-url> configuration elements; routes not explicitly covered by these rules may default to unauthenticated access depending on the framework configuration.

In EPMM's case, routes including /rs/api/v2/featureusage were not included in the intercept-url rule set. As a result, an attacker can send requests to these endpoints without presenting valid credentials — bypassing the authentication layer entirely. watchTowr Labs characterized the flaw more precisely as an order-of-operations issue: validator logic in the affected endpoint executes before the authentication check, meaning the authentication check is effectively never reached for these routes.
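The rule-coverage gap described above can be checked mechanically. The following is an added example, not Ivanti's or Spring's code: it parses a Spring Security XML fragment, compiles each <intercept-url> Ant pattern, and reports which routes match no rule at all. The configuration, role name and route list are constructed for illustration; EPMM's real configuration is not reproduced.

```python
# Added example (not Ivanti's or Spring's code): audit a Spring Security XML
# configuration for routes that no <intercept-url> rule covers, the class of
# misconfiguration behind CVE-2025-4427. The config and route list are
# constructed for illustration; EPMM's real configuration is not reproduced.
import re
import xml.etree.ElementTree as ET

# Constructed rule set with no catch-all: /rs/api/v2/featureusage matches nothing.
WEAK_CONFIG = """<http xmlns="http://www.springframework.org/schema/security">
  <intercept-url pattern="/rs/api/v2/devices/**" access="hasRole('ROLE_API')"/>
  <intercept-url pattern="/rs/api/v2/apps/**" access="hasRole('ROLE_API')"/>
</http>"""
# Same rule set plus the catch-all that forces every other route through an explicit decision.
FIXED_CONFIG = WEAK_CONFIG.replace(
    "</http>", '  <intercept-url pattern="/**" access="denyAll"/>\n</http>')
SAMPLE_ROUTES = ["/rs/api/v2/devices/1", "/rs/api/v2/apps/list", "/rs/api/v2/featureusage"]
NS = "{http://www.springframework.org/schema/security}"

def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Ant-style path pattern into an anchored regex:
    '**' spans path separators, '*' stays within one segment, '?' is one char."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def intercept_rules(config_xml: str):
    """(pattern, access) pairs in declaration order; Spring applies the first match."""
    root = ET.fromstring(config_xml)
    return [(e.get("pattern"), e.get("access")) for e in root.iter(NS + "intercept-url")]

def uncovered_routes(config_xml: str, routes):
    """Routes matched by no rule, so they inherit the framework default rather than
    an explicit access decision; this is the gap CVE-2025-4427 exploited."""
    compiled = [ant_to_regex(p) for p, _ in intercept_rules(config_xml)]
    return [r for r in routes if not any(rx.match(r) for rx in compiled)]

if __name__ == "__main__":
    print("uncovered (weak): ", uncovered_routes(WEAK_CONFIG, SAMPLE_ROUTES))
    print("uncovered (fixed):", uncovered_routes(FIXED_CONFIG, SAMPLE_ROUTES))
```

Against the weak configuration the checker reports /rs/api/v2/featureusage as uncovered; with the trailing /** denyAll rule the list is empty, which is the property to verify after any route change.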

Chaining with CVE-2025-4428 to achieve unauthenticated RCE:

  1. Attacker sends an unauthenticated request to /rs/api/v2/featureusage (bypassing authentication via CVE-2025-4427)
  2. The request includes a crafted format parameter containing a Spring Expression Language (EL) expression
  3. EPMM's DeviceFeatureUsageReportQueryRequestValidator processes the user-controlled input through Spring's AbstractMessageSource without sanitization (CVE-2025-4428)
  4. The EL expression is evaluated, resulting in arbitrary Java code execution under the EPMM service account

Attack characteristics:

  • No credentials or prior access required when chained with CVE-2025-4428
  • Exploitable over the internet against any EPMM instance with a reachable management interface
  • Single chained HTTP request sequence sufficient to achieve unauthenticated RCE
  • Public PoC available from watchTowr Labs and ProjectDiscovery since May 15, 2025

Discovery

CVE-2025-4427 and CVE-2025-4428 were disclosed together by Ivanti on May 13, 2025. Ivanti stated at disclosure that the vulnerabilities had already been exploited against a limited number of customers prior to the advisory. watchTowr Labs published the first detailed public technical analysis and proof-of-concept exploit code on May 15, 2025. ProjectDiscovery independently published a PoC and technical analysis the same day. Wiz Threat Research subsequently documented in-the-wild exploitation activity including webshell deployment patterns.

Exploitation Context

CVE-2025-4427 was exploited as part of a zero-day campaign subsequently attributed to a China-linked APT group:

  • Zero-day exploitation: Ivanti confirmed at disclosure that both CVE-2025-4427 and CVE-2025-4428 had been exploited in the wild against a limited number of customers before the May 13, 2025 advisory.
  • Post-PoC exploitation surge: Wiz Threat Research observed exploitation activity beginning May 16, 2025 — the day after watchTowr Labs and ProjectDiscovery published PoC exploit code — indicating opportunistic attackers rapidly operationalized the public exploit.
  • UNC5221 attribution: EclecticIQ attributed approximately 20 attacks targeting internet-facing Ivanti EPMM deployments to UNC5221, a China-nexus cyber-espionage group with a documented history of targeting Ivanti products since 2023. EclecticIQ assessed this attribution with high confidence based on infrastructure reuse and observed tradecraft.
  • Post-exploitation tradecraft (UNC5221): After gaining RCE via the CVE-2025-4427/4428 chain, UNC5221 deployed KrustyLoader (delivered from AWS S3 buckets), which injected the Sliver backdoor directly into memory. The actors also used Fast Reverse Proxy (FRP) for network reconnaissance and lateral movement. They accessed the EPMM MySQL database using hard-coded credentials stored at /mi/files/system/.mifpp, exfiltrating LDAP user data, managed device metadata, and Office 365 refresh and access tokens.
  • Webshell deployment: Wiz Research identified attackers uploading webshells (including the Behinder webshell) to EPMM servers — some embedded directly in Base64-encoded commands executed via the RCE chain.
  • Targeted sectors and regions: Confirmed targets span healthcare, telecommunications, aviation, municipal government, finance, and defense sectors across Europe, North America, and the Asia-Pacific region.

Remediation

  1. Apply the patch immediately — upgrade to EPMM 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1 depending on your installed version; prioritize internet-facing appliances
  2. Treat CVE-2025-4427 and CVE-2025-4428 as a paired chain — both vulnerabilities must be patched together; mitigating the authentication bypass alone does not prevent exploitation if the RCE sink (CVE-2025-4428) remains accessible via other authenticated paths
  3. Restrict internet access to the EPMM management interface — place EPMM behind a VPN gateway or restrict management interface access to allowlisted IPs via firewall ACLs
  4. Review web server logs — examine EPMM logs for unauthenticated requests to /rs/api/v2/featureusage and related API endpoints; look for unusual format parameter values containing EL expression syntax (e.g., ${, #{)
  5. Hunt for webshells and in-memory implants — check for unexpected JSP or WAR files in EPMM directories; look for unusual process trees spawned by the EPMM service account, including processes invoking curl, wget, or launching reverse shell connections
  6. Audit database access — review access to the EPMM MySQL database; check for unauthorized queries against user, device, and OAuth token tables; rotate LDAP and Office 365 credentials if compromise is suspected
  7. Check enrolled device integrity — if EPMM was compromised, treat any mobile profiles, certificates, or applications deployed during the compromise window as potentially malicious and review them for unauthorized changes
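Step 4 above can be automated. The following is an added example, not from the advisory or Ivanti: it parses combined-format web server log lines, keeps requests to /rs/api/v2/featureusage, and flags any whose format parameter contains EL syntax after URL decoding, so percent-encoded and double-encoded forms that a literal grep for "${" would miss are still caught. The log lines, IP addresses and parameter values are constructed samples.

```python
# Added example (not from the advisory or Ivanti): hunt EPMM web server logs for
# the request shape described in remediation step 4: hits on /rs/api/v2/featureusage
# whose format parameter carries Spring EL syntax (${ or #{), including URL-encoded
# forms that a literal grep for "${" would miss. Log lines below are constructed.
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed combined-format log lines; IPs and values are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2025:08:01:10 +0000] "GET /rs/api/v2/devices HTTP/1.1" 401 0
203.0.113.7 - - [16/May/2025:08:02:31 +0000] "GET /rs/api/v2/featureusage?format=%24%7B%27a%27%7D HTTP/1.1" 200 512
203.0.113.7 - - [16/May/2025:08:02:45 +0000] "GET /rs/api/v2/featureusage?format=json HTTP/1.1" 200 40
198.51.100.9 - - [16/May/2025:08:03:02 +0000] "POST /rs/api/v2/featureusage?format=%2523%257B1%252B1%257D HTTP/1.1" 500 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
EL_RE = re.compile(r"[$#]\{")            # EL template markers, checked after decoding
WATCHED_PATH = "/rs/api/v2/featureusage"

def decode_fully(value: str, rounds: int = 3) -> str:
    """Strip up to `rounds` layers of percent-encoding; double encoding is a common
    way to slip past naive pattern matching on raw log text."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_text: str):
    """Return (ip, timestamp, status, decoded_format) for requests to the watched
    endpoint whose format parameter contains EL syntax after decoding."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != WATCHED_PATH:
            continue
        for fmt in parse_qs(url.query).get("format", []):   # parse_qs decodes one layer
            fmt = decode_fully(fmt)
            if EL_RE.search(fmt):
                hits.append((m["ip"], m["ts"], int(m["status"]), fmt))
    return hits
```

Feed real access log text to suspicious_requests and pivot on the returned source addresses and timestamps; the plain format=json request is correctly ignored, while both encoded variants are reported.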

Key Details

Property               Value
CVE ID                 CVE-2025-4427
Vendor / Product       Ivanti — Endpoint Manager Mobile (EPMM)
NVD Published          2025-05-13
NVD Last Modified      2025-10-24
CVSS 3.1 Score         5.3
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Severity               MEDIUM
CWE                    CWE-288
CISA KEV Added         2025-05-19
CISA KEV Deadline      2025-06-09
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-06-09. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-05-13   Ivanti discloses CVE-2025-4427 and CVE-2025-4428 together; patches released; Ivanti notes both had been exploited against a limited number of customers prior to disclosure
2025-05-15   watchTowr Labs publishes proof-of-concept exploit code; ProjectDiscovery also publishes PoC
2025-05-16   Wiz Threat Research begins observing exploitation in the wild coinciding with PoC release
2025-05-19   CISA adds CVE-2025-4427 and CVE-2025-4428 to the Known Exploited Vulnerabilities catalog
2025-05-23   EclecticIQ publishes analysis attributing exploitation to UNC5221, a China-nexus cyber-espionage group
2025-06-09   CISA BOD 22-01 remediation deadline