What is Ivanti Endpoint Manager Mobile (EPMM)?
Ivanti Endpoint Manager Mobile (EPMM), formerly branded as MobileIron Core, is an enterprise Mobile Device Management (MDM) platform used by organizations to centrally manage and secure smartphones, tablets, and other mobile devices across their workforce. It is widely deployed in government agencies, healthcare organizations, telecommunications companies, and large enterprises to enforce mobile security policies, distribute applications, and manage device compliance.
Key functions include:
- Device enrollment and lifecycle management — provision, configure, and retire corporate and BYOD mobile devices
- Policy enforcement — push security policies (encryption, screen lock, app restrictions) to enrolled devices
- Application management — distribute, update, and remotely wipe enterprise applications from a central console
- VPN and network access — configure and distribute VPN profiles and certificates to managed endpoints
- Compliance monitoring — continuously assess enrolled device posture and flag non-compliant devices
EPMM is typically deployed as an on-premises appliance with its management interface exposed to the internet for device check-ins. A compromised EPMM server provides attackers with access to LDAP user databases, Office 365 refresh and access tokens, managed device metadata, and the ability to push malicious configurations to every enrolled mobile device — making it a recurring target for nation-state espionage operations.
Overview
CVE-2025-4428 is a code injection vulnerability (CWE-94) in Ivanti EPMM's API component that allows an attacker to execute arbitrary Java code on the server by injecting Spring Expression Language (EL) expressions into a vulnerable API endpoint. The vulnerability exists in the DeviceFeatureUsageReportQueryRequestValidator, which processes user-supplied input through Spring's AbstractMessageSource without neutralizing EL expression syntax.
Although CVE-2025-4428 formally requires high privilege (CVSS PR:H, CVSS score 7.2), its practical severity is dramatically elevated when chained with CVE-2025-4427 (authentication bypass). Together, the two vulnerabilities form an unauthenticated remote code execution chain accessible to any attacker who can reach the EPMM management interface over the network.
Both vulnerabilities were exploited as zero-days prior to Ivanti's May 13, 2025 disclosure. Exploitation was subsequently attributed by EclecticIQ to UNC5221, a China-nexus cyber-espionage group with a documented history of targeting Ivanti products since at least 2023. The companion CVE-2025-35036 documents the upstream Hibernate Validator library component involved.
Affected Versions
| Version branch | Vulnerable | Fixed version |
|---|---|---|
| EPMM 11.12.0.4 and prior | Yes | 11.12.0.5 |
| EPMM 12.3.0.1 and prior | Yes | 12.3.0.2 |
| EPMM 12.4.0.1 and prior | Yes | 12.4.0.2 |
| EPMM 12.5.0.0 and prior | Yes | 12.5.0.1 |
| Ivanti Neurons for MDM (cloud) | Not affected | — |
Ivanti recommends prioritizing internet-facing appliances when applying patches.
Technical Details
CVE-2025-4428 is a Spring Expression Language (EL) injection vulnerability rooted in the unsafe handling of user-supplied input within EPMM's feature usage report API. The DeviceFeatureUsageReportQueryRequestValidator class processes user-controlled request parameters and passes them through Spring's AbstractMessageSource for message interpolation — without sanitizing EL expression syntax characters.
When a request to /rs/api/v2/featureusage includes a format parameter containing EL expression syntax (such as ${Runtime.getRuntime().exec('id')}), Spring's message interpolation engine evaluates the expression as executable code rather than treating it as literal string data. This results in arbitrary Java code execution under the EPMM service account.
Exploit chain with CVE-2025-4427:
- The attacker sends an HTTP request to /rs/api/v2/featureusage without credentials; authentication is bypassed because this route lacks <intercept-url> rules in the Spring Security configuration (CVE-2025-4427)
- The format request parameter is set to a crafted EL expression payload
- DeviceFeatureUsageReportQueryRequestValidator processes the format parameter through AbstractMessageSource, which evaluates the EL expression
- Arbitrary Java code executes on the EPMM server under the EPMM service account, with full access to the server's filesystem, database, and network
The vulnerability is attributed in part to the insecure implementation of a bundled Hibernate Validator library component (documented separately as CVE-2025-35036). watchTowr Labs used the technique of Java Reflection within their PoC to execute commands via the EL injection sink, demonstrating that the attack does not require any special tools beyond a crafted HTTP request.
Attack characteristics:
- When chained with CVE-2025-4427: no credentials or prior access required
- Achieves full RCE — arbitrary Java code execution on the EPMM appliance
- Exploitable over the internet against any EPMM instance with a reachable management interface
- Public PoC available from watchTowr Labs and ProjectDiscovery since May 15, 2025
Discovery
CVE-2025-4428 was disclosed alongside CVE-2025-4427 on May 13, 2025. Ivanti stated that both vulnerabilities had already been exploited against a limited number of customers prior to the advisory. watchTowr Labs published the first detailed public technical analysis including a working proof-of-concept exploit on May 15, 2025, documenting the EL injection mechanism and the Spring Security misconfiguration that enables unauthenticated access to the vulnerable endpoint. ProjectDiscovery independently published a technical analysis and PoC the same day. Wiz Threat Research and EclecticIQ subsequently documented exploitation in the wild and threat actor attribution.
Exploitation Context
CVE-2025-4428 was actively exploited as a zero-day and subsequently weaponized at scale following PoC publication:
- Zero-day exploitation: Ivanti confirmed at disclosure that CVE-2025-4427 and CVE-2025-4428 had both been exploited in the wild against a limited set of customers before the May 13, 2025 advisory.
- Post-PoC exploitation surge: Wiz Threat Research observed exploitation activity beginning May 16, 2025 — coinciding with PoC publication by watchTowr Labs and ProjectDiscovery — indicating rapid operationalization of the public exploit.
- UNC5221 attribution: EclecticIQ attributed approximately 20 attacks targeting internet-facing EPMM deployments to UNC5221, a China-nexus cyber-espionage group. EclecticIQ assessed this attribution with high confidence based on infrastructure reuse, hard-coded credential abuse patterns, and tradecraft alignment with prior UNC5221 campaigns against Ivanti products.
- Post-exploitation tradecraft: UNC5221 used the RCE chain to deploy KrustyLoader (a loader fetched from attacker-controlled AWS S3 buckets), which injected the Sliver backdoor directly into server memory to evade file-based detection. The actors used Fast Reverse Proxy (FRP) for network reconnaissance and lateral movement. They accessed the EPMM MySQL database using hard-coded credentials stored at /mi/files/system/.mifpp, extracting LDAP user data, managed device metadata, and Office 365 refresh and access tokens.
- Webshell deployment: Wiz Research documented attackers uploading webshells to EPMM servers, including the Behinder webshell family retrieved from public hosting services (Pastebin, GitHub) and Base64-encoded payloads executed inline via the RCE chain.
- Targeted sectors and regions: Confirmed targets include organizations in healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region.
- Continued Ivanti targeting pattern: UNC5221 and related China-nexus threat actors have repeatedly exploited Ivanti EPMM zero-days since 2023, demonstrating sustained strategic interest in compromising MDM infrastructure to gain lateral access into enterprise and government mobile environments.
Remediation
- Apply the patch immediately — upgrade to EPMM 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1 depending on your installed version; prioritize internet-facing appliances
- Treat CVE-2025-4428 and CVE-2025-4427 as a paired chain — both vulnerabilities must be patched together; addressing the RCE sink alone does not fully eliminate risk if the authentication bypass remains exploitable via other paths
- Restrict internet access to the EPMM management interface — place EPMM behind a VPN gateway or restrict management interface access to allowlisted IPs via firewall ACLs; the attack chain requires only a single reachable endpoint
- Review web server logs — examine EPMM logs for requests to /rs/api/v2/featureusage; look for format parameter values containing EL expression syntax (${, #{, T()
- Hunt for webshells and in-memory implants — check for unexpected JSP or WAR files in EPMM web directories; look for unusual processes spawned by the EPMM service account (particularly curl, wget, reverse shell connections, or processes loading from /tmp)
- Audit database credentials and access — change any credentials stored in /mi/files/system/.mifpp; audit MySQL access logs for unauthorized queries; rotate LDAP and Office 365 credentials if the EPMM database was accessible during a suspected compromise window
- Review enrolled device integrity — if EPMM was compromised, treat any mobile profiles, certificates, or applications deployed to enrolled devices during the compromise window as potentially malicious
- Check for KrustyLoader and Sliver indicators — scan for KrustyLoader artifacts retrieved from S3 URLs and look for in-memory Sliver C2 beacons using memory scanning tools; review outbound network connections from the EPMM server for connections to unexpected infrastructure
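The log-review step above, as an added example that is not part of the original advisory: a small Python hunt that parses constructed combined-format access-log lines, decodes the format parameter sent to /rs/api/v2/featureusage (including double-encoded values, which a single decode would miss) and flags the EL markers named above. The log line shape, the sample lines and the function names are assumptions, not EPMM's own log format.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined access-log format (not real EPMM logs);
# two carry EL syntax in the format parameter, the second one double-encoded.
SAMPLE_LOGS = [
    '203.0.113.7 - - [16/May/2025:10:01:12 +0000] "GET /rs/api/v2/featureusage'
    '?format=%24%7B7*7%7D HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [16/May/2025:10:02:01 +0000] "GET /rs/api/v2/featureusage'
    '?format=csv HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [16/May/2025:10:03:44 +0000] "GET /mifs/login.jsp'
    ' HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/May/2025:10:04:09 +0000] "GET /rs/api/v2/featureusage'
    '?format=%2523%257B7*7%257D HTTP/1.1" 500 99 "-" "curl/8.4.0"',
]

TARGET_PATH = "/rs/api/v2/featureusage"
EL_MARKERS = ("${", "#{", "T(")  # markers named in the log-review guidance above
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    # Percent-decode repeatedly so double-encoded payloads do not evade the match.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def hunt(lines):
    # Flag requests to the feature-usage endpoint whose format parameter carries EL syntax.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected access-log shape; skip rather than guess
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        # parse_qs decodes once; fully_decode catches additional encoding layers
        for value in parse_qs(url.query, keep_blank_values=True).get("format", []):
            decoded = fully_decode(value)
            markers = [mk for mk in EL_MARKERS if mk in decoded]
            if markers:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": int(m.group("status")),
                                 "format": decoded, "markers": markers})
    return findings
```

Call hunt(SAMPLE_LOGS) to see the two flagged requests; feed it real access-log lines of the same shape to triage an appliance. A 500 response does not mean the attempt failed, so every hit warrants the webshell and credential checks listed above.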
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-4428 |
| Vendor / Product | Ivanti — Endpoint Manager Mobile (EPMM) |
| NVD Published | 2025-05-13 |
| NVD Last Modified | 2025-10-24 |
| CVSS 3.1 Score | 7.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-94 |
| CISA KEV Added | 2025-05-19 |
| CISA KEV Deadline | 2025-06-09 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-05-13 | Ivanti discloses CVE-2025-4427 and CVE-2025-4428 together; patches released; Ivanti notes both had been exploited against a limited number of customers prior to disclosure |
| 2025-05-15 | watchTowr Labs publishes proof-of-concept exploit code and technical analysis; ProjectDiscovery also publishes PoC |
| 2025-05-16 | Wiz Threat Research begins observing exploitation in the wild coinciding with PoC release |
| 2025-05-19 | CISA adds CVE-2025-4427 and CVE-2025-4428 to the Known Exploited Vulnerabilities catalog |
| 2025-05-23 | EclecticIQ publishes analysis attributing exploitation to UNC5221, a China-nexus cyber-espionage group |
| 2025-06-09 | CISA BOD 22-01 remediation deadline |