The U.S. Cybersecurity and Infrastructure Security Agency (CISA) officially added two critical zero-day vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities (KEV) catalog.
These vulnerabilities, CVE-2025-4427 and CVE-2025-4428, are actively exploited in the wild and pose significant risks to organizations using Ivanti’s EPMM platform.
Ivanti EPMM Vulnerabilities Exploited in the Wild
The vulnerabilities were initially reported to Ivanti by CERT-EU, the European Union’s Cybersecurity Service.
The exploit chain leverages a fundamental flaw in the execution sequence of Spring MVC’s argument resolution.
CVE-2025-4427 exists in the API component of Ivanti EPMM and allows attackers to bypass authentication controls by sending specially crafted API requests.
The root cause is an insecure implementation of the Spring Framework open-source library, leading to unauthorized access to protected resources.
This vulnerability is associated with CWE-288 (Authentication Bypass).
CVE-2025-4428 enables an authenticated attacker to execute arbitrary code remotely through crafted API requests.
It arises from an insecure use of the Hibernate Validator open-source library. This vulnerability corresponds to CWE-94 (Code Injection).
When chained together, these vulnerabilities can allow unauthenticated remote code execution on affected systems, significantly escalating the threat level.
Security researchers from ProjectDiscovery explained the technical details: “Spring MVC binds query parameters to DeviceFeatureUsageReportQueryRequest, @Valid triggers DeviceFeatureUsageReportQueryRequestValidator.isValid(), and the validator calls localizedMessageBuilder, inserting the untrusted format value into a message template.
The template is parsed by the EL engine; any ${…} expression is evaluated immediately. Only after validation finishes does MethodSecurityInterceptor execute the @PreAuthorize check—which is obviously too late”.
The vulnerabilities affect the “/api/v2/featureusage” and “/api/v2/featureusage_history” endpoints and stem from insecure implementations of two open-source libraries: Spring Framework and Hibernate Validator.
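The following is an added example, not Ivanti's code and not ProjectDiscovery's; it shows, in a deliberately small Bean Validation validator, the pattern the write-up describes (an untrusted request value concatenated into a violation message template, which the EL-aware interpolator then evaluates during argument resolution) beside the hardened form. The annotation, class and method names, the `format` field and the allowed-format list are all assumptions made for the example; `ConstraintValidatorContext`, `HibernateConstraintValidatorContext.addMessageParameter` and `buildConstraintViolationWithTemplate` are the real Bean Validation / Hibernate Validator APIs.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;
import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.Payload;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;

// Class-level constraint; the names here are assumptions for this example.
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
@Constraint(validatedBy = ReportQueryValidator.class)
@interface ValidReportQuery {
    String message() default "invalid report query";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

// Query object that Spring MVC populates from request parameters,
// so "format" is attacker-controlled input.
@ValidReportQuery
class ReportQueryRequest {
    private String format;
    public String getFormat() { return format; }
    public void setFormat(String format) { this.format = format; }
}

public class ReportQueryValidator
        implements ConstraintValidator<ValidReportQuery, ReportQueryRequest> {

    private static final Set<String> ALLOWED_FORMATS = Set.of("json", "csv");

    @Override
    public boolean isValid(ReportQueryRequest request, ConstraintValidatorContext ctx) {
        if (request == null) {
            return true;  // null handling belongs to @NotNull, not to this validator
        }
        String format = request.getFormat();
        if (format != null && ALLOWED_FORMATS.contains(format)) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();

        // UNSAFE (the pattern the write-up describes): the untrusted value is
        // concatenated into the template itself. If expression language is
        // enabled for custom violations, the interpolator evaluates any ${...}
        // it finds there, and it does so during argument resolution, before
        // the handler's @PreAuthorize check is ever reached.
        //   ctx.buildConstraintViolationWithTemplate("Unsupported format " + format)
        //      .addConstraintViolation();

        // SAFE: the template is a constant and the value travels as a message
        // parameter. Hibernate Validator escapes parameter values before
        // interpolation, so they are substituted as text, never parsed as EL.
        ctx.unwrap(HibernateConstraintValidatorContext.class)
           .addMessageParameter("format", String.valueOf(format))
           .buildConstraintViolationWithTemplate("Unsupported format {format}")
           .addConstraintViolation();
        return false;
    }
}
```

Whether the commented-out branch is actually exploitable depends on the Hibernate Validator version in use and on its expression-language feature level for custom violations; the defensive rule does not depend on either: request-controlled data never becomes part of a template string, only of a parameter, and validators should not execute anything that an unauthenticated caller could influence.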
On May 15, watchTowr Labs published a proof-of-concept exploit on GitHub, significantly increasing the risk of widespread attacks.
The Shadowserver Foundation reported that 798 instances remained vulnerable as of May 19, down from 940 on May 16.
This marks another security incident for Ivanti, following multiple vulnerabilities in its products earlier this year.
In January, threat actors exploited zero-day flaws in Ivanti Connect Secure VPN devices, while in March, CISA added three critical Ivanti Endpoint Management vulnerabilities to the KEV catalog.
A separate critical vulnerability (CVE-2025-22457) affecting Ivanti Connect Secure was added to the KEV catalog in April after Chinese state-sponsored actors exploited it in cyber espionage campaigns.
| CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
| --- | --- | --- | --- | --- |
| CVE-2025-4427 | Ivanti EPMM ≤12.5.0.0 (on-premises deployments) | Authentication bypass via API, enabling access to protected resources | Network access to EPMM API endpoints | 5.3 (Medium) |
| CVE-2025-4428 | Ivanti EPMM ≤12.5.0.0 (on-premises deployments) | Authenticated RCE via code injection in API requests | Network access to EPMM API endpoints; authentication (bypassed via CVE-2025-4427) | 7.2 (High) |
Patched Versions
Organizations using Ivanti EPMM should immediately upgrade to patched versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.
Alternatively, Ivanti recommends implementing API filtering via Portal ACLs or an external WAF to reduce risk.
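The mitigation Ivanti recommends (filtering API access in front of the application) works because it rejects the request before Spring MVC resolves and validates handler arguments. The added example below, which is not Ivanti's code, shows the same idea inside a Spring application: a controller guarded only by `@PreAuthorize` still lets anonymous requests reach argument binding and `@Valid`, whereas an authorization rule in the Spring Security filter chain stops them earlier. The endpoint path is taken from the article; the class names, the `format` field and the use of HTTP Basic authentication are assumptions.

```java
import jakarta.validation.Valid;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Minimal query object (assumed); in a real application it carries the
// constraint whose validator runs during argument resolution.
class ReportQueryRequest {
    private String format;
    public String getFormat() { return format; }
    public void setFormat(String format) { this.format = format; }
}

@RestController
class FeatureUsageController {

    // Order of execution for a request to this handler:
    //   1. servlet filter chain, including Spring Security's authorization filter
    //   2. DispatcherServlet argument resolution: bind query parameters, run @Valid
    //   3. MethodSecurityInterceptor evaluates @PreAuthorize
    //   4. handler body
    // With only step 3 guarding the endpoint, an anonymous request still reaches
    // step 2, so anything a validator does (message interpolation included)
    // executes before the request is denied.
    @PreAuthorize("isAuthenticated()")
    @GetMapping("/api/v2/featureusage")
    String featureUsage(@Valid ReportQueryRequest query) {
        return "report in " + query.getFormat();
    }
}

@Configuration
@EnableMethodSecurity
class ApiSecurityConfig {

    @Bean
    SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.securityMatcher("/api/**")
            // WEAK: leaving the API open here and trusting @PreAuthorize alone
            //   .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            // HARDENED: reject anonymous API requests in the filter chain, before
            // the dispatcher resolves any handler argument
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

The filter-chain rule is the in-application counterpart of a portal ACL or WAF rule: both make the authentication decision before any request data is parsed, so method-level checks become a second layer rather than the only one.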
The company clarified that only on-premises EPMM instances are affected; Ivanti Neurons for MDM, Ivanti Sentry, and other products remain unimpacted.
CISA’s KEV catalog has grown substantially since its launch in November 2021, with 185 vulnerabilities added in 2024 alone, bringing the total to 1,238 software and hardware flaws considered high risk for cyberattacks.
The catalog serves as a critical resource for vulnerability management prioritization across both public and private sectors.