Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428)
Created on 2025-05-14 06:25, updated on 2025-05-14 06:26, by Alexandre Dulaunoy
Description
Ivanti has released updates for Endpoint Manager Mobile (EPMM) which address one medium-severity and one high-severity vulnerability. When chained together, successful exploitation could lead to unauthenticated remote code execution.
We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.
| CVE Number | Description | CVSS Score (Severity) | CVSS Vector | CWE |
|---|---|---|---|---|
| CVE-2025-4427 | An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. | 5.3 (Medium) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | CWE-288 |
| CVE-2025-4428 | A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system | 7.2 (High) | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | CWE-94 |
Mitigation or Workaround
Customers can mitigate the threat by following best-practice guidance of filtering access to the API using either the built-in Portal ACLs functionality or an external WAF. You can find additional information on using the Portal ACLs functionality HERE.
- The risk to customers is significantly reduced if they already filter access to the API using either the built-in Portal ACLs functionality or an external WAF.
- When reviewing or implementing additional API restrictions, please ensure you are using the “API Connection” type.
- We do NOT recommend using the “ACLs” functionality, as it blocks all access by network ranges, not just access to specific functionality.
- While this is an effective mitigation, it could impact the functionality of your solution depending on your specific configuration. In particular, integrations where IPs are difficult to determine or change often will be impacted, such as:
  - Windows Device Registrations using Autopilot
  - Microsoft Device Compliance and Graph API integrations
- Additionally, an RPM file can be provided if customers need an alternative option. Customers will need to open a Support Case to receive the RPM file. Here's a step-by-step guide to install the RPM file:
  1. Use SSH to connect to the instance and log in to the system CLI as the admin user. The admin account is created during system installation.
  2. Type `enable` and provide the corresponding system password (set during the system installation) to enter EXEC PRIVILEGED mode. You’ll notice the command line prompt changes from `>` to `#`.
  3. Run the command `install rpm url https://hostname/pathtorpm` to download and install the RPM file.
  4. Once the RPM installation is complete, type `reload` to restart the system. This will apply the update effectively.
The RPM file has been tested on supported versions of EPMM (versions 12.3, 12.4, and 12.5). The RPM may work on older versions, but Ivanti has not tested the mitigation on unsupported versions. We strongly recommend customers move to a supported version of the product.