RCE in Ivanti Endpoint Manager Mobile API
CVE-2025-4428 is a remote code execution vulnerability in the API component of Ivanti Endpoint Manager Mobile (EPMM) affecting version 12.5.0.0 and earlier. Public descriptions characterize it as a code injection flaw in the EPMM API, with multiple references indicating the issue is a Spring Expression Language (SpEL) injection via the format parameter of the /api/v2/featureusage-related endpoints. Supporting context also attributes the underlying weakness to an insecure Hibernate Validator implementation associated with CVE-2025-35036. On its own, the flaw requires authentication, but it was widely reported as being chained with CVE-2025-4427, an authentication bypass in the same product, to achieve unauthenticated remote code execution against internet-facing EPMM appliances.
Exploits
This repository provides an operational exploit and detection tool for CVE-2025-4427 and CVE-2025-4428, targeting Ivanti Endpoint Manager Mobile (EPMM). The main exploit is implemented in 'CVE-2025-4428.py', a Python script that allows unauthenticated remote code execution by exploiting a Server-Side Template Injection (SSTI) vulnerability in a Java bean validator. The exploit works by sending a crafted HTTP GET request to vulnerable endpoints (such as '/api/v2/featureusage' and '/api/v2/featureusage_history') with a malicious 'format' parameter that triggers arbitrary command execution on the server. The script supports custom command execution, proxying, output redirection, and multi-shell support (bash/sh). The YAML file ('CVE-2025-4427.yaml') provides a nuclei-compatible detection template for automated scanning. The repository is well-structured, with clear documentation and operational exploit code, and is suitable for both detection and exploitation of the targeted vulnerabilities.
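Because both descriptions above name the same two endpoints and the same format parameter, a defender's first question is whether those requests appear in the appliance's web access logs. The following is an added example written for this page, not code from Ivanti, from the exploit repository, or from Mallory: it parses constructed Apache-style access log lines, and flags any request to the featureusage endpoints whose format value either contains SpEL template syntax or is not one of the values the endpoint is assumed to accept. The set of benign format values, the log line layout, and all sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoints named in public descriptions of CVE-2025-4428.
WATCHED_PATHS = ("/api/v2/featureusage", "/api/v2/featureusage_history")
# Values the format parameter is assumed to take legitimately (assumption for this example).
BENIGN_FORMATS = {"json", "csv", "xml"}
# Syntax fragments characteristic of Spring Expression Language templates.
SPEL_MARKERS = ("${", "#{", "T(")

# Minimal Apache/nginx combined-log style pattern (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target):
    """Return a reason string if the request target looks like a SpEL
    injection attempt on a watched endpoint, otherwise None."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") not in WATCHED_PATHS:
        return None
    # parse_qs percent-decodes once; unquote again to catch double-encoded values.
    values = parse_qs(parts.query, keep_blank_values=True).get("format", [])
    for raw in values:
        value = unquote(raw)
        if any(marker in value for marker in SPEL_MARKERS):
            return f"spel-syntax in format={value!r}"
        if value.lower() not in BENIGN_FORMATS:
            return f"unexpected format={value!r}"
    return None


def scan_log(lines):
    """Return (source_ip, request_target, reason) for every suspicious line."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed layout
        reason = classify_request(match.group("target"))
        if reason:
            hits.append((match.group("ip"), match.group("target"), reason))
    return hits


# Constructed sample log lines; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/May/2025:10:00:01 +0000] "GET /api/v2/featureusage?format=json HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/May/2025:10:00:05 +0000] "GET /api/v2/featureusage_history?format=%24%7B%27probe%27%7D HTTP/1.1" 200 88',
    '198.51.100.7 - - [15/May/2025:10:00:09 +0000] "GET /api/v2/featureusage?format=pdf HTTP/1.1" 400 0',
    '192.0.2.5 - - [15/May/2025:10:01:00 +0000] "GET /api/v2/devices?format=%24%7Bx%7D HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for ip, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{target}")
```

The allow-list check matters more than the marker check: once the encoded form of a payload is varied, matching on `${` alone misses it, whereas any format value outside the small set the endpoint actually supports is worth a look. Pair hits on the featureusage endpoints with requests from the same source that hit the authentication-bypass path reported for CVE-2025-4427, since the chain described above is the unauthenticated case.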
Recent activity
Code injection / RCE vulnerability in Ivanti EPMM API requiring authentication, typically exploited after CVE-2025-4427; tied to an insecure Hibernate Validator implementation.
A previously exploited zero-day vulnerability affecting Ivanti EPMM, referenced as part of earlier attack campaigns against the product.
A vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that was exploited alongside CVE-2025-4427 to enable compromise of a U.S. utility, facilitating backend database data theft and credential replay for lateral movement.
An Ivanti EPMM vulnerability that can be chained with CVE-2025-4427 to execute arbitrary code; exploited by a China-nexus actor.