Ivanti EPMM RCE Vulnerability Chain Exploited in the Wild | Wiz Blog

Ivanti Endpoint Manager Mobile (EPMM) is affected by two vulnerabilities, CVE-2025-4427 and CVE-2025-4428, that chain into unauthenticated remote code execution. Both are being exploited in the wild, and the chain is a critical risk even though each CVE carries only a moderate CVSS score on its own. #IvantiEPMM #RCE #Vulnerabilities #Cybersecurity

Keypoints

  • Two vulnerabilities—CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (post-auth remote code execution)—exist in Ivanti Endpoint Manager Mobile.
  • CVE-2025-4428 stems from user-controlled input reaching Java Expression Language (EL) evaluation; CVE-2025-4427 stems from API routes being reachable without authentication because of how they were registered in the Spring Security configuration. Together they give unauthenticated RCE.
  • Affected releases are EPMM 11.12.0.4, 12.3.0.1, 12.4.0.1 and 12.5.0.0 and earlier in each branch; Ivanti ships fixes in 11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1.
  • Active exploitation has been observed since May 16th, 2025, involving deployment of malicious payloads including Sliver beacons.
  • The same threat actor appears to be reusing C2 infrastructure seen in earlier PAN-OS exploitation, pointing to sustained targeting of internet-facing network and management appliances.
  • Key IOCs include Sliver beacon SHA1 hashes and IP addresses such as 77.221.157.154 and 79.96.45.181.
  • Mitigation is upgrading to a fixed EPMM release. Until then, restrict network access to the affected API endpoints (Ivanti's advisory points to the built-in Portal ACLs or an external WAF) and hunt for the IOCs below.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The attackers exploited CVE-2025-4427 and CVE-2025-4428 on exposed Ivanti EPMM cloud instances to achieve remote code execution (‘…crafted format parameter in the /api/v2/featureusage endpoint results in arbitrary Java code execution…’).
  • [T1078] Valid Accounts – No credentials are actually used: the bypass comes from Spring Security route configuration that left API routes reachable without authentication (‘…routes like /rs/api/v2/featureusage were unintentionally exposed without requiring authentication…’), so the pre-auth step is better read as part of T1190 than as account abuse.
  • [T1059] Command and Scripting Interpreter – Arbitrary Java code execution via Expression Language injection allowed command execution such as Runtime.exec() (‘…allows attacker-controlled EL injection resulting in arbitrary Java code execution…’).
  • [T1071] Application Layer Protocol – Deployment of Sliver beacons communicating with a C2 server over specific IP addresses (‘…a Sliver beacon using 77.221.157[.]154 as its C2 server…’).

Indicators of Compromise

  • [File Hashes] Sliver beacon payloads – SHA1: 1b1dda5e8e26da568559e0577769697c624df30e, ac389c8b7f3d2fcf4fd73891f881b12b8343665b
  • [IP Addresses] Command and control servers – 77.221.157.154, 79.96.45.181
  • [Domains] Likely threat infrastructure – elektrobohater.pl, wagodirect.pl, e-wago.pl
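The detection a practitioner wants from the MITRE section (EL expressions arriving in the `format` parameter of the unauthenticated `/rs/api/v2/featureusage` route) and from the IOC list (the two C2 addresses) can be run over EPMM web access logs. The script below is an added example, not code from the Wiz post or from Ivanti. It assumes Apache/Tomcat combined-format access-log lines and a `/mifs` context path; the sample log lines are constructed for the example, and on a real appliance the log location and field order may differ, so adjust `LOG_RE` accordingly.

```python
"""Hunt EPMM web access logs for CVE-2025-4427 / CVE-2025-4428 exploitation.

Added example; not code from the Wiz post or from Ivanti. Assumes combined
access-log lines; adjust LOG_RE if your appliance logs a different layout.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qsl, unquote, urlsplit

# Indicators from the write-up.
C2_IPS = {"77.221.157.154", "79.96.45.181"}

# API route the write-up names as reachable without authentication.
# Matched as a suffix so the context path (e.g. /mifs) does not matter.
FEATUREUSAGE_SUFFIX = "/rs/api/v2/featureusage"

# Combined log format; the request target is what we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Openers for Java EL (${...}) and SpEL-style (#{...}) expressions.
EL_OPENER = re.compile(r"[$#]\{")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to dodge WAFs."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def el_params(target: str) -> list:
    """Names of query parameters whose decoded value contains an EL opener."""
    query = urlsplit(target).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if EL_OPENER.search(decode_fully(value))]


def classify(line: str) -> Optional[dict]:
    """Parse one line and attach findings (empty list means nothing suspicious)."""
    rec = parse_line(line)
    if rec is None:
        return None
    findings = []
    path = urlsplit(rec["target"]).path
    if path.endswith(FEATUREUSAGE_SUFFIX):
        hits = el_params(rec["target"])
        # Any hit on the unauthenticated route is worth a look; EL in a
        # parameter is the CVE-2025-4428 injection pattern itself.
        findings.append("el-injection:" + ",".join(hits) if hits else "featureusage-access")
    if rec["ip"] in C2_IPS:
        findings.append("known-c2-ip")
    return {"ip": rec["ip"], "ts": rec["ts"], "path": path,
            "status": rec["status"], "findings": findings}


def hunt(lines) -> list:
    """Return only the records that carry at least one finding."""
    out = []
    for line in lines:
        rec = classify(line)
        if rec and rec["findings"]:
            out.append(rec)
    return out


def sources(results) -> Counter:
    """Count flagged requests per source IP for triage."""
    return Counter(rec["ip"] for rec in results)


# Constructed sample lines (not real appliance logs).
SAMPLE_LOG = [
    # ordinary API use
    '10.20.30.40 - - [16/May/2025:09:58:01 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 200 742',
    # EL probe: percent-encoded ${7*7} in the format parameter
    '203.0.113.7 - - [16/May/2025:10:02:15 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7B7*7%7D HTTP/1.1" 500 1203',
    # double-encoded Runtime.exec attempt from a C2 address named in the write-up
    '79.96.45.181 - - [16/May/2025:10:05:44 +0000] "GET /mifs/rs/api/v2/featureusage?format=%2524%257B%2527%2527.getClass%2528%2529.forName%2528%2527java.lang.Runtime%2527%2529.getRuntime%2528%2529.exec%2528%2527id%2527%2529%257D HTTP/1.1" 500 1203',
    # unrelated request
    '10.20.30.41 - - [16/May/2025:10:06:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 3100',
]

if __name__ == "__main__":
    for rec in hunt(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["path"], rec["status"], rec["findings"])
    print(sources(hunt(SAMPLE_LOG)))
```

A 500 response on the `featureusage` route with an EL opener in a parameter is the strongest signal here: the write-up's description of the bug is that the crafted `format` value is evaluated, so the response code alone does not tell you whether the expression ran, and any such request warrants checking the host for the Sliver hashes listed above.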


Read more: https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428