Attackers Advance on Two New Ivanti EPMM Flaws

Just last month, CVE-2025-22457 (CVSS 9.8) affecting Ivanti Connect Secure, Policy Secure and ZTA Gateways was recognized as a vector for ransomware. Now two new CVEs have joined the growing list of high-risk Ivanti vulnerabilities: CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile (EPMM), are under active exploitation.

Greenbone includes active check and version detection tests addressing both new CVEs and many other flaws in Ivanti products, allowing users to identify vulnerable instances, proceed with the patch process and verify security compliance once patches have been applied. In this blog post we will review the technical details of both new CVEs and assess the role that Ivanti has played in the global cyber risk calculus.

Two New CVEs in Ivanti EPMM Combine for Unauthorized Access

At the time of disclosure, Ivanti acknowledged that on-premises EPMM customers had already been breached. Cloud security firm Wiz has since reported that self-managed cloud instances have also been successfully exploited. A full technical description of the attack chain is publicly available, which lowers the bar for exploit development and further increases the risk.

Here is a brief summary of each CVE:

  • CVE-2025-4427 (CVSS 5.3): An authentication bypass in the API component of Ivanti EPMM 12.5.0.0 and prior allows unauthenticated attackers to reach protected API resources without valid credentials.
  • CVE-2025-4428 (CVSS 7.2): Remote Code Execution (RCE) in the API component of Ivanti EPMM 12.5.0.0 and prior allows authenticated attackers to execute arbitrary code via crafted API requests. Chained with CVE-2025-4427, no credentials are required.

Ivanti has released patches to remediate the flaws. Users should update EPMM to at least version 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1, depending on the release branch in use. If immediate patching is not possible, Ivanti recommends restricting API access using either the built-in Portal ACLs (Access Control Lists with the “API Connection” type) or an external WAF (Web Application Firewall). The vendor discourages network-based ACLs, since they may block some EPMM functionality. While these mitigations reduce risk, they can also impact certain EPMM integrations, such as Microsoft Autopilot and Graph API, so they should be treated as a stopgap rather than a substitute for the patch. Ivanti also offers an RPM file which can be used to patch EPMM via SSH command line access.
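The following is an added example, not Greenbone's vulnerability test and not Ivanti code: an offline version triage that maps an EPMM version string onto the fixed releases listed above. The branch mapping (the first three version components) and the treatment of branches without a listed fix as vulnerable are this example's assumptions, grounded in Ivanti's "and prior" wording for affected versions.

```python
"""Offline version triage for Ivanti EPMM against CVE-2025-4427 / CVE-2025-4428.

Fixed releases per Ivanti's advisory: 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1.
Anything below the fix within one of those branches is vulnerable; branches with
no fix listed (e.g. 12.2.x) are older, unsupported releases and are treated as
vulnerable (assumption for this example, based on "and prior" in the advisory).
"""
from typing import Tuple

Version = Tuple[int, ...]

# Fixed release per supported branch; the branch key is the first three components.
FIXED_BY_BRANCH = {
    (11, 12, 0): (11, 12, 0, 5),
    (12, 3, 0): (12, 3, 0, 2),
    (12, 4, 0): (12, 4, 0, 2),
    (12, 5, 0): (12, 5, 0, 1),
}


def parse_version(text: str) -> Version:
    """Turn '12.5.0.0' into (12, 5, 0, 0); short strings like '12.5' are zero-padded."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    return parts + (0,) * (4 - len(parts))


def fmt(version: Version) -> str:
    return ".".join(str(p) for p in version)


def assess(text: str) -> Tuple[str, str]:
    """Return (status, advice); status is 'vulnerable', 'patched' or 'newer'."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:3])
    if fixed is None:
        if version > max(FIXED_BY_BRANCH.values()):
            # A branch later than any listed fix is outside this table; confirm
            # against the vendor advisory instead of assuming it is safe.
            return "newer", "release is newer than the fixed builds listed here; confirm with the Ivanti advisory"
        return "vulnerable", "branch has no fix; upgrade to a supported branch (12.5.0.1 or later)"
    if version < fixed:
        return "vulnerable", f"upgrade to {fmt(fixed)} or later"
    return "patched", f"at or above fixed release {fmt(fixed)}"


if __name__ == "__main__":
    for v in ("11.12.0.4", "11.12.0.5", "12.2.0.1", "12.5.0.0", "12.5.0.1"):
        status, advice = assess(v)
        print(f"{v}: {status} ({advice})")
```

A version check like this only tells you whether the advertised build is below the fix; it says nothing about whether the host was exploited before patching, which is why the active check and a review of API access logs still matter after the upgrade.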

The Ivanti EPMM Exploit Chain

The exploit chain in Ivanti EPMM begins with CVE-2025-4427. Because of how the application’s Spring Security configuration (security.xml) orders request handling, certain endpoints (specifically /rs/api/v2/featureusage and its featureusage_history sibling) partially process a request before authentication is enforced whenever the format parameter is supplied. This pre-auth processing lets unauthenticated requests reach code that should only be reachable by authenticated users. The access control flaw introduced by CVE-2025-4427 sets the stage for RCE via CVE-2025-4428.

CVE-2025-4428 allows RCE via Expression Language (EL) injection through HTTP requests. If the format parameter supplied in a request is invalid per EPMM’s specification (neither “csv” nor “json”), its value is inserted into an error message without sanitization, and that message is then rendered by the framework’s message-interpolation engine, which evaluates EL expressions. By supplying a specially crafted format value, an attacker controls an EL expression that is evaluated server-side, and since EL can invoke Java methods, this yields arbitrary code execution.

Researchers have pointed out that the risks of message templating engines are well documented and rebutted Ivanti’s claim that the vulnerability stemmed from a flaw in a third-party library rather than from Ivanti’s own oversight. If the conditions leading to exploitation of CVE-2025-4428 sound familiar, that is because they are reminiscent of the infamous Log4Shell vulnerability. Like Log4Shell, CVE-2025-4428 results from passing unsanitized user input into an expression engine that interprets directives embedded in the string. In the case of Log4Shell, a malicious JNDI lookup in the formatted string (e.g., ${jndi:ldap://…}) could trigger RCE.
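Both halves of the chain described above (the pre-auth featureusage endpoints, and the format parameter as the EL sink) can be turned into a retrospective access-log check. The script below is an added example for this post, not Greenbone's detection logic and not code from Ivanti or the researchers: it parses combined-format web server log lines, restricts itself to the /rs/api/v2/featureusage endpoints named above, and flags any format value other than csv or json, with a higher-priority reason when the value carries EL markers. The log format, the sample lines and the `${7*7}` stand-in for an injected expression are constructed for the example; the percent-decoding loop exists because double-encoded payloads would otherwise pass a naive filter.

```python
"""Access-log triage for the EPMM exploit chain (CVE-2025-4427 + CVE-2025-4428).

The chain enters through the pre-auth featureusage endpoints, and the sink is the
'format' query parameter, which EPMM only expects to be 'csv' or 'json'. Any
other value reaches the error-message path; a value carrying EL markers ('${'
or '#{') is the injection itself. All sample log lines below are constructed.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT_PREFIX = "/rs/api/v2/featureusage"   # covers featureusage and featureusage_history
ALLOWED_FORMATS = {"csv", "json"}
EL_MARKERS = ("${", "#{")

# Combined/common log format; only the fields the triage needs are captured.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample, not real traffic. Line 2 carries a URL-encoded EL probe,
# line 5 the same probe double-encoded, line 4 a merely invalid value, and
# line 6 an EL-looking value on an unrelated path (assumed name) that is ignored.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/May/2025:10:21:03 +0000] "GET /rs/api/v2/featureusage?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [15/May/2025:10:21:09 +0000] "GET /rs/api/v2/featureusage?format=%24%7B7*7%7D HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [15/May/2025:10:22:00 +0000] "GET /rs/api/v2/featureusage_history?format=csv HTTP/1.1" 401 0 "-" "curl/8.0"',
    '198.51.100.7 - - [15/May/2025:10:22:05 +0000] "GET /rs/api/v2/featureusage?format=xml HTTP/1.1" 400 0 "-" "curl/8.0"',
    '198.51.100.7 - - [15/May/2025:10:22:11 +0000] "GET /rs/api/v2/featureusage_history?format=%2524%257B7*7%257D HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.5 - - [15/May/2025:10:23:00 +0000] "GET /rs/api/v2/other?format=%24%7B7*7%7D HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; attackers double-encode to slip past naive filters."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if the line is not suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith(ENDPOINT_PREFIX):
        return None
    # parse_qs already strips one layer of percent-encoding; fully_decode handles the rest.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("format", []):
        value = fully_decode(raw)
        if value in ALLOWED_FORMATS:
            continue
        reason = ("EL markers in format parameter"
                  if any(mk in value for mk in EL_MARKERS)
                  else "invalid format value")
        return {"client": m["client"], "ts": m["ts"], "status": m["status"],
                "path": parts.path, "format": value, "reason": reason}
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run triage_line over a log and keep only the findings."""
    return [hit for hit in map(triage_line, lines) if hit]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["path"]} format={hit["format"]!r} -> {hit["reason"]}')
```

The "invalid format value" tier is deliberately kept: a scanner or a clumsy attacker will often probe with harmless junk before sending an expression, so those lines are useful context even though only the EL-marker tier indicates an actual injection attempt. Note that a 401 on the featureusage_history request is not by itself proof of safety, since the point of CVE-2025-4427 is that the format value is processed before the authentication decision is returned.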

Risk Assessment: Attackers Advance on Ivanti Flaws

Ivanti has been in the hot seat for the past few years. Attackers have repeatedly exploited flaws in Ivanti products to gain initial access to victims’ networks. Across all product lines, the vendor has accounted for 61 Critical severity (CVSS >= 9.0) CVEs since the start of 2023. 30 of these have been added to CISA’s KEV (Known Exploited Vulnerabilities) catalog, although the true number of actively exploited flaws may be higher. Ivanti CVEs also have a high conversion rate into ransomware campaigns: CISA flags 8 of them as known to be used in ransomware.

In early 2024, the European Commission, ENISA, CERT-EU and Europol issued a joint statement addressing active exploitation of Ivanti Connect Secure and Policy Secure Gateway products. In the US, CISA directed all federal civilian agencies to disconnect these products and assume they had been breached [1][2]. CISA, the FBI and cybersecurity agencies from the UK, Australia and Canada issued a joint advisory warning of ongoing exploitation. By late 2024, CISA had also alerted to active exploitation of Ivanti Cloud Service Appliances (CSA), warning that both state-sponsored and financially motivated threat actors were successfully targeting unpatched systems.

In 2025, on January 8th, CISA warned that newly disclosed CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure, Policy Secure and ZTA Gateways were also under active exploitation. Unfortunately, attackers continue to advance on new flaws in Ivanti’s products well into 2025 including CVE-2025-22457 [3][4] and now, two new CVEs in EPMM discussed above.

Dennis Kozak replaced Jeff Abbott as Ivanti’s CEO effective January 1, 2025, despite a mid-2024 pledge from Mr. Abbott to improve product security. No public statement linked the succession to the Utah company’s security troubles, but it came with only a few weeks’ notice. Ivanti executives have not been called to testify before the US Congress, as other cybersecurity leaders have been after high-profile incidents, including Sudhakar Ramakrishna (CEO of SolarWinds), Brad Smith (President of Microsoft) and CrowdStrike executives following the July 2024 outage.

Echoes from EPMM’s Past: CVE-2023-35078 and CVE-2023-35082

In addition to the vortex of vulnerabilities discussed above, CVE-2023-35078 (CVSS 9.8) and CVE-2023-35082 (CVSS 9.8), disclosed in July and August 2023 respectively, were both authentication bypasses that gave unauthenticated attackers access to the EPMM API; chained with CVE-2023-35081, an arbitrary file write, this led to remote code execution. CVE-2023-35078 was already being exploited as a zero-day when it was disclosed, and attacks broadened rapidly afterwards.

CVE-2023-35078 was exploited to breach the Norwegian government, compromising data from twelve ministries [3][4]. CISA issued an urgent advisory (AA23-214A) citing confirmed exploitation by Advanced Persistent Threat (APT) actors and advising all federal agencies to take immediate mitigation steps. Even back in 2023, the speed and breadth of the attacks underscored Ivanti’s growing profile as a repeat offender, enabling espionage and financially motivated cybercrime.

Summary

Ivanti EPMM is affected by two new vulnerabilities, CVE-2025-4427 and CVE-2025-4428, which can be chained for unauthenticated remote code execution. Now under active exploitation, they underscore a troubling pattern of high-severity flaws in Ivanti products. Ivanti has released patches to remediate the flaws, and users should update EPMM to at least version 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1, depending on the release branch in use.

Greenbone’s vulnerability detection capabilities extend to include tests for CVE-2025-4427 and CVE-2025-4428 allowing Ivanti EPMM users to identify all vulnerable instances and verify security compliance once patches have been applied.