
DIVD-2025-00017 - Authentication Bypass and Remote Code Execution in Ivanti EPMM

Our reference DIVD-2025-00017
Case lead Stan Plasmeijer
Author Maarten van Norden
Researcher(s)
CVE(s)
Products
  • Ivanti Endpoint Manager Mobile (EPMM)
Versions
  • 11.12.0.4 and prior
  • 12.3.0.1 and prior
  • 12.4.0.1 and prior
  • 12.5.0.0 and prior
Recommendation Update to one of the following Ivanti Endpoint Manager Mobile (EPMM) versions 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1
Patch status Fully patched
Workaround Users can mitigate the threat by filtering access to the API using either the built-in Portal ACLs functionality of Ivanti EPMM or an external WAF
Status Open
Last modified 14 May 2025 12:31 CEST

Summary

Ivanti has resolved an authentication bypass (CVE-2025-4427) in EPMM, where only the on-premises instances are vulnerable. Abuse of the authentication bypass can be chained with a remote code execution vulnerability (CVE-2025-4428). Exploitation of these vulnerabilities has been observed in the wild. The following Ivanti EPMM versions are vulnerable: 11.12.0.4, 12.3.0.1, 12.4.0.1, 12.5.0.0 and prior versions.

Installing one of the following Ivanti EPMM versions will resolve the specified vulnerabilities: 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1.

Recommendations

Installing one of the following Ivanti EPMM versions will resolve the specified vulnerabilities: 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1. If installing one of these versions is not feasible, a workaround is available: users can mitigate the threat by filtering access to the API using either the built-in Portal ACLs functionality of Ivanti EPMM or an external WAF. More information on implementing the workaround can be found at the Ivanti help portal.
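The sketch below is an added example, not code from DIVD or Ivanti. It triages an inventory of EPMM version strings against the fixed releases listed above, comparing numerically per branch so that a release such as 12.3.0.10 is not mistaken for one older than 12.3.0.2. The hostnames, sample versions, status labels and the assumption that a version string starts with four dotted integers are constructed for illustration; branches older than the listed ones are treated as covered by "and prior".

```python
import re

# Fixed release per (major, minor) branch, as listed in the advisory.
FIXED = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}

def parse_version(text):
    """Parse a version such as '12.4.0.1' into a tuple of four ints.

    Assumption: inventory strings start with four dotted integers;
    anything after them (for example a build label) is ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised EPMM version: {text!r}")
    return tuple(int(part) for part in m.groups())

def triage(text):
    """Return (status, upgrade_target) for one EPMM version string."""
    version = parse_version(text)
    branch = version[:2]
    if branch > max(FIXED):
        # Newer branch than any the advisory names: it makes no statement.
        return ("not-listed", None)
    if branch in FIXED and version >= FIXED[branch]:
        return ("patched", None)
    # Same branch below its fix, or an older branch covered by "and prior":
    # the target is the fixed release of the nearest branch at or above it.
    target = min(fix for b, fix in FIXED.items() if b >= branch)
    return ("vulnerable", ".".join(map(str, target)))

# Constructed inventory (hostnames and versions are sample data).
INVENTORY = {
    "epmm-a.example.test": "12.5.0.0",
    "epmm-b.example.test": "12.4.0.2",
    "epmm-c.example.test": "11.10.0.3",
    "epmm-d.example.test": "12.3.0.10 Build 7",
}

def triage_inventory(inventory):
    return {host: triage(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, target) in triage_inventory(INVENTORY).items():
        print(f"{host}: {status}" + (f", update to {target}" if target else ""))
```

A "not-listed" result means the advisory makes no statement about that branch, not that the instance is known to be safe.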

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Ivanti EPMM and to notify these parties.

Timeline

Date Description
14 May 2025 DIVD starts researching the vulnerability.
14 May 2025 DIVD finds fingerprint, preparing to scan.
14 May 2025 Case opened and starting first scan.
14 May 2025 Notifications have been sent out to vulnerable network owners.

More information