Authentication Bypass in Ivanti Endpoint Manager Mobile API
CVE-2025-4427

7.5 HIGH

Key Information:

Vendor: Ivanti

CVE Published: 13 May 2025

Badges

Trended No. 1 | Trended | Score: 4,140 | Ransomware | Exploit Exists | EPSS 81% | CISA Reported | News Worthy

What is CVE-2025-4427?

CVE-2025-4427 is a significant security vulnerability in Ivanti Endpoint Manager Mobile (EPMM), specifically affecting version 12.5.0.0 and earlier. It arises from an authentication bypass in the API component of EPMM, a tool used for managing mobile devices within enterprise environments. By exploiting this flaw, unauthorized attackers can gain access to protected resources through the API without valid user credentials. The ability to bypass authentication poses a severe risk because it undermines the security model of the application, potentially allowing malicious actors to retrieve, manipulate, or compromise sensitive data and systems within an organization.

Potential impact of CVE-2025-4427

  1. Unauthorized Data Access: This vulnerability allows attackers to access sensitive information that should be restricted, leading to potential data breaches and exposure of confidential resources.

  2. System Compromise: By circumventing authentication mechanisms, attackers could gain control over devices managed by EPMM, allowing them to install malware, exfiltrate data, or perform other malicious actions within the organization's network.

  3. Increased Risk of Ransomware Attacks: With the capability to access critical systems, there is a heightened risk that attackers could deploy ransomware or other forms of malware, leading to operational disruptions and considerable financial losses for affected organizations.

CISA has reported CVE-2025-4427

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-4427 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Endpoint Manager Mobile 12.5.0.1

News Articles

CISA Adds Six Known Exploited Vulnerabilities to Catalog | CISA

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM)...

Chinese Hackers Exploit Ivanti EPMM Bugs in Global Enterprise Network Attacks

UNC5221 exploited Ivanti EPMM flaws CVE-2025-4427/4428 in global attacks starting May 15, 2025, enabling remote access and data theft.

Ivanti EPMM Exploitation Tied to Older Zero-Day Attacks

Wiz researchers found an opportunistic threat actor has been targeting vulnerable edge devices, including Ivanti VPNs and Palo Alto Networks firewalls.

EPSS Score

81% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reached the number 1 worldwide trending spot

  • CISA Reported

  • Vulnerability started trending

  • Used in Ransomware

  • Exploit known to exist

  • First article discovered

  • Vulnerability published

  • Vulnerability Reserved
