Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile
CVE-2025-4428
Key Information:
- Vendor: Ivanti
- CVE Published: 13 May 2025
What is CVE-2025-4428?
CVE-2025-4428 is a critical remote code execution vulnerability found within the Ivanti Endpoint Manager Mobile (EPMM), specifically affecting version 12.5.0.0 and earlier. Ivanti Endpoint Manager Mobile is designed to facilitate device management and security for mobile endpoints in an organizational context, enabling IT teams to secure, monitor, and manage mobile devices. This vulnerability allows authenticated attackers to exploit the API component of EPMM by sending specially crafted API requests, potentially leading to the execution of arbitrary code on the affected systems. The nature of this vulnerability could severely undermine an organization’s security posture, exposing sensitive data and facilitating unauthorized control of mobile device management functions.
Potential impact of CVE-2025-4428
- Arbitrary Code Execution: The most immediate risk posed by this vulnerability is the ability for authenticated attackers to execute arbitrary code. This can lead to a range of malicious actions, including the installation of malware, data exfiltration, or deploying further attacks within the enterprise network.
- Data Breach Risks: Given that Ivanti Endpoint Manager Mobile is used to manage sensitive mobile device data, exploiting this vulnerability could lead to significant data breaches where sensitive corporate and personal information may be accessed or leaked.
- Compromise of Network Security: An exploit could not only provide access to the targeted device but also serve as a foothold into larger network infrastructures. This could result in broader compromises, allowing attackers to escalate privileges, move laterally within the network, and impact additional systems and services.
CISA has reported CVE-2025-4428
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-4428 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Endpoint Manager Mobile 12.5.0.1
News Articles

Risky Bulletin: Authorities and security firms take down DanaBot and Lumma Stealer - Risky Business Media
A coalition of law enforcement agencies and cybersecurity firms have dealt two major blows to the cybercrime ecosystem this week by taking
2 weeks ago
Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
Chinese hackers have been exploiting a remote code execution flaw in Ivanti Endpoint Manager Mobile (EPMM) to breach high-profile organizations worldwide.
2 weeks ago
Ivanti EPMM Exploitation Tied to Older Zero-Day Attacks
Wiz researchers found an opportunistic threat actor has been targeting vulnerable edge devices, including Ivanti VPNs and Palo Alto Networks firewalls.
2 weeks ago
EPSS Score
38% chance of being exploited in the next 30 days.
Timeline
- 💰 Used in Ransomware
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 🦅 CISA Reported
- 📰 First article discovered
- Vulnerability published
- Vulnerability Reserved