May 28 Advisory: Ivanti EPMM Chained Exploits Added to CISA KEV [CVE-2025-4427-4428]

Rapid Response

Vulnerability Description

Two vulnerabilities, CVE-2025-4427 and CVE-2025-4428, have been identified in Ivanti Endpoint Manager Mobile (EPMM), with CVSS scores of 7.5 and 8.8, respectively.

  • CVE-2025-4427 is an authentication bypass in the API component.
  • CVE-2025-4428 is an authenticated remote code execution (RCE) vulnerability.

When chained, these flaws allow a remote attacker to bypass API authentication and execute arbitrary code as an authenticated user.

Threat Activity

CVE-2025-4427 and CVE-2025-4428 were both added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025. 

Ivanti has confirmed the vulnerabilities are being actively exploited in the wild, stating: “We are aware of a very limited number of customers who have been exploited at the time of disclosure.” At the time of writing this advisory, Ivanti has not provided a reliable method to determine whether devices have been compromised.

watchTowr Labs published a detailed technical writeup on the vulnerabilities and released proof-of-concept exploit code on GitHub.

CVE-ID: CVE-2025-4427 – CVSS 7.5 (high) – assigned by NVD. CVE-2025-4428 – CVSS 8.8 (high) – assigned by NVD.
Vulnerability Description: CVE-2025-4427 is an authentication bypass in Ivanti Endpoint Manager Mobile that allows attackers to access protected resources without proper credentials. CVE-2025-4428 is a remote code execution vulnerability in Ivanti Endpoint Manager Mobile that allows attackers to execute arbitrary code on the target system.
Date of Disclosure: May 13, 2025
Date Reported as Actively Exploited: May 19, 2025
Affected Assets: API component of Ivanti EPMM.
Vulnerable Software Versions: 11.12.0.4 and prior; 12.3.0.1 and prior; 12.4.0.1 and prior; 12.5.0.0 and prior.
PoC Available?: watchTowr published proof-of-concept exploit code for these vulnerabilities on GitHub.
Exploitation Status: These vulnerabilities are being actively exploited and were added to CISA KEV on May 19, 2025.
Patch Status: These vulnerabilities have been patched in versions 11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1. New releases can be downloaded from Ivanti’s Download Portal.

At the time of writing, Censys observed 174 exposed Ivanti EPMM instances potentially vulnerable to this exploit chain. The majority of these are hosted in cloud environments, distributed across various providers with no single vendor standing out.

For the exposed instances, version data is available, though limited to major and minor versions. In some cases, this is enough to infer vulnerability, but in others, confirmation isn’t possible.

Below are the versions observed and their inferred vulnerability status:

Observed Version   Vulnerability Status                          Host Count
12.5               Potentially. Patch was applied in 12.5.0.1    67
12.4               Potentially. Patch was applied in 12.4.0.2    27
12.3               Potentially. Patch was applied in 12.3.0.2    21
11.12              Potentially. Patch was applied in 11.12.0.5   18
11.11              Vulnerable                                    15
12.1               Vulnerable                                     9
12.2               Vulnerable                                     8
11.10              Vulnerable                                     6
12.0               Vulnerable                                     3
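The inference behind the table above, written out as an added example (this is not Censys or Ivanti code): a full four-part version is compared against the fixed release for its branch, a major.minor-only version on a branch that has a fix can only be called "potentially vulnerable", and a branch with no fixed release at all is vulnerable. The fixed versions come from this advisory; the assumption that branches newer than 12.5 are out of scope and reported as "unknown" is mine.

```python
from typing import Dict, Iterable, Tuple

# Fixed releases per branch, taken from the advisory's patch status.
FIXED_VERSIONS = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}
LATEST_BRANCH_IN_ADVISORY = (12, 5)  # assumption: newer branches are out of scope


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '12.4.0.1' or '12.4' into a tuple of ints; reject anything else."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(observed: str) -> str:
    """Return 'patched', 'vulnerable', 'potentially vulnerable' or 'unknown'."""
    v = parse_version(observed)
    branch = v[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # No fixed release exists on this branch: every build on it is affected.
        return "vulnerable" if branch <= LATEST_BRANCH_IN_ADVISORY else "unknown"
    if len(v) < 4:
        # Only major.minor is visible (as in Censys' banner data), so the
        # observed build may or may not include the fix.
        return "potentially vulnerable"
    # Any build at or above the fixed release on this branch carries the fix.
    return "patched" if v >= fixed else "vulnerable"


def summarize(observations: Iterable[Tuple[str, int]]) -> Dict[str, int]:
    """Sum host counts per status for (version, host_count) pairs."""
    totals: Dict[str, int] = {}
    for version, count in observations:
        status = classify(version)
        totals[status] = totals.get(status, 0) + count
    return totals


if __name__ == "__main__":
    # Constructed sample: the advisory's observed major.minor rows plus two full versions.
    sample = [("12.5", 67), ("11.11", 15), ("12.4.0.1", 2), ("12.4.0.2", 1)]
    print(summarize(sample))
```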

The queries below can be used to find exposed instances of Ivanti EPMM; matching instances are not necessarily vulnerable to the exploits.

Censys Platform Query:

host.services.software: (vendor: "Ivanti" and product: "Endpoint Manager Mobile") or web.software: (vendor: "Ivanti" and product: "Endpoint Manager Mobile")

Censys Legacy Search Query:

services.software: (vendor="Ivanti" and product="Endpoint Manager Mobile")

Censys ASM Query:

host.services.software: (vendor="Ivanti" and product="Endpoint Manager Mobile") or web_entity.instances.software: (vendor="Ivanti" and product="Endpoint Manager Mobile")

The query below can be used to find instances of Ivanti EPMM that are vulnerable to these exploits. 

Censys ASM Risk Query:

risks.name = "Vulnerable Ivanti Endpoint Manager Mobile [CVE-2025-4427 & CVE-2025-4428]"
[Figure: Map of Exposed Ivanti EPMM Devices]
