Ivanti Endpoint Manager Mobile SpEL Injection RCE
CVE-2025-4428 is a remote code execution vulnerability in the API component of Ivanti Endpoint Manager Mobile (EPMM) affecting version 12.5.0.0 and earlier. Supporting sources indicate the flaw is a Spring Expression Language (SpEL) injection in the format parameter of the /api/v2/featureusage endpoint family, which lets crafted API requests be interpreted as executable expressions. Multiple sources state that this issue was actively exploited in the wild in 2025. One description characterizes the flaw as exploitable by an authenticated attacker, but the broader supporting context consistently indicates that CVE-2025-4428 was commonly chained with CVE-2025-4427, an authentication bypass, to achieve unauthenticated remote code execution against internet-facing EPMM appliances.
Exploits
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository provides an operational exploit and detection tool for CVE-2025-4427 and CVE-2025-4428, targeting Ivanti Endpoint Manager Mobile (EPMM). The main exploit is implemented in 'CVE-2025-4428.py', a Python script that allows unauthenticated remote code execution by exploiting a Server-Side Template Injection (SSTI) vulnerability in a Java bean validator. The exploit works by sending a crafted HTTP GET request to vulnerable endpoints (such as '/api/v2/featureusage' and '/api/v2/featureusage_history') with a malicious 'format' parameter that triggers arbitrary command execution on the server. The script supports custom command execution, proxying, output redirection, and multi-shell support (bash/sh). The YAML file ('CVE-2025-4427.yaml') provides a nuclei-compatible detection template for automated scanning. The repository is well-structured, with clear documentation and operational exploit code, and is suitable for both detection and exploitation of the targeted vulnerabilities.
Recent activity
147 sources tracked across advisories, community write-ups, and news.
A previously exploited zero-day vulnerability affecting Ivanti EPMM, referenced as part of earlier attack campaigns against the product.
A vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that was exploited alongside CVE-2025-4427 to enable compromise of a U.S. utility, facilitating backend database data theft and credential replay for lateral movement.
An Ivanti EPMM vulnerability that can be chained with CVE-2025-4427 to execute arbitrary code; exploited by a China-nexus actor.
An Ivanti Endpoint Manager Mobile (EPMM) vulnerability exploited to deploy malware (details not provided in the snippet).