Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacks

CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

Active exploitation has been observed by Ivanti and when chained together, these 2 CVEs can be abused for RCE 

Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, versions prior to 11.12.0.5 or 12.3.x prior to 12.3.0.2 or 12.4.x prior to 12.4.0.2 or 12.5.x prior to 12.5.0.1 suffer from an authentication bypass vulnerability, allowing unauthorized users to access restricted functionality or resources of the application without proper authentication.

The version of Ivanti Endpoint Manager Mobile, formerly MobileIron Core, running on the remote host is 12.5.0.x prior to 12.5.0.1, 12.4.0.x prior to 12.4.0.2, 12.3.0.x prior to 12.3.0.2, or 11.x prior to 11.12.0.5. It is, therefore, affected by multiple vulnerabilities:

  - An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers     to access protected resources without proper credentials via the API. (CVE-2025-4427)

  - Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified     platforms allows authenticated attackers to execute arbitrary code via crafted API requests. (CVE-2025-4428)

Note that Nessus has not tested for these issues but has instead relied only on the service's self-reported version number.

ID	Name	Product	Family	Severity
114794	Ivanti Endpoint Manager Mobile < 11.12.0.5 / < 12.3.0.2 / < 12.4.0.2 / < 12.5.0.1 Authentication Bypass	Web App Scanning	Component Vulnerability	high
235860	Ivanti Endpoint Manager Mobile 12.5.0.x < 12.5.0.1 / 12.4.0.x < 12.4.0.2 / 12.x < 12.3.0.2 / 11.x < 11.12.0.5 Multiple Vulnerabilities	Nessus	Misc.	high

Detections

Analytics

CVE-2025-4427

high

Tenable Plugins

high

high