CVE-2025-4428

This release adds targeting ThinManager vulnerabilities (CVE-2023-27855, CVE-2023-2917, CVE-2023-27856), a udev persistence module for Linux, an Ivanti EPMM authentication bypass and remote code execution module (CVE-2025-4427, CVE-2025-4428), PHP payload adapters, and more

Hibernate Validator before 6.2.0 and 7.0.0, by default and depending how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language intepolation of user-supplied data. References https://nvd.nist.gov/vuln/detail/CVE-2025-35036 https://github.com/hibernate/hibernate-validator/pull/1138 https://github.com/hibernate/hibernate-validator/commit/05f795bb7cf18856004f40e5042709e550ed0d6e https://github.com/hibernate/hibernate-validator/commit/254858d9dcc4e7cd775d1b0f47f482218077c5e1 https://github.com/hibernate/hibernate-validator/commit/d2db40b9e7d22c7a0b44d7665242dfc7b4d14d78 https://github.com/hibernate/hibernate-validator/commit/e076293b0ee1bfa97b6e67d05ad9eee1ad77e893 https://docs.jboss.org/hibernate/stable/validator/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext https://github.com/hibernate/hibernate-validator/compare/6.1.7.Final...6.2.0.Final https://hibernate.atlassian.net/browse/HV-1816 https://hibernate.org/validator/documentation/migration-guide/#6-2-0-cr1 https://in.relation.to/2021/01/06/hibernate-validator-700-62-final-released/#expression-language https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428 https://www.cve.org/CVERecord?id=CVE-2020-5245 https://www.cve.org/CVERecord?id=CVE-2025-4428 https://github.com/advisories/GHSA-7v6m-28jr-rg84

Meet the elite squad that’s hunting the next major cyberattack. With more than 150 years of combined research experience and expert analysis, the Tenable Research Special Operations team arms organizations with the critical and actionable intelligence necessary to proactively defend the modern attack surface. The digital battlefield is constantly shifting. It's no longer enough to just react. We need to anticipate. Massive data breaches leave consumers exposed to identity thieves, ransomware attacks cripple hospitals, and Nation State actors disrupt critical infrastructure. It's not just about vulnerable software anymore. In our hyper-connected world, from the smart devices in your home to the complex systems running our cities, everything is a potential target. The explosion of cloud services and AI is accelerating this risk, creating countless new windows for cybercriminals and hostile nations to exploit. From software and hardware vulnerabilities, to misconfigurations, compromised identities, overexposed and highly privileged environments, and publicly accessible databases, the threat landscape is everywhere, all at once. As of October 2024, over 240,000 Common Vulnerabilities and Exposures (CVEs) have been tracked through the MITRE CVE program, including many that have significantly impacted consumers, businesses and governments. The volume has historically been too much for security teams to keep up with. Beyond the sheer increase in the volume of traditional vulnerabilities, defenders are faced with an ever-expanding attack surface as enterprises have adopted remote work and new technologies like Generative AI that all contribute to increases in both the number and complexity of exposures that elevate the likelihood of business impacts.But what if there was a team dedicated to seeing these threats coming, understanding the tactics being used by adversaries, and sending early warning signals for what might come next?Introducing the Tenable...

A recently patched pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software has been exploited by a China-nexus threat actor to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The vulnerabilities, tracked as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7.2), could be chained to execute arbitrary code on a

Executive Summary  On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. [1] These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems.  

CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.  CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability CVE-2024-11182 MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability CVE-2025-27920 Srimax Output Messenger Directory Traversal Vulnerability CVE-2024-27443 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.  Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.  Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

On May 13, 2025, Ivanti disclosed an exploited in the wild exploit chain, comprising of two new vulnerabilities affecting Ivanti Endpoint Manager Mobile: CVE-2025-4427 and CVE-2025-4428.

Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile systems.

Introduction As security researchers, we all know that familiar dance when blackbox testing web apps and APIs. You poke an endpoint, get hit with "blah parameter is missing" or "blah is of the wrong type," and after satisfying every requirement, you're often met with the frustrating 401 or 403. That feeling of being so close, yet so far, is something we've all experienced. However, in a recent analysis of Ivanti EPMM's CVE-2025-4427 and CVE-2025-4428 , this very flow of execution – validation

Keeping your ears to the ground and eyes wide open for the latest vulnerability news at watchTowr is a given. Despite rummaging through enterprise code looking for 0days on a daily basis, our interest was piqued this week when news of fresh vulnerabilities was announced in a close friend -

On May 13, 2025, Ivanti released patches addressing multiple vulnerabilities across its products. The most severe issues include an unauthenticated remote code execution exploit chain affecting Ivanti Endpoint Manager Mobile (EPMM) and a critical authentication bypass vulnerability in Ivanti Neurons for IT Service Management (ITSM).  CVE-2025-4427 and CVE-2025-4428: These vulnerabilities affect EPMM and can be ... Ivanti Fixes Critical and Actively Exploited Vulnerabilities in May 2025 Update

Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacksBackgroundOn May 13, Ivanti released a security advisory to address a high severity remote code execution (RCE) and a medium severity authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM) product, a mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).CVEDescriptionCVSSv3CVE-2025-4427Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability5.3CVE-2025-4428Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability7.2AnalysisCVE-2025-4427 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API) that is normally only accessible to authenticated users.CVE-2025-4428 is a RCE in Ivanti’s EPMM. An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device.An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication. Both vulnerabilities are associated with open source libraries used by the EPMM software. Ivanti has indicated that these vulnerabilities have been exploited in the wild in a limited number of cases.Customers that restrict API access via the Portal ACLs functionality or an external WAF have reduced exposure to these vulnerabilities.Ivanti has credited the CERT-EU with reporting these vulnerabilities.Proof of conceptAt the time this blog post was published, there was no public proof-of-concept available for CVE-2025-4427 or CVE-2025-4428.SolutionThe following table details the affected and fixed versions of Ivanti EPMM for both CVE-2025-4427 and CVE-2025-4428:Affected VersionFixed Version11.12.0.4 and...