CVE-2025-4427

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 13 May 2025
Modified: 24 October 2025
KEV Added: 19 May 2025
CVSS v3.1 Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.9126 (99.7th percentile)
Risk Priority: 85 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-4427 is a medium-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Ivanti Endpoint Manager Mobile. Its CVSS base score is 5.3 (Medium).

Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2025-4427 is an authentication bypass vulnerability in the API component of Ivanti Endpoint Manager Mobile versions 12.5.0.0 and prior. The flaw, tracked under CWE-288, carries a CVSS 3.1 base score of 5.3 and permits unauthorized access to protected resources over the network without requiring credentials.

Attackers with network access can exploit the issue anonymously to reach API endpoints that should be restricted, resulting in limited disclosure of sensitive information while leaving integrity and availability unaffected.

The vendor advisory published by Ivanti and the corresponding entry in CISA’s Known Exploited Vulnerabilities catalog outline mitigation steps, including application of available patches or configuration changes to address the authentication weakness.

The vulnerability appears on CISA’s actively exploited list, and its EPSS score has reached a peak of 0.9185 with a current value of 0.9126, indicating sustained exploitation interest following disclosure.

Vulnerability details

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
KEV Date Added: 19 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: Ivanti
Product: Endpoint Manager Mobile
Affected versions: ≤ 11.12.0.5; 12.3.0.0 to 12.3.0.2; 12.4.0.0 to 12.4.0.2; 12.5.0.0

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Directly enforces authentication and authorization decisions on API requests, blocking the exact bypass that allows unauthenticated access to protected resources.

IA-2 Identification and Authentication (Organizational Users) (prevent)

Requires unique identification and authentication of users before granting access to the system, directly countering the credential-less API access flaw.

Network boundary protection (prevent)

Enforces boundary protections and traffic filtering at network interfaces, limiting exposure of the vulnerable unauthenticated API endpoints.
