Cyber Resilience

CVE-2025-4428

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 13 May 2025

Modified: 24 October 2025
KEV Added: 19 May 2025
Patch: vendor patch available
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4098 (97.5th percentile)
Risk Priority: 59 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-4428 is a high-severity Code Injection (CWE-94) vulnerability in Ivanti Endpoint Manager Mobile. Its CVSS base score is 7.2 (High).

Operationally, its EPSS score of 0.4098 places it in the top 2.5% of CVEs by estimated exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-4428 is a remote code execution vulnerability in the API component of Ivanti Endpoint Manager Mobile (EPMM) versions 12.5.0.0 and prior. The flaw is classified as CWE-94 (code injection): specially crafted API requests are evaluated as code on the server. Its CVSS 3.1 base score of 7.2 reflects high impact on confidentiality, integrity, and availability (C:H/I:H/A:H) once exploitation succeeds.

The CVSS vector requires high privileges (PR:H): an authenticated attacker with administrative API access sends a malicious request and obtains arbitrary code execution on the EPMM server. Taken on its own, that makes the flaw most relevant to insiders, compromised administrative accounts, or attackers who have already obtained such credentials. The KEV listing shows that the credential requirement did not stop real-world exploitation, so the vulnerability should be prioritized as an exposed-edge issue rather than an insider-only one.

Ivanti's security advisory and the associated CISA entry direct customers to apply the vendor-supplied patches for EPMM and to review the hardening guidance published in the advisory. The vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The EPSS score rose from low values to a peak of 0.6390 on 2025-12-18 before receding to the current 0.4098, a clear post-disclosure increase in exploitation interest that warrants renewed attention to any EPMM instance still on an affected version.

Vulnerability details

Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.

CWE(s): CWE-94 (Code Injection)
KEV Date Added: 19 May 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: ivanti
Product: endpoint manager mobile
Affected versions: ≤ 11.12.0.5 · 12.3.0.0 to 12.3.0.2 · 12.4.0.0 to 12.4.0.2 · 12.5.0.0
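The version ranges above are what an asset owner actually has to match an inventory against. As an added example (not code from this page or from Ivanti), the following Python encodes exactly the ranges listed here and flags which hosts in a constructed inventory fall inside them. Versions not covered by any listed range (for example a hypothetical 12.2.x build) are reported as not affected by this list, which is a statement about the page's data, not a guarantee that such builds are safe; the inventory hostnames and versions are made up for illustration.

```python
from typing import List, Optional, Tuple

# Affected ranges as listed on this page, inclusive at both ends.
# A lower bound of None means "every earlier version".
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "11.12.0.5"),
    ("12.3.0.0", "12.3.0.2"),
    ("12.4.0.0", "12.4.0.2"),
    ("12.5.0.0", "12.5.0.0"),
]

VERSION_WIDTH = 4  # EPMM versions on this page have four dotted components


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '12.3.0.2' into (12, 3, 0, 2); shorter strings are zero-padded so
    '12.5' compares equal to '12.5.0.0' rather than sorting below it."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) > VERSION_WIDTH:
        raise ValueError(f"too many components in version: {v!r}")
    return nums + (0,) * (VERSION_WIDTH - len(nums))


def is_affected(version: str) -> bool:
    """True if the version lies inside any affected range listed on the page."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_ok = lo is None or parse_version(lo) <= v
        if lo_ok and v <= parse_version(hi):
            return True
    return False


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose EPMM version is in an affected range, sorted."""
    return sorted(host for host, ver in inventory if is_affected(ver))


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE_INVENTORY = [
    ("epmm-eu-01.example.com", "12.5.0.0"),
    ("epmm-eu-02.example.com", "12.5.0.1"),
    ("epmm-us-01.example.com", "12.3.0.2"),
    ("epmm-us-02.example.com", "12.4.0.1"),
    ("epmm-lab-01.example.com", "11.12.0.5"),
    ("epmm-lab-02.example.com", "12.2.0.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"AFFECTED: {host}")
```

Treat a negative result as "not in the page's listed ranges" and confirm against the vendor advisory before closing a ticket; the ranges here describe the listed affected builds, not every build that is safe.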

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent

Directly enforces validation of all inputs to the API endpoints, blocking the crafted requests that trigger arbitrary code generation under CWE-94.

SI-2 (Flaw Remediation), prevent

Requires timely application of the vendor patches to the Ivanti EPMM API component, eliminating an RCE flaw that is already being exploited in the wild.

AC-6 (Least Privilege), prevent

Restricts administrative API accounts to the minimum privileges needed, reducing the attack surface available to authenticated users who could otherwise send malicious requests.
