External risk intelligence

Ivanti Endpoint Manager Mobile API Remote Code Execution Advisory.

CVE advisory
Known Exploit

CVE-2025-4428

An API component flaw in Ivanti Endpoint Manager Mobile enables authenticated attackers to execute arbitrary code. The business risk is unauthorized control over affected systems and the compromise of the data they hold.

Halo Surface Signal: 4

Code Injection

Ivanti Endpoint Manager Mobile

Affected versions: before 11.12.0.5; 12.3.0.0 to before 12.3.0.2; 12.4.0.0 to before 12.4.0.2; 12.5.0.0

External exposure likelihood

Halo Surface Signal score for CVE-2025-4428

Ivanti Endpoint Manager Mobile is a management appliance designed for enterprise device administration. Such solutions often include web-based APIs and management consoles that are frequently exposed to the internet or edge networks to facilitate remote device management and connectivity for mobile endpoints.

Horizon Alert

Summary of the vulnerability and why it matters

The API component within Ivanti Endpoint Manager Mobile is susceptible to a flaw that allows authenticated attackers to execute arbitrary code. This occurs through the submission of specially crafted API requests. The potential business impact includes unauthorized code execution, leading to compromised systems and data.

  • API component in Ivanti Endpoint Manager Mobile
  • Flaw allows arbitrary code execution
  • Compromised systems and data

Attack Path

How an attacker could exploit the issue

An attacker who already holds authenticated access can exploit this vulnerability by sending crafted requests to the system's API component. This allows the execution of arbitrary code on the affected system, giving the attacker unauthorized control and potentially leading to data compromise or further malicious activity.

  • Requires authenticated access.
  • Attacker sends crafted API requests.
  • Results in arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

A remote code execution vulnerability exists in the API component of Ivanti Endpoint Manager Mobile. This allows authenticated attackers to execute arbitrary code by sending specially crafted API requests. The potential impact includes unauthorized access and control over affected systems, leading to data compromise or disruption of business operations.

  • Attackers with authenticated access.
  • Exploitation requires network access.
  • Treat as urgent due to high risk.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

An authenticated attacker can execute arbitrary code on Ivanti Endpoint Manager Mobile systems by sending specially crafted API requests. Because the attacker can gain control of the system and potentially exfiltrate sensitive information, the vulnerability affects the confidentiality, integrity, and availability of systems and data. The potential for remote code execution is a significant business risk that requires immediate mitigation.

  • Identify exposed Ivanti Endpoint Manager Mobile instances.
  • Restrict network access to affected systems.
  • Apply vendor patches and validate the fix.
  • Monitor for unusual activity.

Frequently asked questions

What is Ivanti Endpoint Manager Mobile and what is it used for?

Ivanti Endpoint Manager Mobile (EPMM) is a management appliance used for enterprise device administration, particularly for mobile endpoints. It often includes web-based APIs and management consoles to facilitate remote device management and connectivity.

What kind of weakness does CVE-2025-4428 represent?

CVE-2025-4428 represents a code injection weakness (CWE-94). This type of vulnerability allows an attacker to inject and execute their own code on a system, leading to arbitrary code execution.

How can an attacker exploit CVE-2025-4428?

An attacker needs authenticated access to the Ivanti Endpoint Manager Mobile system. They can then exploit the vulnerability by sending specially crafted API requests to the system's API component. Access to the network is required for exploitation.

Who should be concerned about this vulnerability?

Organizations using Ivanti Endpoint Manager Mobile should be concerned. This vulnerability is classified as external, meaning it can be targeted by attackers over the internet or edge networks, posing a significant risk.

What is the first step to address this threat?

The immediate first step is to identify any exposed Ivanti Endpoint Manager Mobile instances within your environment and restrict network access to affected systems. Applying vendor patches is also a critical action.
