module
Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution
| Disclosed |
|---|
| May 13, 2025 |
Disclosed
May 13, 2025
Description
This module exploits an unauthenticated remote code execution exploit chain for Ivanti EPMM,
tracked as CVE-2025-4427 and CVE-2025-4428. An authentication flaw permits unauthenticated
access to an administrator web API endpoint, which allows for code execution via expression
language injection. This module executes in the context of the 'tomcat' user. This module
should also work on many versions of MobileIron Core (rebranded as Ivanti EPMM).
tracked as CVE-2025-4427 and CVE-2025-4428. An authentication flaw permits unauthenticated
access to an administrator web API endpoint, which allows for code execution via expression
language injection. This module executes in the context of the 'tomcat' user. This module
should also work on many versions of MobileIron Core (rebranded as Ivanti EPMM).
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.