CVE-2025-4427 Scanner
CVE-2025-4427 Scanner - Remote Code Execution (RCE) vulnerability in Ivanti Endpoint Manager Mobile
Short Info
Level
Single Scan
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 19 hours
Scan only one: Domain, Subdomain, IPv4
Ivanti Endpoint Manager Mobile (EPMM) is an enterprise-grade mobile device management solution widely used by organizations to manage and secure smartphones, tablets, and other mobile endpoints. Developed by Ivanti, it provides centralized control over device configuration, application deployment, and security enforcement across mobile fleets. It is commonly deployed in corporate and government networks to ensure mobile devices meet organizational compliance and security policies. The software integrates with backend infrastructure to maintain visibility and policy enforcement. EPMM is trusted for its remote control, reporting, and provisioning capabilities. The product is widely adopted in environments requiring scalable and secure mobile endpoint management.
The vulnerability affects Ivanti Endpoint Manager Mobile and allows unauthenticated users to bypass access controls and execute arbitrary code. This is made possible through a Server-Side Template Injection (SSTI) flaw present in the application's input handling. Due to an insecure validator implementation, user-controlled input is passed to a dangerous sink without adequate sanitization. The flaw exists in API endpoints that incorrectly handle the `format` parameter. By sending specially crafted payloads, attackers can exploit the vulnerability to execute operating system-level commands. The issue represents a critical flaw in how the product processes user input on the backend.
Technical analysis reveals that the `/api/v2/featureusage_history` and `/api/v2/featureusage` endpoints accept a `format` parameter that is passed directly into a Java bean validator. The validator improperly evaluates the string in a templating context, which lets attackers inject and execute Java expressions. The resulting SSTI reaches `java.lang.Runtime`, enabling command execution. The payloads use method chaining and Java reflection to run `curl` commands, verifying exploitation via DNS callbacks. The vulnerability is accessible without authentication, which increases its risk. A successful exploit may result in full remote code execution.
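For asset owners reviewing their own EPMM access logs, the sketch below flags requests to the two endpoints named above whose `format` value decodes to expression-like content. It is an added example, not code from this page or from Ivanti. The combined log layout, the marker heuristic, and the sample lines (with inert placeholder values) are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoints named in the analysis above.
ENDPOINTS = ("/api/v2/featureusage", "/api/v2/featureusage_history")
# Assumed heuristic: expression delimiters or Java runtime references in `format`.
SUSPICIOUS = re.compile(r"\$\{|#\{|java\.lang|getRuntime", re.I)
# Assumed log layout: common/combined access log format.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; the expressions are inert placeholders.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /api/v2/featureusage?format=json HTTP/1.1" 401 120',
    '203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /api/v2/featureusage?format=%24%7BCONSTRUCTED_EXPRESSION%7D HTTP/1.1" 400 310',
    '203.0.113.12 - - [01/Jan/2025:10:00:03 +0000] "GET /api/v2/featureusage_history?format=%2524%257BCONSTRUCTED_EXPRESSION%257D HTTP/1.1" 400 310',
    '203.0.113.13 - - [01/Jan/2025:10:00:04 +0000] "GET /api/v2/ping?format=%24%7BCONSTRUCTED_EXPRESSION%7D HTTP/1.1" 404 0',
]

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding so double-encoded input is still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return a finding dict for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.rstrip("/") not in ENDPOINTS:
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = decode_fully(value)
        if key.lower() == "format" and SUSPICIOUS.search(decoded):
            return {"ip": m["ip"], "path": url.path, "status": int(m["status"]), "format": decoded}
    return None

def scan(lines):
    """Collect findings for every matching line."""
    return [hit for hit in map(inspect_line, lines) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so a `format` value carried in a request body has to be inspected at a reverse proxy or WAF instead.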
If exploited, this vulnerability can allow attackers to fully compromise the system running Ivanti Endpoint Manager Mobile. Malicious actors could execute arbitrary system commands, leading to unauthorized access, data theft, system modification, or malware deployment. Depending on privileges, attackers might gain persistence on the server or move laterally within the network. This kind of unauthenticated RCE represents a significant security risk to enterprise environments. It can enable advanced persistent threats (APTs) and facilitate other attacks. Exploitation could lead to the shutdown of mobile management capabilities or exfiltration of sensitive configuration data.