Wiz Threat Research has confirmed active in-the-wild exploitation of a vulnerability chain in Ivanti Endpoint Manager Mobile (EPMM) comprising CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (post-authentication remote code execution). Chained, the two flaws yield unauthenticated remote code execution: the bypass stems from a misconfigured Spring Security routing setup that lets requests reach an API route without authentication, and the RCE from unsafe evaluation of user-controlled input as a Java Expression Language (EL) expression. Although each CVE carries only a moderate CVSS score on its own, the chain is critical in practice, and exploitation began shortly after public disclosure on May 13, 2025, helped along by the release of public proof-of-concept exploits. Affected versions are EPMM 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier.
Post-exploitation activity has varied: deployment of Sliver C2 beacons, dumping of the MySQL database, placement of web shells disguised as error pages, and reverse shells launched through crafted EL payloads. Some intrusions embedded malicious payloads in legitimate-looking paths such as 401.jsp and css.css, while others used stealthier, fileless reverse-shell tactics that leave no web shell on disk. Infrastructure reuse and shared indicators tie the activity to threat actors previously observed targeting other edge appliances, including Palo Alto Networks PAN-OS.