Ivanti Endpoint Manager Mobile (EPMM) is a comprehensive enterprise Mobile Device Management (MDM) solutionthat helps organizations securely manage and protect mobile devices used by employees. Originally developed as MobileIron before being acquired by Ivanti in 2020, EPMM provides IT teams with centralized control over smartphones, tablets, and other mobile endpoints across both company-owned and employee-owned (BYOD) environments.
The platform offers robust device management capabilities, allowing administrators to enroll devices, push security policies, and remotely configure settings to ensure compliance with organizational standards. A key feature is its ability to create secure containers that separate corporate data and applications from personal content on employee devices. EPMM also includes advanced security protections like threat detection for compromised devices, automated compliance enforcement, and remote wipe capabilities for lost or stolen devices.
Two severe vulnerabilities, CVE-2025-4427 (Authentication Bypass) and CVE-2025-4428 (Remote Code Execution), have been discovered in the Ivanti EPMM platform. When exploited together, these flaws allow attackers to bypass authentication and execute arbitrary commands on affected systems, posing a significant risk to enterprise security.
The authentication bypass (CVE-2025-4427) allows attackers to access restricted API endpoints without credentials.
To understand authentication (auth) bypass, imagine a secure office building where employees need a keycard to enter. Now, suppose there’s a hidden side door that doesn’t check keycards. It just lets anyone walk right in. In Ivanti’s EPMM, researchers found that certain web requests, specifically to an API endpoint (like a digital “service desk” for devices), didn’t properly check if the person sending them was authorized. Normally, the system should ask, “Are you an admin?” before allowing access. But due to a misconfiguration, some requests slipped through without verification.
Once inside, another vulnerability (CVE-2025-4428) allows the attacker to execute arbitrary commands on the system. Additionally, the EPMM system had no warnings for such exploitation and does not log failed login attempts, enabling breaches to go unnoticed indefinitely.
Because EPMM controls company devices, a breach could spread to phones, tablets, and computers across the organization. The remote code execution flaw enables anyone to inject malicious Java payloads, leading to full system compromise.
To do this, attackers can exploit a flaw in how the system processes certain requests. By sending specially crafted commands using Java Expression Language (JEXL), they can trick the system into running any code they want on the command line. This would be like not only sneaking into that secure building, but also finding a master control panel that lets you reconfigure the entire security system to your advantage.
Attackers can deploy malware, exfiltrate data, or take control of managed devices-all without any authentication.
Using RidgeBot, we can automatically detect and warn users about the vulnerability while demonstrating the harmful effects it can have, as shown in the example below.
In today’s rapidly evolving threat landscape, exemplified by recent exploits like the Ivanti EPMM vulnerabilities, robust cybersecurity is not just an option. It’s a necessity. RidgeBot automated penetration testing is your essential defense, designed to uncover weaknesses and exposures across your digital assets.
RidgeBot significantly shortens the window of opportunity for attackers, transforming potential months of vulnerability into mere hours.
At its core, RidgeBot is powered by collective threat intelligence, deep vulnerability insights, and advanced AI-driven decision-making. This sophisticated engine allows RidgeBot to mimic the tactics of a real attacker, diligently identifying, exploiting, and documenting findings using advanced ethical hacking techniques.
RidgeBot not only detects attack vectors and confirms vulnerabilities but also provides actionable remediation steps-all before malicious actors have the chance to exploit them. This continuous, automated testing empowers your team to proactively strengthen your digital security posture. Designed for ease of use, RidgeBot is accessible to anyone with solid IT proficiency. It enables defenders to stay one step ahead of cybercrime, enhancing your overall resilience.
Ready to see how RidgeBot can enhance your defenses and help you outsmart cybercrime? Click here to get in touch.