Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability (CVE-2025-4428)
Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036.
A remote attacker, with administrative privileges, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. Federal agencies are required to remediate by 2025-06-09 under CISA BOD 22-01.
This is a Code Injection (CWE-94) vulnerability in Ivanti Endpoint Manager Mobile (EPMM). Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests. Exploitation requires remote network access, low attack complexity, an administrative account, and no user interaction required.
Probably yes if any of these apply:
CISA added this CVE to the Known Exploited Vulnerabilities catalog on 2025-05-19 based on evidence of active exploitation in the wild. Federal agencies required to remediate by 2025-06-09.
Manual remediation steps
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.