The bottom line: Two critical Ivanti zero-days (CVE-2025-4427 and CVE-2025-4428) are now being actively exploited after a surge in scanning activity last month. Immediate patching is required.

Why It Matters

When chained together, these vulnerabilities enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile (EPMM) systems. In April, we warned about a 9x surge in scanning against Ivanti products — that reconnaissance has now transitioned to exploitation.

The Vulnerabilities

  • CVE-2025-4427 (CVSS: 5.3): Authentication bypass via improper validation sequence
  • CVE-2025-4428 (CVSS: 7.2): Remote code execution through Expression Language injection

How they work: The flaws lie in the /api/v2/featureusage and /api/v2/featureusage_history endpoints. Input validation runs before the authentication check, so an attacker reaches the injection point without ever supplying credentials.

What We're Seeing

  • A small number of attempts to exploit CVE-2025-4427 from a single IP address — 212.102.51.249 — on 2025-05-16 (~02:30 GMT). The attempts hit only our Ivanti sensors, so the activity is unlikely to be random or opportunistic in nature
  • Pattern follows predicted reconnaissance → exploitation lifecycle
  • Activity tracked via our CVE-2025-4427 tag

Who Discovered It

Credit to Project Discovery and WatchTowr for their excellent technical analysis:

  • Project Discovery revealed validation precedes authorization in Spring MVC's workflow
  • WatchTowr provided detailed proof-of-concept exploits showing the order-of-operations issue

Affected Versions & Patches

Vulnerable:

  • 11.12.0.4 and earlier
  • 12.3.0.1, 12.4.0.1, 12.5.0.0

Patched:

  • 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1

Take Action Now

  1. Patch immediately to fixed versions
  2. Review logs for suspicious API activity
  3. Implement WAF rules if patching is delayed
  4. Hunt for IOCs focusing on unusual API access patterns
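As an added example (not GreyNoise's code or part of the original report), the following Python supports steps 2 and 4: it scans access-log lines for requests to the two endpoints named above that arrive without an authenticated user or carry an Expression Language marker in the query string. The combined-log format, the `param` query parameter name and the sample lines are constructed assumptions, not observed traffic.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoints named in the advisory
WATCHED_PATHS = {"/api/v2/featureusage", "/api/v2/featureusage_history"}
# Expression Language opener, checked after URL-decoding the query string
EL_MARKER = re.compile(r"\$\{")

# Combined-log-style line (assumed format); 'auth' is the HTTP user field, '-' when absent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<auth>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

def analyze_line(line):
    """Return the reasons a request looks suspicious, or [] if nothing stands out."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if parts.path not in WATCHED_PATHS:
        return []
    reasons = []
    if m.group("auth") == "-":
        reasons.append("unauthenticated request to watched endpoint")
    if EL_MARKER.search(unquote(parts.query)):
        reasons.append("EL expression marker in query string")
    return reasons

def hunt(lines):
    """Map each flagged source IP to the list of reasons its requests were flagged."""
    findings = {}
    for line in lines:
        reasons = analyze_line(line)
        if reasons:
            ip = LOG_RE.match(line).group("ip")
            findings.setdefault(ip, []).extend(reasons)
    return findings

# Constructed sample lines (documentation-range IPs, hypothetical 'param' parameter)
SAMPLE_LOG = [
    '203.0.113.7 - - [16/May/2025:02:31:05 +0000] "GET /api/v2/featureusage?param=%24%7Btest%7D HTTP/1.1" 401 318',
    '203.0.113.7 - - [16/May/2025:02:31:09 +0000] "GET /api/v2/featureusage_history HTTP/1.1" 401 318',
    '198.51.100.20 - admin [16/May/2025:03:00:00 +0000] "GET /api/v2/featureusage?param=json HTTP/1.1" 200 2048',
    '198.51.100.21 - - [16/May/2025:03:05:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, reasons in hunt(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

A legitimate authenticated client that happens to send `${` in a parameter will also be flagged, so treat hits as leads for review rather than confirmed exploitation.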

The Big Picture

This case demonstrates why monitoring scanning trends provides early warning of attacks. The exploitation activity is currently limited, but will likely accelerate as more threat actors incorporate these vulnerabilities into their toolkits.

Organizations with Portal ACLs or WAF restrictions have reduced exposure, but patching remains the only complete solution.

GreyNoise is developing an enhanced dynamic IP blocklist to help defenders take faster action on emerging threats.


This article is a summary of the full, in-depth version on the GreyNoise Labs blog.