CVE-2025-4427 | Attaxion

CISA Known Exploited Vulnerability (KEV)

Name

Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability

Exploit added

May 19, 2025

Action due

June 9, 2025

Action required

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Description

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

References

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM

Weakness Enumeration

CWE-ID	CWE Name
CWE-288	Authentication Bypass Using an Alternate Path or Channel

Known Affected Software Configurations

cpe:2.3:a:ivanti:endpoint_manager_mobile:11.12.0.5:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.3.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.4.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.4.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.5.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:-:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0.2:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.11.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.12.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.12.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.12.0.2:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.12.0.3:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.4.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.5.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.6.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.6.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.7.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.8.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.8.1.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.1.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.0.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.0.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.0.0.2:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.0.0.3:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.0.0.4:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.0.0.5:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.1.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.1.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.1.0.2:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.1.0.3:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:12.3.0.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.11.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0.4:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.11.0.2:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.11.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.4.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.4.1.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.5.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.6.0.01:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.6.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.7.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.8.1.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.0.1:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.1.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0.3:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.10.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.8.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.8.1.2:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.0:::::::*
cpe:2.3:a:ivanti:endpoint_manager_mobile:11.9.1.2:::::::*

Details

Source:
NVD

Published:
May 13, 2025

Updated:
May 21, 2025

Risk information

CVSS v3

Base score:
5.3

Severity:

MEDIUM

Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2

Not defined