CVE-2025-4427

Analyzed
Published: 13 May 2025, 15:45
Last modified:21 Oct 2025, 22:55

Vulnerability Summary

Overall Risk (default)
high
58/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
90.79% CRITICAL
91% probability -0.62%
KEV
Listed
CISA
1 listing
Ransomware
No reports
Public exploits
2 found
Dark Web
Not detected

Timeline

13 May 2025, 15:45
Published
Vulnerability first disclosed
19 May 2025, 00:00
Added to CISA KEV
Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
09 Jun 2025, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
21 Oct 2025, 22:55
Last Modified
Vulnerability information updated

Description

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

CVSS Metrics

  • v3.1MEDIUMScore: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Trends

Current EPSS score: 90.79% Percentile: 100%

Techniques & Countermeasures

  • CWE-288Authentication Bypass Using an Alternate Path or Channel

    The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Affected Systems

  • ivantiendpoint manager mobile

    < 11.12.0.5 | ≥ 12.3.0.0, < 12.3.0.2 | ≥ 12.4.0.0, < 12.4.0.2 | 12.5.0.0

References (2)