
Ivanti Endpoint Mobile Manager users victimized through combined weaknesses exploitation

According to Ivanti, the flaws stem from issues in open-source libraries used by the product, and further CVEs may follow. Analysts are skeptical.


In a recent development, two vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - have been discovered in Ivanti's Endpoint Mobile Manager (EPMM) software, causing concern among cybersecurity experts.

The core issue appears to be an insecure use of the Hibernate Validator open-source library within the Ivanti product. This is consistent with previously known vulnerabilities such as CVE-2025-35036, which suggests the flaw is not inherent to Hibernate Validator but lies in how Ivanti uses and integrates it.

The vulnerability specifically affects the API components of Ivanti EPMM and is described as code injection, which further points to how Ivanti implements input validation and handles the resulting code paths, most likely a misuse or insecure integration of Hibernate Validator.

Although there is no direct evidence that the vulnerability stems solely from a defect in the third-party Hibernate Validator library itself, the problem is better described as an insecure implementation, or misuse, of Hibernate Validator by Ivanti within EPMM.

When the two flaws are chained, an unauthenticated attacker can reach a web API endpoint and inject server-side template patterns, exploiting the high-severity flaw. As of Sunday, 798 instances of CVE-2025-4427 were unpatched and considered vulnerable, down from 940 instances on Thursday.

Security researchers have questioned whether the issue can legitimately be blamed on a third-party library vulnerability; some argue that Ivanti misused a known dangerous function in the hibernate-validator library. It is also unclear which open-source libraries Ivanti is citing as the root cause of the flaw.
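The article does not name the function involved, so what follows is an added illustration, not Ivanti's code and not Hibernate Validator's, of the misuse class that Hibernate Validator's own documentation warns about: caller-controlled text placed into a constraint violation message template, where `{param}` and `${expression}` sequences are interpolated. The constraint `AllowedFormat`, its validator class, the `ExportRequest` bean, the `Demo` class and the sample input are all assumptions, and the file is assumed to be `AllowedFormat.java`. The unsafe pattern is shown commented out beside the safe one (a constant template plus `addMessageParameter`, which Hibernate Validator 6.2 and later escapes and substitutes verbatim), followed by the defense-in-depth setting that disables expression evaluation for constraint messages altogether.

```java
// Added illustration (not Ivanti's or Hibernate Validator's code): a custom
// constraint whose validator reports the rejected value in its message.
// Assumes hibernate-validator 6.2+ on the jakarta.validation API with an EL
// implementation on the classpath. All names below are hypothetical.
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;

import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.ConstraintViolation;
import jakarta.validation.Payload;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import org.hibernate.validator.HibernateValidator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ExpressionLanguageFeatureLevel;

@Documented
@Constraint(validatedBy = AllowedFormatValidator.class)
@Target({ElementType.FIELD, ElementType.PARAMETER})
@Retention(RetentionPolicy.RUNTIME)
public @interface AllowedFormat {
    String message() default "unsupported format";
    Class<?>[] groups() default {};
    Class<? extends Payload>[] payload() default {};
}

class AllowedFormatValidator implements ConstraintValidator<AllowedFormat, String> {
    private static final Set<String> ALLOWED = Set.of("json", "xml", "csv");

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || ALLOWED.contains(value)) {
            return true;
        }
        ctx.disableDefaultConstraintViolation();

        // UNSAFE (the misuse class): the raw input becomes part of the message
        // *template*, so any ${...} it contains is evaluated as an EL expression
        // at whatever feature level the validator permits.
        // ctx.buildConstraintViolationWithTemplate("Unsupported format: " + value)
        //    .addConstraintViolation();

        // SAFE: the template stays a constant and the input travels as a message
        // parameter, which Hibernate Validator 6.2+ escapes and substitutes verbatim.
        ctx.unwrap(HibernateConstraintValidatorContext.class)
           .addMessageParameter("rejected", value)
           .buildConstraintViolationWithTemplate("Unsupported format: {rejected}")
           .addConstraintViolation();
        return false;
    }
}

/** Hypothetical request bean whose 'format' field is taken straight from the caller. */
class ExportRequest {
    @AllowedFormat
    String format;

    ExportRequest(String format) {
        this.format = format;
    }
}

class Demo {
    public static void main(String[] args) {
        // Defense in depth: when no constraint message in the application needs EL,
        // turn it off so that even a future template misuse cannot evaluate anything.
        Validator validator = Validation.byProvider(HibernateValidator.class)
            .configure()
            .constraintExpressionLanguageFeatureLevel(ExpressionLanguageFeatureLevel.NONE)
            .buildValidatorFactory()
            .getValidator();

        // Constructed sample input: a value carrying a template-looking marker.
        String untrusted = "${not-a-real-format}";
        Set<ConstraintViolation<ExportRequest>> violations =
            validator.validate(new ExportRequest(untrusted));

        for (ConstraintViolation<ExportRequest> v : violations) {
            // The rejected value appears in the message as plain text; nothing
            // inside it is evaluated.
            System.out.println(v.getMessage());
        }
    }
}
```

The two controls are independent: `addMessageParameter` fixes the individual validator, while `ExpressionLanguageFeatureLevel.NONE` (or swapping in `org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator`) removes expression evaluation from constraint messages application-wide. Reviewing a code base for this pattern means searching every `buildConstraintViolationWithTemplate` call for string concatenation or formatting that involves request data.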

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-4427 and CVE-2025-4428 to its Known Exploited Vulnerabilities catalog, indicating the seriousness of the situation. Ivanti is working with security partners and maintainers of the affected libraries to determine whether additional CVEs are warranted.

Ivanti is urging customers to upgrade immediately to a fixed version of the software. Rapid7 has tested proof-of-concept exploits and confirmed they work, but has not yet seen confirmed exploitation in customer environments.

At the time of this update, an Ivanti spokesperson was not immediately available for comment. Editor's note: this story has been updated to reflect that CISA added the vulnerabilities to its Known Exploited Vulnerabilities catalog.


The discovery of CVE-2025-4427 and CVE-2025-4428 in Ivanti's Endpoint Mobile Manager (EPMM), thought to stem from an insecure integration of the Hibernate Validator open-source library, raises broader concerns for the security of data and cloud systems. It underscores that a technology company's secure integration of third-party libraries matters as much as the libraries themselves.
