Known Exploited Vulnerabilities CVE-2025-4428

Ivanti Endpoint Manager Mobile (EPMM) contains a code injection vulnerability in the API component that allows an authenticated attacker to remotely execute arbitrary code via crafted API requests. This vulnerability results from an insecure implementation of the Hibernate Validator open-source library, as represented by CVE-2025-35036.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| CVE-2025-4428 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | exploitation_technique | T1190 | Exploit Public-Facing Application |
| CVE-2025-4428 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | primary_impact | T1059 | Command and Scripting Interpreter |
| CVE-2025-4428 | Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability | secondary_impact | T1543 | Create or Modify System Process |

Notes (the same comment is attached to all three mappings): By itself, this exploit requires an authenticated user in order to carry it out. However, when chained with CVE-2025-4427, the attacker achieves unauthenticated remote code execution.