Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM (12.5.0.0 and earlier affected releases). CVE-2025-4427 is an authentication bypass that grants unauthenticated access to protected API endpoints; it can then be used to reach CVE-2025-4428, a remote code execution vulnerability through expression-language (template) injection in the format parameter of the /mifs/rs/api/v2/featureusage endpoint. Chained together, the two bugs yield unauthenticated remote code execution, which is why the rule is rated high. The rule matches on the webserver log fields cs-uri-stem and cs-uri-query and covers the payload in its plain, dot-encoded (%2e) and fully percent-encoded forms, plus the {7*7} probe commonly sent to confirm that expressions are evaluated; variants encoded in ways other than those listed (for example a partially encoded java.lang%2eRuntime) are not matched.
Sigma rule
```yaml
title: Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
id: 41956f7c-7a6b-46d6-b6bb-da6eb2e83fbe
status: experimental
description: |
    Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0.
    CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass,
    which can then be leveraged to trigger CVE-2025-4428 — a remote code execution vulnerability through
    template injection. This sequence enables unauthenticated remote code execution, significantly increasing
    the impact of exploitation.
references:
    - https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-20
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - attack.t1203
    - cve.2025-4427
    - cve.2025-4428
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection_uri:
        # Vulnerable endpoint and the parameter that reaches the expression sink
        cs-uri-stem|contains: '/mifs/rs/api/v2/featureusage'
        cs-uri-query|contains: 'format='
    selection_exploit_rce:
        # Plain payload
        - cs-uri-query|contains|all:
              - 'java.lang.Runtime'
              - '.getMethod'
              - 'getRuntime'
              - '.exec('
        # Payload with dots and parentheses percent-encoded
        - cs-uri-query|contains|all:
              - 'java%2elang%2eRuntime' # java.lang.Runtime
              - '%2egetMethod' # .getMethod
              - '%2eexec%28' # .exec(
        # Payload fragments percent-encoded character by character; any one is enough
        - cs-uri-query|contains:
              - '%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65' # java.lang.Runtime
              - '%67%65%74%52%75%6e%74%69%6d%65' # getRuntime
              - '%2e%65%78%65%63%28' # .exec(
    selection_exploit_template_injection:
        # Arithmetic probe used to confirm expression evaluation, plain and encoded
        cs-uri-query|contains:
            - '{7*7}'
            - '%7B7*7%7D'
            - '%7b7%2a7%7d'
    condition: selection_uri and 1 of selection_exploit_*
falsepositives:
    - Unknown
level: high
```
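To check what the rule above actually fires on, the following Python script re-implements its three selections and condition and runs them over a handful of webserver log lines. This is an added example, not code from the rule author, Nextron Systems or the Sigma project; the log lines are constructed for the example in IIS/W3C extended format (the field names cs-uri-stem and cs-uri-query are the rule's), the source addresses are documentation ranges, and the match strings are copied from the rule. It assumes Sigma's default case-insensitive string matching.

```python
"""Run the Sigma rule's selection logic over constructed W3C webserver log lines."""
from urllib.parse import unquote

# Match strings taken from the rule's selections.
URI_STEM = "/mifs/rs/api/v2/featureusage"
URI_QUERY = "format="
RCE_ALL_PLAIN = ("java.lang.Runtime", ".getMethod", "getRuntime", ".exec(")
RCE_ALL_ENCODED = ("java%2elang%2eRuntime", "%2egetMethod", "%2eexec%28")
RCE_ANY_HEX = (
    "%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65",  # java.lang.Runtime
    "%67%65%74%52%75%6e%74%69%6d%65",                        # getRuntime
    "%2e%65%78%65%63%28",                                    # .exec(
)
TEMPLATE_PROBES = ("{7*7}", "%7B7*7%7D", "%7b7%2a7%7d")

# Constructed sample log (not a real capture): a benign call, an encoded {7*7} probe,
# the RCE payload plain / dot-encoded / with a fully hex-encoded fragment, and the
# same payload sent to a different path, which the rule deliberately does not cover.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-05-20 10:00:01 203.0.113.10 GET /mifs/rs/api/v2/featureusage format=json 401
2025-05-20 10:00:05 203.0.113.10 GET /mifs/rs/api/v2/featureusage format=%24%7b7%2a7%7d 400
2025-05-20 10:00:09 203.0.113.10 GET /mifs/rs/api/v2/featureusage format=${''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('id')} 400
2025-05-20 10:00:12 203.0.113.10 GET /mifs/rs/api/v2/featureusage format=%24%7b''%2egetClass()%2eforName('java%2elang%2eRuntime')%2egetMethod('getRuntime')%2einvoke(null)%2eexec%28'id'%29%7d 400
2025-05-20 10:00:15 203.0.113.10 GET /mifs/rs/api/v2/featureusage format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('%67%65%74%52%75%6e%74%69%6d%65').invoke(null).exec('id')%7d 400
2025-05-20 10:00:18 198.51.100.7 GET /mifs/login.jsp format=java.lang.Runtime.getMethod.getRuntime.exec( 200
"""


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.strip().splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records


def contains(value, needle):
    # Sigma compares strings case-insensitively unless the `cased` modifier is used,
    # which is why the rule's %7B/%7b variants are redundant under the spec but kept
    # for backends that compare case-sensitively.
    return needle.lower() in value.lower()


def contains_all(value, needles):
    return all(contains(value, n) for n in needles)


def contains_any(value, needles):
    return any(contains(value, n) for n in needles)


def selection_uri(rec):
    return contains(rec["cs-uri-stem"], URI_STEM) and contains(rec["cs-uri-query"], URI_QUERY)


def selection_exploit_rce(rec):
    q = rec["cs-uri-query"]
    return (contains_all(q, RCE_ALL_PLAIN)
            or contains_all(q, RCE_ALL_ENCODED)
            or contains_any(q, RCE_ANY_HEX))


def selection_exploit_template_injection(rec):
    return contains_any(rec["cs-uri-query"], TEMPLATE_PROBES)


EXPLOIT_SELECTIONS = (
    ("selection_exploit_rce", selection_exploit_rce),
    ("selection_exploit_template_injection", selection_exploit_template_injection),
)


def evaluate(rec):
    """Rule condition: selection_uri and 1 of selection_exploit_*.

    Returns (matched, fired); fired lists the exploit selections that hit, so a
    non-match can still be explained (e.g. the payload was sent to another path).
    """
    fired = [name for name, sel in EXPLOIT_SELECTIONS if sel(rec)]
    return selection_uri(rec) and bool(fired), fired


def decode(query):
    """Percent-decode a query string once, the way the servlet container sees it."""
    return unquote(query)


def run_rule(log_text):
    """Return [(time, fired_selections)] for every record on which the rule fires."""
    hits = []
    for rec in parse_w3c(log_text):
        matched, fired = evaluate(rec)
        if matched:
            hits.append((rec["time"], fired))
    return hits


if __name__ == "__main__":
    for rec in parse_w3c(SAMPLE_LOG):
        matched, fired = evaluate(rec)
        print(f"{rec['time']} {'ALERT' if matched else '  -  '} {fired} "
              f"{rec['cs-uri-stem']}?{decode(rec['cs-uri-query'])}")
```

Four of the six records trigger the rule; the benign format=json call does not, and neither does the last line, even though its query satisfies selection_exploit_rce, because selection_uri anchors the rule to the vulnerable endpoint. The decoded view printed beside each hit is what an analyst wants when triaging, since the logged query is the raw, still-encoded request.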
References
- https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/?123
Related rules
- Suspicious CrushFTP Child Process
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- DNS RCE CVE-2020-1350