
Rule Info
Name
Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects potential exploitation of a chained vulnerability attack targeting Ivanti EPMM 12.5.0.0.
CVE-2025-4427 allows unauthenticated access to protected API endpoints via an authentication bypass,
which can then be leveraged to trigger CVE-2025-4428 — a remote code execution vulnerability through
template injection. This sequence enables unauthenticated remote code execution, significantly increasing
the impact of exploitation.
Reference
Date
2025-05-20 00:00:00
Modified
None
Id
41956f7c-7a6b-46d6-b6bb-da6eb2e83fbe
Tags
attack.initial-access attack.t1190 attack.execution attack.t1203 cve.2025-4427 cve.2025-4428 detection.emerging-threats
Type
Community Rule
Link to Public Repo
Rule History
Author
Swachchhanda Shrawan Poudel
Title
Merge PR #5427 from @swachchhanda000 - Add `Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE`
Date
2025-05-21
Commit