Unauthenticated Remote Code Execution (CVE-2025-4428)

Disclosed by Ironsoul74
Summary by Unisys Vulnerability Disclosure Engagement

One of the Unisys-owned domains was found to be vulnerable to CVE-2025-4428, a high-severity remote code execution (RCE) vulnerability affecting Ivanti Endpoint Manager Mobile. The affected domain was accessible without any prior authentication, potentially allowing an attacker to execute arbitrary code on the target system. This vulnerability has a CVSS score of 7.2 (High), indicating a significant security risk if exploited.

Summary by Ironsoul74

A remote code execution (RCE) vulnerability exists on the Unisys-owned domain. The affected domain can be accessed without any prior authentication, and the vulnerable endpoint evaluates unsanitised user input as a code expression, matching the behavior of CVE-2025-4228.
