
Ivanti has issued an urgent patch advisory for two zero-day vulnerabilities (CVE-2025-4427 and CVE-2025-4428) affecting its Endpoint Manager Mobile (EPMM) software, which attackers have actively chained to achieve unauthenticated remote code execution. The vulnerabilities, rated CVSS 7.5 and 9.1 respectively, were discovered in May 2025 with limited exploitation observed in the wild[1]. Shadowserver Foundation scans identified 992 exposed EPMM instances in Germany and 418 in the U.S. as of patch release[1].
Technical Breakdown of the EPMM Exploit Chain
The attack begins with CVE-2025-4427, an authentication bypass in the EPMM API that allows unauthorized access to administrative functions. Successful exploitation enables attackers to leverage CVE-2025-4428, which permits remote code execution through specially crafted API requests. This follows a recurring pattern in Ivanti vulnerabilities, where authentication bypass flaws are paired with execution primitives, as seen in January 2025’s Cloud Service Appliance (CSA) exploits combining CVE-2024-8963 with CVE-2024-8190[2].
While full exploit details remain undisclosed, the attack methodology resembles historical Ivanti incidents like the 2023 Norwegian government breach, where CVE-2023-35078 (auth bypass) was chained with CVE-2023-35081 (arbitrary file write) to compromise Microsoft Exchange servers[4]. Recent DIVD scans in August 2025 found 3,825 vulnerable Ivanti Sentry devices, demonstrating persistent risks in unpatched systems[4].
Mitigation and Detection Guidance
Ivanti released patches for EPMM versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Organizations should prioritize these updates, particularly given the CVSS 9.1 rating of CVE-2025-4428. For legacy systems where immediate patching isn’t feasible, network segmentation (restricting the administrative API to management networks) and API request monitoring are the recommended compensating controls.
Detection teams should monitor for:
- Unusual API requests to EPMM administrative endpoints
- Process execution from web server contexts
- Unauthorized changes to system configurations
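The detection points above can be turned into a small triage script. The following Python is an added example written for this article, not Ivanti tooling or code from the cited sources: it scores constructed access-log lines and process-start events against the first two indicators (external requests to the administrative API, and shell-like children of the web-server process). The admin API prefix, the management network, the process names and the log format are assumptions to be adjusted to the actual deployment.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the EPMM administrative API is served under this prefix.
# Verify the prefix against your own appliance before relying on it.
ADMIN_API_PREFIX = "/mifs/rs/api/"
# Assumption: only these management networks are meant to reach the admin API.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
# Assumption: web-server process names on the appliance, and child binaries
# that a web server has no legitimate reason to spawn.
WEB_PARENTS = {"java", "tomcat", "httpd"}
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "python", "perl", "nc"}

# Combined/Apache-style access log line:
#   ip ident user [timestamp] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_access_line(line):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # only the route matters for this check
    return rec


def is_management(ip):
    """True if the source address belongs to an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def admin_api_findings(lines, threshold=3):
    """Flag admin API requests from non-management sources. A successful (2xx)
    response is rated high; a source that repeats the call `threshold` times
    or more also gets a burst finding."""
    findings = []
    per_source = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith(ADMIN_API_PREFIX):
            continue
        if is_management(rec["ip"]):
            continue
        per_source[rec["ip"]] += 1
        severity = "high" if 200 <= rec["status"] < 300 else "medium"
        findings.append({"rule": "admin_api_external", "source": rec["ip"],
                         "path": rec["path"], "status": rec["status"],
                         "severity": severity})
    for ip, n in per_source.items():
        if n >= threshold:
            findings.append({"rule": "admin_api_burst", "source": ip,
                             "count": n, "severity": "high"})
    return findings


def process_findings(events):
    """Flag process-start events where a web-server process spawns a shell or
    downloader. `events` are dicts with parent, child and user (constructed shape,
    e.g. as exported from auditd or an EDR agent)."""
    out = []
    for ev in events:
        if ev["parent"] in WEB_PARENTS and ev["child"] in SUSPICIOUS_CHILDREN:
            out.append({"rule": "web_context_exec", "parent": ev["parent"],
                        "child": ev["child"], "user": ev["user"],
                        "severity": "critical"})
    return out


# Constructed sample data (not real traffic): one management-network call,
# one external source that retries the admin API until it gets a 200, and
# one unrelated login-page hit.
SAMPLE_ACCESS = [
    '10.10.5.20 - - [14/May/2025:09:01:10 +0000] "GET /mifs/rs/api/v2/devices HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/May/2025:09:02:01 +0000] "GET /mifs/rs/api/v2/devices HTTP/1.1" 401 0',
    '203.0.113.7 - - [14/May/2025:09:02:02 +0000] "GET /mifs/rs/api/v2/devices HTTP/1.1" 401 0',
    '203.0.113.7 - - [14/May/2025:09:02:03 +0000] "GET /mifs/rs/api/v2/devices?page=1 HTTP/1.1" 200 2048',
    '198.51.100.4 - - [14/May/2025:09:05:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1200',
]
SAMPLE_PROCS = [
    {"parent": "java", "child": "java", "user": "tomcat"},   # normal JVM child
    {"parent": "java", "child": "sh", "user": "tomcat"},     # shell from web context
    {"parent": "sshd", "child": "bash", "user": "admin"},    # interactive admin login
]


def run_all():
    """Combine both detectors over the constructed samples."""
    return admin_api_findings(SAMPLE_ACCESS) + process_findings(SAMPLE_PROCS)


if __name__ == "__main__":
    for f in run_all():
        print(f)
```

The 401-then-200 sequence from a single external source is rated higher than the individual 401s because a successful admin API response without a management-network origin is exactly what an authentication bypass would produce; the burst rule catches the retries even when every response fails. In production the allowlist and process names should come from the deployment's configuration rather than constants, and the findings would be forwarded to the SIEM rather than printed.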
The following table summarizes critical vulnerability details:
| CVE | Type | CVSS | Patch Version |
|---|---|---|---|
| CVE-2025-4427 | Auth Bypass | 7.5 | 11.12.0.5+ |
| CVE-2025-4428 | RCE | 9.1 | 12.3.0.2+ |
Broader Ivanti Vulnerability Context
This incident continues a trend of high-severity Ivanti vulnerabilities, including March 2025’s Connect Secure zero-day (CVE-2025-0282) exploited by Chinese group UNC5221 to deploy the Resurge malware variant[3]. The recurring pattern underscores the importance of:
> “Immediate patching for Ivanti products, particularly legacy systems like CSA 4.6 that remain vulnerable to known exploit chains”[2]
Organizations using multiple Ivanti products should implement cross-product monitoring, as attackers frequently pivot between EPMM, Connect Secure, and Sentry systems, as demonstrated in the Norwegian government attack path[4].
Conclusion
The EPMM vulnerabilities represent another critical security update for Ivanti administrators. With historical evidence showing rapid weaponization of similar flaws, organizations should treat this as a high-priority remediation effort. The chained exploitation technique emphasizes the need for comprehensive vulnerability management programs that address dependency risks and attack path analysis.
References
- “Ivanti fixes EPMM zero-days chained in code execution attacks”, BleepingComputer, May 2025.
- “CISA AA25-022A: Ivanti Cloud Service Appliance Exploits”, CISA, Jan. 2025.
- “CISA Analyzes Malware Used in Ivanti Connect Secure Zero-Day Attacks”, SecurityWeek, Mar. 2025.
- “Case Ivanti: Norwegian Government Hack Analysis”, DIVD, Aug. 2025.