Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks

Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to gain remote code execution.

The vulnerabilities in question are listed below –

• CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials
• CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system

The flaws impact the following versions of the product –

• 11.12.0.4 and prior (Fixed in 11.12.0.5)
• 12.3.0.1 and prior (Fixed in 12.3.0.2)
• 12.4.0.1 and prior (Fixed in 12.4.0.2)
• 12.5.0.0 and prior (Fixed in 12.5.0.1)

Ivanti, which credited CERT-EU for reporting the issues, said it’s “aware of a very limited number of customers who have been exploited at the time of disclosure” and that the vulnerabilities are “associated with two open-source libraries integrated into EPMM.”

The company, however, did not disclose the names of the impacted libraries. It’s also not known what other software applications relying on the two libraries could be affected. Furthermore, the company said it’s still investigating the cases, and that it does not have reliable indicators of compromise associated with the malicious activity.

“The risk to customers is significantly reduced if they already filter access to the API using either the built-in Portal ACLs functionality or an external web application firewall,” Ivanti noted.

“The issue only affects the on-prem EPMM product. It is not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products.”

Separately, Ivanti has also shipped patches to contain an authentication bypass flaw in on-premise versions of Neurons for ITSM (CVE-2025-22462, CVSS score: 9.8) that could allow a remote unauthenticated attacker to gain administrative access to the system. There is no evidence that the security defect has been exploited in the wild.

With zero-days in Ivanti appliances becoming a lightning rod for threat actors in recent years, it’s imperative that users move quickly to update their instances to the latest versions for optimal protection.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Some parts of this article are sourced from:
thehackernews.com