
Ivanti has warned its customers about two newly disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that are already being exploited in the wild to achieve remote code execution. The flaws affect only on-premises EPMM deployments; cloud-hosted products such as Ivanti Neurons for MDM are not affected.
The first vulnerability, CVE-2025-4427 (CVSS 5.3), is an authentication bypass in the EPMM API component that lets an attacker reach protected resources without valid credentials. The second, CVE-2025-4428 (CVSS 7.2), allows arbitrary code execution through specially crafted API requests. Each score reflects the flaw in isolation, which is why neither looks critical on its own; chained together they give an unauthenticated remote attacker full control of the appliance, so the pair should be treated with the urgency of a critical unauthenticated RCE.
Ivanti has released fixed builds: EPMM 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. The company confirmed that a limited number of customers had already been compromised at the time of disclosure, but no indicators of compromise have been published yet because the investigation is still ongoing. Until a system is patched, Ivanti's advisory notes that the risk can be greatly reduced by restricting access to the API with the built-in Portal ACLs or an external web application firewall, and customers are encouraged to contact support for mitigation guidance specific to their deployment.
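The first thing a defender needs is a list of which EPMM hosts are still below the fixed build for their release branch. The following Python triage helper is an added example, not Ivanti's code: the fixed versions come from the advisory text above, while the handling of branches with no listed fix, the status labels, and the sample inventory (hostnames and versions) are constructed for illustration.

```python
"""Triage helper for the Ivanti EPMM CVE-2025-4427 / CVE-2025-4428 advisory.

Added example, not Ivanti's code. Given EPMM version strings from an asset
inventory, decide whether each one carries the fixed build for its branch.
The fixed builds come from the advisory; everything else here is an assumption
made for illustration.
"""
from typing import Dict, List, Tuple

# Fixed builds named in the advisory, keyed by the release branch they belong to.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.4.0.1' into (12, 4, 0, 1); tolerate a leading 'v' and a '-build' suffix."""
    core = text.strip().lstrip("vV").split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"not an EPMM version: {text!r}")
    # Pad to four components so a bare '12.4' compares like 12.4.0.0.
    return parts + (0,) * (4 - len(parts))


def epmm_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted-branch' for one version string.

    Assumption (not stated by the advisory): a branch with no fixed build listed
    (for example an end-of-life 11.11.x) is reported as 'unlisted-branch' rather
    than guessed at, because such a host needs a branch upgrade, not a point patch.
    """
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get((v[0], v[1]))
    if fixed is None:
        return "unlisted-branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hostnames by status so the vulnerable ones can be prioritised first."""
    groups: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unlisted-branch": []}
    for host, version in inventory.items():
        groups[epmm_status(version)].append(host)
    return groups


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "epmm-ber-01": "12.5.0.1",
    "epmm-fra-02": "12.4.0.1",
    "epmm-nyc-01": "12.3.0.2",
    "epmm-lab-01": "11.11.0.3",
    "epmm-old-01": "v11.12.0.4",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:16s} {', '.join(hosts) or '-'}")
```

Feed it the version column from your CMDB or scanner export; anything reported as vulnerable is unauthenticated-RCE exposed until upgraded, and anything in an unlisted branch has no fix to apply and must be moved to a supported branch.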
According to the Shadowserver Foundation, several hundred Ivanti EPMM instances are currently reachable from the internet and therefore exposed, with the largest concentrations in Germany and the United States. That exposure is all the more serious given Ivanti's track record: threat actors have previously exploited zero-day vulnerabilities in its Connect Secure (ICS) VPN appliances, Policy Secure (IPS), and ZTA gateways.
In the same patch cycle, Ivanti fixed a critical vulnerability, CVE-2025-22462, in its on-premises Neurons for ITSM product; it is also an authentication bypass, and a successful attacker gains administrative access. A further issue, CVE-2025-22460, stems from default credentials in the Cloud Services Appliance (CSA) and can let a local authenticated user escalate privileges.
The broader picture is made worse by a joint advisory the FBI and CISA issued in January on the exploitation of Ivanti Cloud Services Appliance vulnerabilities, which warned that attacks against vulnerable Ivanti products continue despite the availability of patches and remain a serious threat to organisations that have not yet applied them.