Critical security vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2025-4427 and CVE-2025-4428, are being actively exploited in the wild, prompting urgent calls for immediate patching and mitigation among enterprise users.
Vulnerabilities Overview
The two flaws, discovered in open-source libraries integrated into Ivanti’s on-premises EPMM product, present a dangerous attack chain when combined:
- CVE-2025-4427 is an authentication bypass vulnerability. It allows remote attackers to access protected resources via the EPMM API without providing valid credentials, effectively circumventing standard security controls.
- CVE-2025-4428 is a remote code execution (RCE) vulnerability. Authenticated attackers can exploit this flaw to execute arbitrary code on the target system, potentially leading to full system compromise.
When chained together, these vulnerabilities enable pre-authenticated remote code execution, allowing attackers to gain control over affected systems without prior access.
Exploitation and Impact
Ivanti has confirmed that attackers have exploited these vulnerabilities in a “very limited” number of customer environments, leveraging the flaws as zero-days before public disclosure.
The company, alongside CERT-EU-the cybersecurity service for European Union institutions flagged the vulnerabilities as particularly severe, especially for organizations managing sensitive or regulated data.
The vulnerabilities are exclusive to the on-premises version of Ivanti EPMM, a widely used mobile device management (MDM) and endpoint security solution for enterprises.
Cloud-hosted versions are not affected.
Detection and Proof-of-Concept
Security researchers, including those at watchTowr, have released detection tools capable of identifying vulnerable systems.
A screenshot of such a tool, “watchTowr-vs-Ivanti-EPMM-rce-chain.py,” demonstrates successful exploitation of the vulnerability chain, confirming a target system as “VULNERABLE” after executing a test command.
This underscores the ease with which attackers can automate exploitation if systems remain unpatched.
Mitigation and Response
Ivanti has released patched versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1-and is collaborating with security partners and law enforcement to contain the threat.
Customers unable to immediately upgrade are advised to apply workarounds, such as restricting API access through Portal ACLs or external web application firewalls (WAFs).
CERT-EU and other security bodies strongly recommend prompt patching, especially for Internet-facing EPMM deployments, to prevent further exploitation.
Ongoing Investigation
Ivanti’s investigation is ongoing, and the company has not yet released detailed indicators of compromise. Customers are encouraged to contact Ivanti Support for the latest guidance and to monitor official advisories for updates.
The discovery and exploitation of CVE-2025-4427 and CVE-2025-4428 in Ivanti EPMM underscore the critical importance of timely patch management and vigilant security monitoring for enterprise infrastructure.
With proof-of-concept exploits circulating and active attacks reported, swift action is essential to safeguard sensitive data and maintain operational integrity.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant updates
%20(1).webp?resize=1600,900&ssl=1&description=Critical security vulnerabilities in Ivanti EPMM, tracked as CVE-2025-4427 and CVE-2025-4428, are being actively exploited in the wild){kind=link}