
Ethical Hacking News

Ivanti Endpoint Manager Mobile Vulnerability Exploitation: A Growing Concern for Cloud Security



Ivanti's Endpoint Manager Mobile has been targeted by hackers exploiting two previously unknown vulnerabilities, allowing attackers to bypass authentication mechanisms and execute remote code on vulnerable deployments. The bug, which affects both on-premises and cloud-based systems, highlights the growing concern for cloud security and emphasizes the need for organizations to prioritize their cybersecurity posture.

  • The Ivanti Endpoint Manager Mobile (EPMM) software has been targeted by attackers exploiting two previously unknown vulnerabilities, CVE-2025-4427 and CVE-2025-4428.
  • The bugs allow hackers to bypass authentication mechanisms and execute remote code on vulnerable deployments, giving them control over the compromised system.
  • The attacks have been ongoing since May 16, with attackers using malicious payloads, including a remote-control tool called Sliver, to deploy malware on compromised systems.
  • The same IP address used by attackers is still in operation, suggesting that the same actor has been targeting both PAN-OS and Ivanti EPMM appliances.
  • The vulnerabilities arise from improper request handling and unsafe use of Java Expression Language in error messages processed via Spring's AbstractMessageSource.
  • Organizations using EPMM are advised to patch these vulnerabilities immediately, as they have been rated as critical due to their combined impact.



    In recent weeks, a growing number of organizations have been targeted by attackers who have exploited two previously unknown vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) software. The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, allow hackers to bypass authentication mechanisms and execute remote code on vulnerable deployments, effectively giving them control over the compromised system.

    The bugs were first discovered by security researchers at Wiz, who reported that they had observed ongoing exploitation of these vulnerabilities in-the-wild targeting exposed and vulnerable EPMM instances in cloud environments. According to the researchers, the attacks have been carried out since May 16, with attackers using malicious payloads, including a remote-control tool called Sliver, to deploy malware on compromised systems.

    The Wiz team has also observed that the same IP address used by attackers to exploit these vulnerabilities is still in operation and its TLS certificate has not changed since November 2024. This continuity suggests that the same actor has been targeting both PAN-OS and Ivanti EPMM appliances.

    The first vulnerability, CVE-2025-4427, arises from improper request handling in EPMM's route configuration, which allows unauthenticated access to an RCE sink. The second, CVE-2025-4428, is caused by the unsafe use of Java Expression Language in error messages processed via Spring's AbstractMessageSource, allowing attacker-controlled EL (Expression Language) injection.
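    As an added illustration (not code from the article, from Ivanti or from EPMM), the following Java snippet contrasts the risky and safe ways of routing untrusted text through a Spring MessageSource: using it as the message code turns it into the message template, whereas passing it as a positional argument keeps it as data. It assumes, as the article describes, that a downstream interpolation step evaluates EL in whatever template the message source returns; the bundle contents and the input string are constructed for this example.

```java
import java.util.Locale;
import org.springframework.context.support.StaticMessageSource;

public class MessageSourceDemo {
    // Toy message bundle with one resolvable code (constructed for this example).
    static StaticMessageSource bundle() {
        StaticMessageSource ms = new StaticMessageSource();
        ms.addMessage("error.format.invalid", Locale.ENGLISH,
                      "Unsupported format parameter: {0}");
        return ms;
    }

    // Risky pattern: untrusted text is used as the message *code*. With
    // useCodeAsDefaultMessage enabled, an unknown code is returned verbatim as
    // the message template, so the caller-supplied string becomes the template
    // that any later interpolation layer (assumed here to evaluate EL) processes.
    static String untrustedAsTemplate(String untrusted) {
        StaticMessageSource ms = bundle();
        ms.setUseCodeAsDefaultMessage(true);
        return ms.getMessage(untrusted, null, Locale.ENGLISH);
    }

    // Safe pattern: the template is a fixed, server-controlled code and the
    // untrusted text is passed only as a MessageFormat argument, so it is
    // substituted as data and never interpreted as a template.
    static String untrustedAsArgument(String untrusted) {
        StaticMessageSource ms = bundle();
        ms.setUseCodeAsDefaultMessage(false);
        return ms.getMessage("error.format.invalid",
                             new Object[] { untrusted }, Locale.ENGLISH);
    }

    public static void main(String[] args) {
        String input = "constructed-untrusted-input"; // inert sample value
        // Risky call: the returned template is the raw input itself.
        System.out.println(untrustedAsTemplate(input));
        // Safe call: the input appears only where the {0} placeholder was.
        System.out.println(untrustedAsArgument(input));
    }
}
```

    The defensive takeaway is the second method: keep message codes and templates server-controlled, and treat anything derived from a request strictly as a formatting argument.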

    The researchers have also identified multiple malicious payloads being deployed post-exploitation, including the Sliver tool mentioned earlier. The Wiz team suggests that these bugs be treated as critical due to their combined impact, even though individually CVE-2025-4427 received a CVSS severity score of 5.3 (medium) and CVE-2025-4428 a score of 7.2 (high).

    In response to this growing threat, Ivanti has released patches for both vulnerabilities, which can be applied to affected deployments. Organizations using EPMM should apply them immediately, before their deployments are exploited by attackers.

    As cloud security continues to evolve and expand, it's becoming increasingly evident that the lack of secure coding practices and oversight in software development can have devastating consequences for businesses and individuals alike. In this case, a failure in secure code handling has allowed hackers to gain unauthorized access to organizations' endpoints, compromising sensitive data and increasing the risk of further attacks.

    Moreover, the exploitation of vulnerabilities in cloud-based applications highlights the need for robust security measures that extend beyond on-premises environments. As more businesses move their operations to the cloud, it's essential for organizations to prioritize their cybersecurity posture by implementing regular vulnerability assessments, patching software promptly, and adopting a proactive approach to securing their cloud infrastructure.

    In conclusion, the exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile is a pressing concern that requires immediate attention from organizations using these applications. By understanding the scope of this threat and taking proactive measures to mitigate it, businesses can reduce the risk of attacks and protect their sensitive data.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ivanti-Endpoint-Manager-Mobile-Vulnerability-Exploitation-A-Growing-Concern-for-Cloud-Security-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2025/05/21/ivanti_rce_attacks_ongoing/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-4427

  • https://www.cvedetails.com/cve/CVE-2025-4427/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-4428

  • https://www.cvedetails.com/cve/CVE-2025-4428/


  • Published: Tue May 20 20:56:56 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.