

Ethical Hacking News

Ivanti Endpoint Manager Mobile Vulnerability: Understanding the Threat and Mitigation Strategies



Ivanti has issued a critical update to address two new zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) software, which can be exploited by attackers to gain remote code execution. The company urges customers to install the latest patch versions to mitigate the risks. Learn more about the vulnerability and how to protect your organization from this threat.

  • Ivanti has released security patches for its Endpoint Manager Mobile (EPMM) software to address two zero-day vulnerabilities.
  • The first vulnerability, CVE-2025-4427, is an authentication bypass flaw that allows attackers to access protected resources on vulnerable devices.
  • The second vulnerability, CVE-2025-4428, is a remote code execution (RCE) flaw that allows attackers to execute arbitrary code on targeted systems via maliciously crafted API requests.
  • Ivanti has released updates for EPMM versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1 to address both vulnerabilities.
  • The FBI and CISA have warned about the exploitation of these vulnerabilities in a joint advisory issued in January.
  • The Shadowserver threat monitoring platform has identified hundreds of Ivanti EPMM instances exposed online, highlighting the need for organizations to regularly monitor their systems for signs of compromise.



    Ivanti, a leading provider of endpoint management solutions, has recently issued security patches for its Endpoint Manager Mobile (EPMM) software in response to two newly discovered zero-day vulnerabilities that can be exploited by attackers to gain remote code execution. The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, were identified by the company after a limited number of customers had already been targeted with malicious attacks.

    The first vulnerability, CVE-2025-4427, is an authentication bypass flaw in EPMM's API component that allows attackers to access protected resources on vulnerable devices. This means that an attacker without a legitimate user account and password can still use the exploit to gain unauthorized access to sensitive data or perform malicious actions.

    The second vulnerability, CVE-2025-4428, is a remote code execution (RCE) flaw that allows attackers to execute arbitrary code on targeted systems via maliciously crafted API requests. This means that an attacker can send a specially crafted request to the EPMM server, which would then execute the malicious code on the target system, potentially allowing the attacker to install malware, steal data, or gain control over the device.

    Ivanti has released updates for EPMM versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1, which address both vulnerabilities. The company is urging all customers using the on-premises EPMM product to promptly install the patch to prevent exploitation.
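    As an added example (not Ivanti's code and not part of the original article), the following Python script triages an inventory of EPMM servers against the four fixed versions named above. It assumes a build belongs to the release train given by its first three version components; the hostnames and inventory are constructed.

```python
# Added example: patch-level triage for EPMM hosts.
# Fixed builds are the four versions named in the article. Treating the first
# three components as the release train is an assumption of this example.
FIXED_BUILDS = ["11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1"]

def parse_version(text):
    """Turn '12.4.0.1' into (12, 4, 0, 1); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part EPMM version: {text!r}")
    return tuple(int(p) for p in parts)

# Map each release train, e.g. (12, 4, 0), to its first fixed build.
FIXED = {parse_version(v)[:3]: parse_version(v) for v in FIXED_BUILDS}

def classify(version_text):
    """Return 'patched', 'vulnerable' or 'review' for one reported version."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review"  # unparseable inventory data needs a human
    fixed = FIXED.get(version[:3])
    if fixed is None:
        return "review"  # no fixed build is named for this train
    # Tuple comparison is numeric, so 12.3.0.10 sorts after 12.3.0.2.
    return "patched" if version >= fixed else "vulnerable"

def triage(inventory):
    """Group hosts by status; inventory maps hostname -> reported version."""
    report = {"patched": [], "vulnerable": [], "review": []}
    for host, version in sorted(inventory.items()):
        report[classify(version)].append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "epmm-a.example.internal": "12.5.0.1",
    "epmm-b.example.internal": "12.4.0.1",
    "epmm-c.example.internal": "11.12.0.5",
    "epmm-d.example.internal": "12.3.0.10",
    "epmm-e.example.internal": "11.10.0.2",
    "epmm-f.example.internal": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

    Hosts reported as "review" are on a train with no fixed build named in the article, or returned a version string that could not be parsed, and need manual follow-up.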

    In addition to the EPMM vulnerabilities, Ivanti has released security updates for its Neurons for ITSM IT service management solution to address a critical authentication bypass vulnerability (CVE-2025-22462). This flaw allows unauthenticated attackers to gain administrative access to the system, which could be used to steal sensitive data or perform malicious actions.

    Furthermore, Ivanti has patched a default credentials flaw (CVE-2025-22460) in its Cloud Services Appliance (CSA), which allows local authenticated attackers to escalate privileges on vulnerable systems. This means that an attacker who gains access to the CSA with valid login credentials can use the exploit to gain elevated privileges and perform malicious actions.

    The FBI and CISA have also warned about the exploitation of these vulnerabilities in a joint advisory issued in January. The agencies noted that threat actors are still exploiting months-old Ivanti Cloud Service Appliances (CSA) security vulnerabilities to breach vulnerable networks.

    In recent years, multiple other security vulnerabilities have been exploited in zero-day attacks targeting Ivanti's VPN appliances and ICS, IPS, and ZTA gateways. This highlights the importance of keeping endpoint management software up-to-date with the latest security patches and regularly monitoring for suspicious activity on your network.

    It is essential to note that both vulnerabilities are associated with two open-source libraries used by EPMM, but Ivanti did not disclose their names in the advisory. However, customers can mitigate these vulnerabilities by installing the latest patch versions of EPMM, as well as other affected Ivanti products.

    The Shadowserver threat monitoring platform currently tracks hundreds of Ivanti EPMM instances exposed online, with most located in Germany (992) and the United States (418). This highlights the need for organizations to regularly monitor their systems for signs of compromise and take swift action to patch vulnerabilities before they can be exploited by attackers.

    In conclusion, the recently discovered zero-day vulnerabilities in Ivanti Endpoint Manager Mobile software highlight the importance of keeping endpoint management solutions up-to-date with the latest security patches. Organizations must prioritize vulnerability management and implement robust security controls to prevent exploitation of these newly disclosed flaws.





  • Published: Tue May 13 13:58:09 2025 by llama3.2 3B Q4_K_M












