

Ethical Hacking News

Ivanti Vulnerabilities: A Double-Edged Sword for Enterprise Security


Ivanti has patched two zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) product, as well as another critical vulnerability in Neurons for ITSM. The company is working to understand the impact of these vulnerabilities and is encouraging its customers to apply the patches to mitigate potential attacks.

  • Ivanti has issued patches for two zero-day vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in its Endpoint Manager Mobile (EPMM) product.
  • The ASD has warned of the severity of these vulnerabilities, which can be chained together to achieve remote code execution (RCE).
  • The vulnerabilities are linked to mystery open-source libraries integrated into EPMM, and Ivanti is working with its security partners and library maintainers to determine if separate CVEs need to be assigned.
  • The ASD's advisory suggests that smaller companies may be less affected by these vulnerabilities, but Ivanti has made patches available for all four series of the software.
  • Ivanti recommends filtering access to the API using Portal ACLs functionality or an external WAF to mitigate the threat of chained attacks.
  • Ivanti has also patched a critical vulnerability (CVE-2025-22462) in Neurons for ITSM that allows remote attackers to gain admin rights.
  • Implementing best practices such as securing IIS and restricting access can effectively reduce the risk of this bug.



    Ivanti, a leading provider of endpoint management solutions, has recently issued patches for two zero-day vulnerabilities (CVE-2025-4427 and CVE-2025-4428) that have been chained together to achieve remote code execution (RCE). The Australian Signals Directorate (ASD), which serves as Australia's primary intelligence agency, has also issued a critical warning about these vulnerabilities, highlighting the severity of the situation.

    According to Ivanti, the two zero-days are linked to two mystery open-source libraries that are integrated into its Endpoint Manager Mobile (EPMM) product. The vendor is working closely with its security partners and the maintainers of the libraries to determine if separate CVEs need to be assigned for the libraries themselves. The collaboration is intended to ensure that the broader security ecosystem benefits.

    The ASD's advisory stated that the information was intended for large organizations and government entities, suggesting that the EPMM vulnerabilities are less likely to affect smaller companies. However, Ivanti has emphasized that all four series of the software (11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier) have patches available.

    To mitigate the threat of chained attacks, Ivanti recommends filtering access to the API using either Portal ACLs functionality or an external WAF. Rather than providing indicators of compromise, Ivanti urges customers who are concerned that they may be compromised to contact its support team.

    The lack of reliable atomic indicators for these vulnerabilities might be due to the fact that the buggy code doesn't belong to Ivanti but rather is part of two unspecified open-source libraries integrated into EPMM. The vendor is actively engaged with the maintainers of the libraries to determine if a CVE against the libraries is warranted for the benefit of the broader security ecosystem.

    Another critical vulnerability, CVE-2025-22462 (9.8), affecting on-prem instances of Neurons for ITSM, has also been patched by Ivanti. This nearly maximum-severity bug allows remote attackers to give themselves admin rights and has not yet been exploited in the wild. However, patches are available now for affected versions (2023.4, 2024.2, and 2024.3).
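    The affected-version lists above (EPMM series ceilings and the Neurons for ITSM releases) can be checked against an asset inventory. The following is an added example, not code from Ivanti or the original article; the host names and inventory rows are constructed, and treating series older than a listed one as affected is an assumption drawn from the "and earlier" wording.

```python
# EPMM: each listed series is affected up to and including this build.
EPMM_CEILINGS = {
    (11, 12): (11, 12, 0, 4),
    (12, 3): (12, 3, 0, 1),
    (12, 4): (12, 4, 0, 1),
    (12, 5): (12, 5, 0, 0),
}
# Neurons for ITSM (on-prem): affected releases as listed in the article.
ITSM_AFFECTED = {"2023.4", "2024.2", "2024.3"}


def parse_version(text):
    """Turn '12.4.0.1' into (12, 4, 0, 1); pad short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def epmm_status(version_text):
    version = parse_version(version_text)
    ceiling = EPMM_CEILINGS.get(version[:2])
    if ceiling is not None:
        return "affected" if version <= ceiling else "above listed ceiling"
    # Assumption: "and earlier" also covers series older than a listed one.
    if version < max(EPMM_CEILINGS.values()):
        return "affected (unlisted older series)"
    return "not listed"


def itsm_status(version_text):
    return "affected" if version_text.strip() in ITSM_AFFECTED else "not listed"


def triage(inventory):
    """Return (host, product, version, status) for every inventory row."""
    checks = {"EPMM": epmm_status, "ITSM": itsm_status}
    return [(h, p, v, checks[p](v)) for h, p, v in inventory]


SAMPLE_INVENTORY = [  # constructed hosts and versions
    ("mdm-01", "EPMM", "12.4.0.1"),
    ("mdm-02", "EPMM", "12.5.0.1"),
    ("mdm-03", "EPMM", "11.10.0.2"),
    ("itsm-01", "ITSM", "2024.3"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

    A status of "above listed ceiling" only means the build is newer than the ceiling named here; confirm the fixed build against the vendor advisory before closing the finding.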

    Ivanti has little to share in terms of mitigations for this bug, except for its previously espoused best practices. As long as customers secure their IIS website, restrict access to limited IP addresses and domains, and run Neurons for ITSM in a demilitarized zone when authenticating remote workers, their environments can be considered less at risk.

    Provided these best practices are implemented, Ivanti said that customers can effectively consider this bug a 6.9 on the CVSS, instead of the near-maximum 9.8 it would be without proper configuration.



  • Published: Wed May 14 12:03:39 2025 by llama3.2 3B Q4_K_M