Wednesday, June 18, 2025

Ivanti EPMM Flaws Exploited in Active Attacks


Hackers exploited Ivanti EPMM flaws CVE-2025-4427/4428 for RCE. Users urged to patch as CISA flags vulnerabilities in active use.

Hackers have successfully breached a limited number of Ivanti Endpoint Mobile Manager users by chaining together medium and high-severity vulnerabilities in the suite of mobile device management software.

The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, can allow an unauthenticated attacker to achieve remote code execution. Ivanti is urging customers to immediately upgrade to a fixed version of the software.

The company also warned that the two vulnerabilities are linked to flaws in open-source libraries that are integrated into EPMM. Security researchers say those third-party flaws could have broader implications.

Ivanti said it is working with security partners and with maintainers of the affected libraries to determine whether additional CVEs are warranted.


There is some disagreement about the issue, however. Researchers at watchTowr raised questions about whether the issue can legitimately be blamed on a third-party library vulnerability. The researchers claim Ivanti misused a known dangerous function in the hibernate-validator library.

Meanwhile, researchers at the Shadowserver Foundation reported 798 instances of CVE-2025-4427 were unpatched and considered vulnerable as of Sunday, down from 940 instances on Thursday.

The Cybersecurity and Infrastructure Security Agency (CISA) on Monday added CVE-2025-4427 and CVE-2025-4428 to its Known Exploited Vulnerabilities catalog.

The exploit chain involves linking CVE-2025-4427, an authentication bypass in EPMM that allows an attacker to gain access to protected resources without proper credentials, with CVE-2025-4428, a remote code execution flaw that allows an attacker to execute arbitrary code on a target system.


The vulnerabilities have CVSS scores of 5.3 (medium severity) and 7.2 (high severity), respectively. When chained together, researchers at Rapid7 said, an unauthenticated attacker could reach a web API endpoint to inject server-side template patterns and exploit the high-severity flaw.

Rapid7 has tested proof-of-concept exploits and confirmed they work, but has not yet seen any confirmed exploitation in customer environments, according to security researcher Ryan Emmons.

Emmons added that it’s unclear which open-source libraries Ivanti is citing as the root cause of the flaw. A spokesperson for Ivanti was not immediately available for comment.

The security issues were first reported to Ivanti by CERT-EU, the Cybersecurity Service for the Union Institutions.
