IT software company Ivanti released emergency patches for its enterprise mobile device management (MDM) solution after learning of in-the-wild attacks exploiting two previously unknown vulnerabilities. The two flaws have moderate and high severity, but when combined in an exploit chain, they enable unauthenticated remote code execution on Ivanti Endpoint Manager Mobile (EPMM).
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” the company wrote in its advisory, crediting the European Commission’s CERT-EU with reporting the flaws. The Australian government’s Cyber Security Centre (ACSC) also issued a critical advisory aimed at large businesses, organizations, and government agencies.
Ivanti released EPMM versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1, which include fixes for the two vulnerabilities that are tracked as CVE-2025-4427 and CVE-2025-4428.
Flaws in third-party components
Ivanti notes that the vulnerabilities are located in two open-source libraries used in the product. Because the flaws have not yet been announced in the libraries themselves, the company decided not to name them for now but is working with their maintainers.
One of the flaws, CVE-2025-4428, is an arbitrary code execution issue, but because it requires authentication to exploit, it has only a 7.2 (high severity) score on the CVSS scale. The other vulnerability is an authentication bypass that provides unauthenticated attackers with access to protected resources and is rated only as medium severity with a score of 5.3.
However, the authentication bypass is exactly what’s needed to turn the impact of the first flaw from high to critical, because it allows the code execution flaw to be exploited without authentication, removing its only limiting factor. This is a good example of why severity scores should not be the only criterion for prioritizing patches: some lower-severity flaws can be combined into much more potent attacks.
Mitigation
If upgrading to the patched versions is not possible right away, Ivanti notes that filtering access to the API, using either the built-in Portal ACLs functionality or an external WAF, can mitigate the attacks.
“While this is an effective mitigation, it could impact the functionality of your solution depending on your specific configurations,” the company said. “In particular, integrations where IPs are difficult to determine or change often will be impacted, such as: Windows Device Registrations using Autopilot or Microsoft Device Compliance and Graph API integrations.”
Using the ACLs functionality instead of Portal ACLs is not recommended because it blocks all access by network IP ranges, instead of access to only specific functionality.
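The distinction Ivanti draws between the two ACL styles is easier to see in code. The following is an added illustration, not Ivanti's own code or configuration: it models a Portal-ACL-style rule that gates only requests to the API path by source IP, beside a network-ACL-style rule that gates every request. The API prefix (`/api/`), the user-portal path, and all IP ranges are constructed placeholders; the real EPMM API paths are not given in the article. The `denied_api_sources` helper shows the check a defender would run over recent access logs before enforcing the filter, to find integrations whose source IPs are not yet on the allowlist (the caveat Ivanti raises about Autopilot, Device Compliance and Graph API integrations).

```python
# Added example (not Ivanti's code): path-scoped vs. network-wide source-IP filtering.
# All paths and addresses below are constructed placeholders.
import ipaddress
from typing import Callable, Iterable, List, Set, Tuple

# Placeholder for the API path prefix the mitigation is meant to protect.
PROTECTED_PREFIXES = ("/api/",)

# Constructed allowlist of networks that legitimately call the API
# (e.g. an MDM integration host and a management subnet).
ALLOWED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.10/32")
]

Request = Tuple[str, str]  # (client_ip, request_path)


def is_protected_path(path: str) -> bool:
    """True when the request targets the API surface the ACL should gate."""
    return any(path.startswith(prefix) for prefix in PROTECTED_PREFIXES)


def is_allowed_source(client_ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """True when the client address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def portal_acl_decision(client_ip: str, path: str) -> str:
    """Portal-ACL style: only the API prefix is restricted by source IP.
    Other functionality (user portal, device enrollment pages) keeps working."""
    if is_protected_path(path) and not is_allowed_source(client_ip):
        return "deny"
    return "allow"


def network_acl_decision(client_ip: str, path: str) -> str:
    """Network-ACL style: every request is restricted by source IP, whatever the path.
    This is the blanket behaviour Ivanti advises against using for this mitigation."""
    return "allow" if is_allowed_source(client_ip) else "deny"


def evaluate(requests: Iterable[Request],
             decide: Callable[[str, str], str]) -> List[Tuple[str, str, str]]:
    """Apply a decision function to each request and return (ip, path, verdict)."""
    return [(ip, path, decide(ip, path)) for ip, path in requests]


def denied_api_sources(requests: Iterable[Request]) -> Set[str]:
    """Pre-enforcement audit: which source IPs would lose API access under the
    Portal-ACL rule? Any legitimate integration appearing here needs its address
    added to the allowlist before the filter is switched on."""
    return {
        ip for ip, path in requests
        if is_protected_path(path) and not is_allowed_source(ip)
    }


# Constructed sample of recent requests, as a defender might extract from access logs.
SAMPLE_REQUESTS: List[Request] = [
    ("203.0.113.7", "/api/v1/devices"),       # allowlisted integration host calling the API
    ("192.0.2.55", "/api/v1/devices"),        # unknown source calling the API
    ("192.0.2.55", "/portal/login"),          # unknown source using the user portal
    ("198.51.100.10", "/portal/login"),       # allowlisted host using the user portal
    ("192.0.2.200", "/api/v1/compliance"),    # integration whose IP changed and is not allowlisted
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_REQUESTS, portal_acl_decision):
        print("portal-acl ", row)
    for row in evaluate(SAMPLE_REQUESTS, network_acl_decision):
        print("network-acl", row)
    print("API callers not on the allowlist:", sorted(denied_api_sources(SAMPLE_REQUESTS)))
```

Under the Portal-ACL rule the unknown source is denied only on the API path and still reaches the portal; under the network-ACL rule it is denied everywhere, which is why the article calls the latter unsuitable. The audit output is the list to reconcile against known integrations before turning the filter on.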
Customers on older versions can obtain and manually deploy an RPM file as a fix from the command line in privileged mode. But the company warns that it hasn’t been tested on older and unsupported versions and advises such customers to upgrade to a supported software version as soon as possible.
Ivanti Sentry, a gateway that manages, encrypts, and secures traffic between mobile devices and back-end enterprise systems, is not directly affected by these vulnerabilities. Because it depends on the EPMM appliance and its configuration, however, its security should be checked as well.
Ivanti does not currently have indicators of compromise to share that could help customers determine whether an exploit has occurred on their appliances.
Source: “Ivanti patches two EPMM flaws exploited in the wild,” CSO Online.