Ivanti fixed two EPMM flaws exploited in limited attacks


This post was originally published on Security Affairs. It can be found here.

Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited attacks.

Ivanti has released security updates to address two vulnerabilities in Endpoint Manager Mobile (EPMM) software. The company confirmed that threat actors have chained the flaws in limited attacks to gain remote code execution.

The two vulnerabilities are tracked as CVE-2025-4427 and CVE-2025-4428; their descriptions are below:

  • CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass in Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. 
  • CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability in Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system. 

CERT-EU reported both vulnerabilities to the software firm.

The company confirmed that threat actors could chain the two vulnerabilities to achieve remote code execution without authentication.

“Ivanti has released updates for Endpoint Manager Mobile (EPMM) which addresses one medium and one high severity vulnerability. When chained together, successful exploitation could lead to unauthenticated remote code execution.” reads the advisory. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.”

Below is the list of the impacted software versions:

The vulnerabilities have been addressed with versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.  
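The following is an added example, not Ivanti tooling or code from the original article: a small check that tells you whether an EPMM version string is at or above the fixed release for its branch, using the four fixed versions listed above. It assumes the version string is obtained out of band (for instance from the EPMM admin portal); the hypothetical sample inventory at the bottom is constructed. Because the page does not reproduce the full list of impacted versions, a version on a branch that has no fixed release listed is reported as undetermined rather than guessed.

```python
"""Check EPMM version strings against the fixed releases for the
CVE-2025-4427 / CVE-2025-4428 chain.

Added illustration, not Ivanti's own tooling. The version string is assumed
to be collected elsewhere (e.g. from the EPMM admin portal).
"""

# Fixed releases named in the advisory, one per supported branch.
FIXED_VERSIONS = ("11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1")


def parse_version(text):
    """Turn '12.5.0.1' into (12, 5, 0, 1); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def branch(version_tuple):
    """EPMM fixes are keyed by the major.minor branch (11.12, 12.3, ...)."""
    return version_tuple[:2]


# Map each branch to the first version on that branch that carries the fix.
FIXED_BY_BRANCH = {branch(parse_version(v)): parse_version(v) for v in FIXED_VERSIONS}


def assess(version):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version string.

    'unknown-branch' means the page lists no fixed release for that branch, so
    the status cannot be decided from the information here.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(branch(v))
    if fixed is None:
        return "unknown-branch"
    # Pad with zeros so a short string such as '12.5' compares as 12.5.0.0.
    width = max(len(v), len(fixed))
    v_padded = v + (0,) * (width - len(v))
    fixed_padded = fixed + (0,) * (width - len(fixed))
    return "patched" if v_padded >= fixed_padded else "vulnerable"


def assess_all(versions):
    """Assess a list of version strings; returns {version: status}."""
    return {ver: assess(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    inventory = ["12.5.0.0", "12.5.0.1", "12.4.0.2", "12.3.0.1",
                 "11.12.0.4", "11.12.0.5", "12.2.0.0"]
    for ver, status in assess_all(inventory).items():
        print(f"{ver:>10}  {status}")
```

Anything reported as vulnerable should be upgraded to the fixed release for its branch; anything reported as unknown-branch needs to be checked against Ivanti's full advisory rather than assumed safe.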

The vulnerabilities reside in two unnamed open-source libraries used in EPMM; the company pointed out that they are not in Ivanti's own code.

The company is still investigating the attacks; however, it does not have “reliable atomic indicators” at the time of this writing. Until such indicators are published, the only practical mitigation is to upgrade to one of the fixed versions.


Pierluigi Paganini

(SecurityAffairs – hacking, EPMM)

