Ivanti EPMM vulnerabilities exploited in the wild (CVE-2025-4427, CVE-2025-4428)
Ivanti confirmed on Tuesday that attackers have exploited vulnerabilities in open-source libraries to compromise the on-prem Ivanti Endpoint Manager Mobile (EPMM) instances of a “very limited” number of customers, and urged customers to install a patch as soon as possible.
“The investigation is ongoing and Ivanti does not have reliable atomic indicators [of compromise] at this time. Customers should reach out to our Support Team for guidance,” the company said.
CVE-2025-4427 and CVE-2025-4428
The exploited vulnerabilities are in two currently unnamed open-source libraries integrated into EPMM.
They didn’t have a CVE number when Ivanti reported them to the maintainers of the open-source libraries, but they have now:
- CVE-2025-4427 is an authentication bypass flaw that allows attackers to access protected resources without proper credentials
- CVE-2025-4428 is a remote code execution vulnerability that allows attackers to execute arbitrary code on the target system
The vulnerabilities have been flagged by CERT-EU, the cybersecurity service for the institutions, bodies, offices and agencies of the European Union, so it’s likely that they have been exploited as zero-days (i.e., vulnerabilities unknown to the libraries’ developers and without a patch) to breach some of those institutions.
Ivanti has released EPMM versions with fixes – 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1 – and is “actively collaborating with security partners, the broader security community and law enforcement.” If vulnerable instances can’t be upgraded, Ivanti has laid out possible workarounds and mitigations.
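For administrators with several EPMM appliances to check, the following script is an added example (not Ivanti’s tooling and not part of the original article) that compares an installed version string against the fixed release for its branch. The four fixed versions are the ones named above; the branch-to-fix mapping, the treatment of unlisted branches as “unknown” rather than safe, and the sample inventory are assumptions made for this example.

```python
"""Classify Ivanti EPMM version strings against the fixed releases named in
the article (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1).

Assumptions of this example: a fix applies to every build on its major.minor
branch, and a branch the article does not list is reported as unknown so the
operator checks with the vendor instead of assuming it is safe.
"""

# Fixed releases from the article, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '12.4.0.1' into (12, 4, 0, 1); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one version.

    Comparison is tuple-wise, so a short string such as '12.3' is padded
    with zeros to (12, 3, 0, 0) before being compared with the fixed build.
    """
    v = parse_version(version)
    v = v + (0,) * max(0, 4 - len(v))
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if v >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by assessment so the vulnerable ones can be patched first."""
    groups: dict[str, list[str]] = {
        "vulnerable": [],
        "fixed": [],
        "unknown-branch": [],
    }
    for host, version in inventory.items():
        groups[assess(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "epmm-eu-01.example": "12.4.0.1",
        "epmm-eu-02.example": "12.4.0.2",
        "epmm-us-01.example": "11.12.0.3",
        "epmm-lab.example": "12.2.0.1",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The “unknown-branch” bucket is deliberate: a branch that is not in the article’s list is neither confirmed fixed nor confirmed unaffected, so the script refuses to guess and leaves that decision to the operator and the vendor advisory.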
The vulnerabilities affect only the on-prem EPMM product, which is a mobile device management (MDM) and endpoint security solution for enterprises.
Zero-day vulnerabilities affecting Ivanti EPMM are often leveraged by threat actors.
Patches for other Ivanti products
The company has also released security updates and patches for other Ivanti enterprise solutions, each fixing one vulnerability:
- CVE-2025-22462 is a critical authentication bypass flaw in the on-prem Ivanti Neurons for ITSM that could allow remote unauthenticated attackers to gain administrative access to the system
- CVE-2025-22460 stems from default credentials in Ivanti Cloud Services Application, which may allow a local authenticated attacker to escalate their privileges.
- An improper authorization vulnerability (without a CVE number) in the cloud-based Ivanti Neurons for MDM may allow a remote unauthenticated attacker to edit or delete resources.
These vulnerabilities have been reported by outside researchers and there is currently no indication that they are being leveraged in attacks.