Recommended reading

Ivanti patches two zero-days that could lead to RCE in Endpoint Manager Mobile

News
By published

A patch and a workaround are available

A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
(Image credit: Shutterstock)
  • Ivanti patched two flaws being chained to mount RCE attacks
  • A "limited number" of companies were allegedly compromised
  • Only on-prem products are affected

Ivanti has released a patch for two vulnerabilities in its Endpoint Manager Mobile (EPMM) software, that’s allegedly being chained in remote code execution (RCE) attacks in the wild.

The vulnerabilities are tracked as CVE-2025-4427, and CVE-2025-4428. The former is an authentication bypass in EPMM’s API, allowing threat actors to access protected resources. It was assigned a medium-severity score of 5.3.

The latter is an RCE vulnerability exploited through maliciously crafted API requests. This one was given a high severity score (7.2/10).

Save up to 68% on identity theft protection for Techradar readers

Save up to 68% on identity theft protection for Techradar readers

TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal.

Preferred partner (What does this mean?)

View Deal

Updating the tools

Ivanti says it’s seen it abused in attacks: "When chained together, successful exploitation could lead to unauthenticated remote code execution,” the company said in a security advisory. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure."

To address the issue, users should install Ivanti Endpoint Manager Mobile 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.

"The issue only affects the on-prem EPMM product. It is not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products," the company further explained. "We urge all customers using the on-prem EPMM product to promptly install the patch."

Ivanti’s EPMM software is a popular solution across different industries, including healthcare, education, logistics, manufacturing, and government. According to The Shadowserver, there are hundreds of exposed instances at the moment, mostly in Germany (992), but with a significant number in the United States (418), as well.

Those that cannot apply the patch at this time can implement different workarounds. Ivanti said these users should follow best practice guidance or filtering access to the API using either the built-in Portal ACL’s functionality, or an external WAF. More details on using the portal’s ACL functionality can be found here.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.