Ivanti has released an urgent security update to patch two newly discovered vulnerabilities in its Endpoint Manager Mobile (EPMM) software. The flaws have been exploited in limited attacks, allowing threat actors to achieve remote code execution (RCE).
Overview of Ivanti EPMM Vulnerabilities and Their Exploitation
The two critical issues identified are:
- CVE-2025-4427 (CVSS Score: 5.3) is an authentication bypass flaw that lets attackers access protected resources without legitimate credentials.
- CVE-2025-4428 (CVSS Score: 7.2) is a remote code execution flaw that lets attackers run arbitrary code on affected systems.
The two flaws can be chained together in attacks against vulnerable environments.
Impacted Product Versions
The following EPMM versions are vulnerable:
- 11.12.0.4 and earlier (fixed in 11.12.0.5)
- 12.3.0.1 and earlier (fixed in 12.3.0.2)
- 12.4.0.1 and earlier (fixed in 12.4.0.2)
- 12.5.0.0 and earlier (fixed in 12.5.0.1)
Ivanti advises every user of these versions to update immediately to prevent possible compromise.
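The version ranges above, turned into an inventory check (an added example, not Ivanti's tooling). It assumes four-part version strings, reads "and earlier" as also covering older branches that have no fix listed, and uses constructed host names.

```python
import re

# Fixed releases per branch, taken from the list above (ascending order).
FIXED_RELEASES = [(11, 12, 0, 5), (12, 3, 0, 2), (12, 4, 0, 2), (12, 5, 0, 1)]


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple. A trailing '-N' or ' Build N' suffix is
    ignored (the suffix format is an assumption about how versions are reported)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:[-\s].*)?", text)
    if not m:
        raise ValueError(f"unrecognised EPMM version: {text!r}")
    return tuple(int(part) for part in m.groups())


def _fmt(version):
    return ".".join(str(part) for part in version)


def assess(version_text):
    """Return (vulnerable, fixed_release_to_install) for one version string."""
    v = parse_version(version_text)
    # On a listed branch, compare against that branch's fixed release.
    for fixed in FIXED_RELEASES:
        if v[:2] == fixed[:2]:
            return (True, _fmt(fixed)) if v < fixed else (False, None)
    # Unlisted branch: "X and earlier" covers anything below a listed fix,
    # so point at the nearest fixed release above the installed version.
    newer = [f for f in FIXED_RELEASES if f > v]
    if newer:
        return True, _fmt(newer[0])
    return False, None  # newer than every range the article lists


def triage(inventory):
    """Map host -> (vulnerable, upgrade_target) for a {host: version} dict."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "epmm-a.example.internal": "11.12.0.4",
    "epmm-b.example.internal": "12.1.0.0",
    "epmm-c.example.internal": "12.5.0.1",
}

if __name__ == "__main__":
    for host, (vulnerable, target) in triage(SAMPLE_INVENTORY).items():
        print(host, "VULNERABLE, install " + target if vulnerable else "ok")
```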
Ivanti’s Response and Mitigation Steps
The Ivanti EPMM vulnerabilities were reported by CERT-EU, and Ivanti acknowledged that a small number of customers were affected at the time of disclosure.
The issues are linked to two open-source libraries integrated into EPMM, though Ivanti has not publicly named them. It’s unknown whether other programs utilizing these libraries might also be exposed.
Ivanti advises reducing exposure by filtering access with either an external Web Application Firewall (WAF) or the built-in Portal ACLs (Access Control Lists). Only the on-premises EPMM product is impacted by this problem.
Cloud-based products such as Ivanti Sentry and Ivanti Neurons for MDM are unaffected.
Additional Patch for Ivanti Neurons
Ivanti has also patched another critical vulnerability:
CVE-2025-22462 (CVSS Score: 9.8): An authentication bypass in Neurons for ITSM (on-premises version) that lets remote attackers without credentials gain administrative access.
According to Ivanti, there is no evidence that this vulnerability is being exploited in the wild.
Final Thoughts and Recommendations
With zero-day vulnerabilities in Ivanti products catching the eye of threat actors lately, it’s essential for organizations to:
- Apply patches without delay
- Filter access via ACLs or WAF
- Monitor systems for unusual activity
Keeping software up to date and following security advisories is essential to protecting your infrastructure from new threats.
Ahsan Ali is a technology blogger and the founder of Techzivo.com, a platform dedicated to delivering insightful and practical content for tech enthusiasts. He currently focuses on creating in-depth articles around cybersecurity, aiming to help readers stay safe and informed in the digital world. With a passion for emerging technologies, Ahsan plans to expand Techzivo’s coverage into other technology micro-niches such as AI, cloud computing, and digital privacy, offering valuable insights for a broader tech-savvy audience.