Ivanti Addresses Critical EPMM Zero-Day Vulnerabilities Exploited in Code Execution Attacks


Ivanti has alerted its clientele regarding critical security vulnerabilities identified in the Ivanti Endpoint Manager Mobile (EPMM) software, emphasizing the urgency of applying patches to mitigate risks associated with these flaws. These vulnerabilities have been linked to code execution attacks that could potentially allow unauthorized remote access to sensitive resources.

The first vulnerability, CVE-2025-4427, is rated medium severity and is an authentication bypass in the EPMM API component; it lets an attacker reach protected resources on affected devices without valid credentials. The second, CVE-2025-4428, is rated high severity and allows attackers to execute arbitrary code on targeted systems through specially crafted API requests.

In response, Ivanti has released fixed EPMM versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. The company acknowledges that exploitation appears to have been limited to a small number of customers at the time of disclosure, but stresses that elevated caution and immediate action are still necessary. Customers are advised to engage with the Ivanti support team for additional guidance while the investigation continues.
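A defender's first job after an advisory like this is to find every EPMM host in the inventory that is still below the fixed build for its branch. The following triage helper is an added example, not Ivanti's own tooling; it assumes inventory data in the form {hostname: version string}, and (as an assumption) reports a version on a branch with no listed fixed build as "review" rather than as patched.

```python
# Added triage helper, not Ivanti's own tooling: compares reported EPMM versions
# with the fixed builds named in the advisory. Assumption: a version on a release
# branch with no listed fixed build is returned as "review", never as "patched".
from typing import Dict, List, Tuple

# Fixed builds for CVE-2025-4427 / CVE-2025-4428, keyed by release branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.4.0.1' or '12.3.0.2-build7' into a tuple of ints; build tags
    after a dash or space are ignored."""
    core = text.strip().split("-")[0].split(" ")[0]
    return tuple(int(p) for p in core.split("."))

def patch_status(version_text: str) -> str:
    """Return 'patched', 'unpatched' or 'review' for one reported version."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "review"  # branch not covered by the advisory (assumption)
    # Right-pad with zeros so a short string like '12.4' compares as 12.4.0.0.
    padded = version + (0,) * (len(fixed) - len(version))
    return "patched" if padded >= fixed else "unpatched"

def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts from an inventory export {host: version} by patch status."""
    groups: Dict[str, List[str]] = {"patched": [], "unpatched": [], "review": []}
    for host, version in inventory.items():
        groups[patch_status(version)].append(host)
    return groups

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "epmm-01.example.test": "12.5.0.1",
    "epmm-02.example.test": "12.4.0.1",
    "epmm-03.example.test": "11.12.0.4",
    "epmm-04.example.test": "12.3.0.2-build7",
    "epmm-05.example.test": "12.2.0.3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "review" group need a manual check against Ivanti's current advisory, since a branch missing from the table may be end-of-life rather than safe.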

Ivanti representatives noted that these vulnerabilities stem from open-source libraries used by EPMM, but have not disclosed which libraries are involved. The issues are confined to the on-premises EPMM product and do not affect other Ivanti solutions such as Ivanti Neurons for MDM or Ivanti Sentry.

Current monitoring by the Shadowserver threat intelligence platform indicates a significant number of exposed EPMM instances globally, particularly in Germany and the United States, posing a substantial risk to organizations relying on this software.

Furthermore, Ivanti has announced additional security updates addressing a critical authentication bypass vulnerability (CVE-2025-22462) within its Neurons for ITSM IT service management solution, which also requires immediate remediation. The company encourages users to rectify a default credentials vulnerability (CVE-2025-22460) in its Cloud Services Appliance, which could allow local attackers to escalate privileges.

In recent years, numerous vulnerabilities within Ivanti’s offerings have come under scrutiny due to active exploitation in the wild, highlighting the imperative for organizations to maintain vigilant security practices and ensure that all systems are updated promptly to protect against potential threats. Both the FBI and CISA have released advisories indicating ongoing exploitation of pre-existing Ivanti vulnerabilities, stressing the necessity of rapid patching and system hardening.