- Ivanti has patched two flaws that were chained together in RCE attacks
- A “limited number” of companies were reportedly compromised
- Only on-premises products are affected
Ivanti has published a fix for two vulnerabilities in its Endpoint Manager Mobile (EPMM) product, which were reportedly chained in real-world remote code execution (RCE) attacks.
The vulnerabilities are tracked as CVE-2025-4427 and CVE-2025-4428. The first is an authentication bypass in the EPMM API, allowing threat actors to access protected resources. It was assigned a medium severity score of 5.3.
The second is an RCE vulnerability exploited through maliciously crafted API requests. It received a high severity score (7.2/10).
Ivanti says it has seen the flaws abused in attacks: “When chained together, successful exploitation could lead to unauthenticated remote code execution,” said the company in a security advisory. “We are aware of a very limited number of customers whose solution was used at the time of disclosure.”
To address the problem, users must install Ivanti Endpoint Manager Mobile 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1.
“The problem only affects the on-prem EPMM product. We urge all customers using the on-prem EPMM product to quickly install the fix.”
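To triage an inventory of on-prem EPMM servers against the fixed builds named above, the following added example (not Ivanti's code and not part of the original article) compares version strings numerically within each release line. The host names and sample versions are constructed, and treating the first two version components as the release line is an assumption.

```python
from collections import defaultdict

# Fixed builds as listed in the article.
FIXED_BUILDS = ["11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1"]


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not N.N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


# Assumption: the first two components (e.g. 12.4) identify a release line.
FIXED_BY_LINE = {parse_version(v)[:2]: parse_version(v) for v in FIXED_BUILDS}


def triage(version_text):
    """Classify one reported EPMM version against the fixed builds."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"        # verify manually, do not assume patched
    fixed = FIXED_BY_LINE.get(version[:2])
    if fixed is None:
        return "unlisted-line"      # article names no fix for this line
    # Tuple comparison is numeric, so 12.3.0.10 sorts after 12.3.0.2;
    # a plain string comparison would get that case wrong.
    return "fixed" if version >= fixed else "needs-update"


def triage_inventory(rows):
    """Group (hostname, version) pairs by triage status."""
    report = defaultdict(list)
    for host, version in rows:
        report[triage(version)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory, for illustration only.
SAMPLE_INVENTORY = [
    ("epmm-a.example.internal", "12.5.0.0"),
    ("epmm-b.example.internal", "12.3.0.10"),
    ("epmm-c.example.internal", "11.12.0.5"),
    ("epmm-d.example.internal", "12.4.0"),
]

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `unlisted-line` or `unparseable` need a manual check against the vendor advisory, since the article only names the four fixed builds.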
Ivanti EPMM is a popular solution across different industries, including health care, education, logistics, manufacturing and government. According to Shadowserver, there are currently hundreds of exposed instances, mainly in Germany (992), but with a significant number in the United States (418).
Those who cannot apply the fix right away can implement workarounds. Ivanti said that these users should follow best-practice guidance or filter access to the API using either the built-in Portal ACLs functionality or an external WAF. More details on using the portal's ACL functionality can be found here.
Via BleepingComputer