- New research indicates the flaws are being used in attacks against cloud instances
- The flaws had already been seen in on-premises attacks
- Ivanti has published a patch, so apply it now
Two bugs affecting Ivanti Endpoint Manager Mobile (EPMM), which were discovered and patched in mid-May, are still being abused in real-world attacks. In fact, attackers are now also targeting cloud instances.
That is according to researchers at cybersecurity firm Wiz, who recently published a new report detailing the findings.
“Wiz Research has observed continuous exploitation of these vulnerabilities targeting exposed and vulnerable EPMM instances in cloud environments since May 16, 2025, coinciding with the publication of PoCs by several sources, including watchTowr and ProjectDiscovery,” the researchers said in their report.
CISA added flaws to KEV
The bugs in question are an authentication bypass and a post-authentication remote code execution (RCE) flaw. They are tracked as CVE-2025-4427 and CVE-2025-4428, and neither has received a critical severity score. “Although neither vulnerability has been assigned critical severity, in combination they should certainly be treated as critical,” Wiz added.
Ivanti addressed the vulnerabilities with a patch published in mid-May this year and warned, in a security advisory, of ongoing attacks.
“We are aware of a very limited number of customers whose solution was exploited at the time of disclosure,” the company said at the time. To fix the problem, users must install Ivanti Endpoint Manager Mobile 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1.
Initially, Ivanti thought that the problem only affected on-prem EPMM products. “It is not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti product,” the company said. “We urge all customers using the on-prem EPMM product to quickly install the fix.”
Meanwhile, CISA has added the two bugs to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch (FCEB) agencies a deadline to patch. No threat actor has claimed responsibility for any of the attacks so far.
Via The Register