Ivanti patches two zero-days that could lead to RCE in Endpoint Manager Mobile
- Ivanti patched two flaws being chained to mount RCE attacks
- A “limited number” of companies were allegedly compromised
- Only on-prem products are affected
Ivanti has released a patch for two vulnerabilities in its Endpoint Manager Mobile (EPMM) software, that’s allegedly being chained in remote code execution (RCE) attacks in the wild.
The vulnerabilities are tracked as CVE-2025-4427, and CVE-2025-4428. The former is an authentication bypass in EPMM’s API, allowing threat actors to access protected resources. It was assigned a medium-severity score of 5.3.
The latter is an RCE vulnerability exploited through maliciously crafted API requests. This one was given a high severity score (7.2/10).
Ivanti says it’s seen it abused in attacks: “When chained together, successful exploitation could lead to unauthenticated remote code execution,” the company said in a security advisory. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure.”
To address the issue, users should install Ivanti Endpoint Manager Mobile 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.
“The issue only affects the on-prem EPMM product. It is not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products,” the company further explained. “We urge all customers using the on-prem EPMM product to promptly install the patch.”
Ivanti’s EPMM software is a popular solution across different industries, including healthcare, education, logistics, manufacturing, and government. According to The Shadowserver, there are hundreds of exposed instances at the moment, mostly in Germany (992), but with a significant number in the United States (418), as well.
Those that cannot apply the patch at this time can implement different workarounds. Ivanti said these users should follow best practice guidance or filtering access to the API using either the built-in Portal ACL’s functionality, or an external WAF. More details on using the portal’s ACL functionality can be found here.
Via BleepingComputer