Ivanti Patches EPMM Vulnerabilities Exploited for Remote Code Execution in Limited Attacks


May 14, 2025 | Ravie Lakshmanan | Vulnerability / Endpoint Security

Ivanti has released security updates to address two security flaws in Endpoint Manager Mobile (EPMM) software that have been chained in attacks to achieve remote code execution.

The vulnerabilities in question are listed below –

  • CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass in Ivanti Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials
  • CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability in Ivanti Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system

An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication.


The shortcomings impact the following versions of the product –

  • 11.12.0.4 and prior (Fixed in 11.12.0.5)
  • 12.3.0.1 and prior (Fixed in 12.3.0.2)
  • 12.4.0.1 and prior (Fixed in 12.4.0.2)
  • 12.5.0.0 and prior (Fixed in 12.5.0.1)

Ivanti, which credited CERT-EU for reporting the issues, said it is "aware of a very limited number of customers who have been exploited at the time of disclosure" and that the vulnerabilities are "associated with two open-source libraries integrated into EPMM."

The company, however, did not disclose the names of the impacted libraries. It is also not known what other software applications relying on the two libraries could be affected. Furthermore, the company said it is still investigating the cases, and that it does not yet have reliable indicators of compromise associated with the malicious activity.

"The risk to customers is significantly reduced if they already filter access to the API using either the built-in Portal ACLs functionality or an external web application firewall," Ivanti noted.

"The issue only impacts the on-prem EPMM product. It is not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products."
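Two checks follow from the advisory text above: whether a given EPMM build falls in one of the listed affected ranges, and which requests to the EPMM admin REST API arrive from an address outside the set that the Portal ACLs (or a WAF in front of the appliance) should already be limiting it to. The script below is an added example written for this article, not Ivanti or watchTowr code; the allow-list, the log lines and the `/mifs/admin/rest/api/` prefix used as the "admin API" boundary are assumptions constructed for the example.

```python
"""Added example: EPMM version triage and a hunt for admin-API requests
from outside an allow-list. Allow-list and log lines are constructed."""
import ipaddress
import re

# Affected branches and the build that fixes each, as listed in the advisory.
FIXED_BUILDS = {
    (11, 12, 0): (11, 12, 0, 5),
    (12, 3, 0): (12, 3, 0, 2),
    (12, 4, 0): (12, 4, 0, 2),
    (12, 5, 0): (12, 5, 0, 1),
}


def parse_version(text):
    """'12.4.0.1' -> (12, 4, 0, 1); tuples compare element by element."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """True if the build is in a listed branch and older than its fix,
    False if it is at or past the fix, None if the branch is not listed
    (the advisory says nothing about it, so do not guess)."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[:3])
    if fixed is None:
        return None
    return parsed < fixed


# Hypothetical: the only network that should ever reach the admin API.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption for this example: everything under this prefix is admin API.
ADMIN_API_PREFIX = "/mifs/admin/rest/api/"
# Combined-log-format line: src ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_unexpected_api_access(log_lines, allowed_nets=ALLOWED_NETS):
    """Return admin-API requests whose source is outside allowed_nets.
    Ivanti's advice is to filter this surface; any hit here is a request
    that such a filter should have blocked and is worth a closer look."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not an access-log line we understand
        src, when, method, path, status = match.groups()
        if not path.startswith(ADMIN_API_PREFIX):
            continue
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in allowed_nets):
            continue
        hits.append({"src": src, "time": when, "method": method,
                     "path": path, "status": int(status)})
    return hits


# Constructed sample log: one expected admin request, one from the
# Internet against the endpoint watchTowr named, one unrelated login page.
SAMPLE_LOG = [
    '10.0.5.20 - - [14/May/2025:09:12:01 +0000] '
    '"GET /mifs/admin/rest/api/v2/featureusage HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/May/2025:09:13:44 +0000] '
    '"GET /mifs/admin/rest/api/v2/featureusage HTTP/1.1" 200 512',
    '198.51.100.9 - - [14/May/2025:09:14:02 +0000] '
    '"GET /mifs/user/login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for build in ("11.12.0.4", "12.4.0.2", "12.5.0.0", "12.6.0.0"):
        print(build, "affected:", is_affected(build))
    for hit in find_unexpected_api_access(SAMPLE_LOG):
        print("unexpected admin API access:", hit)
```

The version check deliberately returns `None` for branches the advisory does not name rather than extrapolating "and prior" across branches; treat that result as "check with the vendor", not "safe". The log hunt is a coarse filter: it finds requests a correctly configured ACL or WAF should have dropped, which is also a quick way to verify that the mitigation Ivanti recommends is actually in effect.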


Separately, Ivanti has also shipped patches to contain an authentication bypass flaw in on-premise versions of Neurons for ITSM (CVE-2025-22462, CVSS score: 9.8) that could allow a remote unauthenticated attacker to gain administrative access to the system. There is no evidence that the security defect has been exploited in the wild.

With zero-days in Ivanti appliances becoming a lightning rod for threat actors in recent years, it is essential that users move quickly to update their instances to the latest versions for optimal protection.

Update

watchTowr Labs has released a proof-of-concept (PoC) for the Ivanti EPMM exploit chain that combines CVE-2025-4427 and CVE-2025-4428 to achieve unauthenticated remote code execution.

The cybersecurity company noted that, while a third-party library called "hibernate-validator" has been updated from version 6.0.22 to 6.2.5, it found that it was able to successfully execute arbitrary commands by sending a specially crafted HTTP GET request to "/mifs/admin/rest/api/v2/featureusage."

It also pointed out that CVE-2025-4427 is not really an authentication bypass, but more of an order of operations vulnerability, which occurs when logic flaws exist in the order in which security boundaries are applied in code. "Is this really a vulnerability in a third-party library, or incorrect and dangerous usage of known-scary functionality?" security researcher Piotr Bazydlo posed.
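The "order of operations" class watchTowr describes is easiest to see in a stripped-down handler: the vulnerable ordering hands request input to a third-party routine before the authentication check has run, so an unauthenticated caller still gets library code executed on their data even though the request is ultimately rejected. The code below is an added, generic illustration written for this article; the handler, the stand-in "library" routine, the session token and the request shape are all constructed and are not EPMM or hibernate-validator code.

```python
"""Added example: the same handler with validation-before-auth (flawed)
and auth-before-validation (fixed). Everything here is constructed."""
from dataclasses import dataclass, field
from typing import Optional


class Unauthenticated(Exception):
    pass


class BadRequest(Exception):
    pass


@dataclass
class Request:
    path: str
    params: dict
    session_token: Optional[str] = None


@dataclass
class LibraryCalls:
    """Records every piece of untrusted input the library was handed."""
    seen: list = field(default_factory=list)


def library_validate(value, calls):
    """Stand-in for a third-party validator. Whatever it does with `value`
    runs with the caller's privileges, so reaching it is itself an event
    worth counting, independent of whether the request later fails."""
    calls.seen.append(value)
    if not value:
        raise BadRequest("missing parameter")
    return value


def is_authenticated(req):
    return req.session_token == "valid-admin-session"  # hypothetical token


def handle_vulnerable(req, calls):
    """Flawed order: input reaches library code, then the auth check runs."""
    value = library_validate(req.params.get("q"), calls)
    if not is_authenticated(req):
        raise Unauthenticated()
    return f"ok:{value}"


def handle_fixed(req, calls):
    """Correct order: establish the security boundary before touching input."""
    if not is_authenticated(req):
        raise Unauthenticated()
    value = library_validate(req.params.get("q"), calls)
    return f"ok:{value}"


def probe(handler):
    """Send one unauthenticated request; report the outcome and how many
    times library code ran on the attacker's input before the decision."""
    calls = LibraryCalls()
    req = Request(path="/api/v2/example", params={"q": "attacker-data"})
    try:
        handler(req, calls)
        outcome = "allowed"
    except Unauthenticated:
        outcome = "rejected"
    return outcome, len(calls.seen)


if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        outcome, library_runs = probe(handler)
        print(f"{name}: request {outcome}, library ran on input {library_runs} time(s)")
```

Both handlers return the same HTTP-level answer to an unauthenticated caller, which is why this pattern survives black-box testing that only looks at status codes. The difference is the side channel `probe` exposes: in the flawed ordering the library has already processed attacker-controlled input by the time the request is refused. Any routine that does more than compare bytes (parsers, template or message interpolators, deserializers) must sit behind the authentication check, not in front of it.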
