Ivanti patches two zero-days that could lead to RCE in Endpoint Manager Mobile
A patch and a workaround are available, but Ivanti urges users to patch up.

- Ivanti patched two flaws being chained to mount RCE attacks
- A "limited number" of companies were allegedly compromised
- Only on-prem products are affected
Ivanti has released a patch for two vulnerabilities in its Endpoint Manager Mobile (EPMM) software that are allegedly being chained in remote code execution (RCE) attacks in the wild.
The vulnerabilities are tracked as CVE-2025-4427 and CVE-2025-4428. The former is an authentication bypass in EPMM’s API, allowing threat actors to access protected resources. It was assigned a medium-severity score of 5.3.
The latter is an RCE vulnerability exploited through maliciously crafted API requests. This one was given a high severity score (7.2/10).
Updating the tools
Ivanti says it has seen the flaws abused in attacks: "When chained together, successful exploitation could lead to unauthenticated remote code execution," the company said in a security advisory. "We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure."
To address the issue, users should install Ivanti Endpoint Manager Mobile 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.
"The issue only affects the on-prem EPMM product. It is not present in Ivanti Neurons for MDM, Ivanti's cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products," the company further explained. "We urge all customers using the on-prem EPMM product to promptly install the patch."
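For teams tracking several on-prem EPMM servers, the fixed releases listed above can be turned into a quick inventory triage. This is an added example, not Ivanti's or the article's code; the hostnames and version strings are constructed, and the branch-handling rules are assumptions marked in the comments.

```python
import re

# Fixed releases as listed in the article.
FIXED_RELEASES = ["11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1"]
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_RELEASES}


def triage(version_text):
    """Classify one reported EPMM version string."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        # Assumption: within a branch, builds at or above the fixed release carry the patch.
        return "patched" if v >= fixed else "needs-update"
    if v[:2] > max(FIXED_BY_BRANCH):
        return "review"  # newer branch than the article covers; check the advisory
    # Assumption: a branch with no listed fix has to move to one of the fixed releases.
    return "needs-update"


def triage_inventory(inventory):
    """Map hostname -> status for a {hostname: version string} inventory."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = {
    "epmm-de-01": "12.5.0.0",
    "epmm-us-01": "12.4.0.2",
    "epmm-us-02": "11.12.0.4 Build 32",
    "epmm-lab": "12.2.1.0",
    "epmm-new": "12.6.0.0",
    "epmm-unknown": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:14} {SAMPLE[host]:20} {status}")
```

Hosts reported as "needs-update" that cannot be patched immediately are the ones to put behind the API access filtering described below.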
Ivanti’s EPMM software is a popular solution across different industries, including healthcare, education, logistics, manufacturing, and government. According to The Shadowserver, there are hundreds of exposed instances at the moment, mostly in Germany (992), but with a significant number in the United States (418) as well.
Those that cannot apply the patch at this time can implement workarounds. Ivanti said these users should follow best-practice guidance or filter access to the API using either the built-in Portal ACLs functionality or an external WAF. More details on using the portal’s ACL functionality can be found here.
Via BleepingComputer