Ivanti Fixes EPMM Zero-Days Chained in Code Execution Attacks

On May 15, 2025, Ivanti disclosed that its Endpoint Manager Mobile (EPMM)—formerly known as MobileIron Core—is vulnerable to two chained zero-day vulnerabilities actively exploited in the wild. These vulnerabilities allow unauthenticated remote code execution and have been observed in limited attacks. The flaws specifically affect on-premises deployments of EPMM, not cloud-based services such as Ivanti Neurons for MDM.

Severity Level: High

VULNERABILITY OVERVIEW:

  1. Ivanti disclosed two severe vulnerabilities, CVE-2025-4427 and CVE-2025-4428, affecting its Endpoint Manager Mobile (EPMM) products.
  2. Vulnerability Details:
    • CVE-2025-4427 (CVSS Score: 5.3) – Allows an attacker to bypass authentication controls in the API component of EPMM.
    • CVE-2025-4428 (CVSS Score: 7.2) – Enables execution of arbitrary code via specially crafted requests sent to exposed API endpoints.
  3. Affected products: Ivanti EPMM versions – 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, 12.5.0.0 and prior
  4. Root Cause:
    • The vulnerabilities are believed to originate from two open-source libraries embedded within the EPMM codebase, though Ivanti has not disclosed the specific libraries involved.
    • Improper input validation and session management within EPMM’s API endpoints likely contributed to the bypass and RCE conditions.
    • A lack of robust API access controls and request sanitization allowed attackers to forge requests that evaded standard authentication workflows and escalated privileges to code execution.
  5. Exploitation:
    • The attacker targets publicly exposed EPMM instances and uses CVE-2025-4427 to bypass authentication and gain access to restricted API functions.
    • The attacker then leverages CVE-2025-4428 to craft API calls that inject and execute malicious code on the system.
    • No authentication or session tokens are required, which makes the chain well suited to automation in mass attacks.

DATA STOLEN DURING THE BREACH:

  • According to the latest update on the M&S website, the following data might have been stolen during the breach: customers' full name, email address, home address, phone number, date of birth, online order history, household information, Sparks Pay reference numbers, and "masked" payment card details.

LESSONS LEARNED:

  • Lack of Adequate Network Segmentation: The attackers’ ability to gain access to the NTDS.dit file and laterally spread within the network suggests a failure in adequately segmenting critical systems and sensitive data. This allowed attackers to escalate privileges and move across the network undetected.
  • Inadequate Credential Protection: The exposure of password hashes from the NTDS.dit file highlights a significant issue with the storage and management of credentials, potentially indicating weaknesses in password management or insufficient security measures, like multi-factor authentication (MFA), for critical systems.
  • Delayed Detection: The fact that the breach went undetected for several months indicates potential gaps in M&S’s threat detection capabilities and incident response protocols.

MITIGATION:

  • Ivanti states that customers can mitigate the threat by following best-practice guidance and filtering access to the API using either the built-in Portal ACLs functionality or an external WAF. Additional information on using the Portal ACLs functionality is available from Ivanti.
  • Additionally, Ivanti provides an RPM file if customers need an alternative option. Customers will need to open a Support Case to receive the RPM file.

Recommendations:

  1. Apply the official patches released by Ivanti for both CVE-2025-4427 and CVE-2025-4428 immediately.
  2. Fixed versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1
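The affected and fixed versions above map onto four release branches, and the "and prior" wording means older branches are affected too. The following is an added example (not code from Ivanti or from this advisory's author) that turns that table into an inventory check: given a hostname-to-version mapping (the hostnames and versions in the sample inventory are constructed), it reports which EPMM instances are still on a vulnerable build and which fixed version they should move to. Versions on branches not named in the advisory are treated as vulnerable if they are older than 12.5.0.0, and flagged as not covered if they are newer.

```python
"""Assess Ivanti EPMM versions against the CVE-2025-4427 / CVE-2025-4428 fix list.

Added example for asset-inventory checks; the version table comes from the
advisory text, everything else (function names, sample hosts) is assumed.
"""

# (last affected version, first fixed version) per release branch, per the advisory.
EPMM_FIX_TABLE = {
    (11, 12): ("11.12.0.4", "11.12.0.5"),
    (12, 3): ("12.3.0.1", "12.3.0.2"),
    (12, 4): ("12.4.0.1", "12.4.0.2"),
    (12, 5): ("12.5.0.0", "12.5.0.1"),
}


def parse_version(text):
    """'12.4.0.1' -> (12, 4, 0, 1). Rejects anything that is not dotted integers."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def format_version(v):
    """(12, 4, 0, 2) -> '12.4.0.2'."""
    return ".".join(str(x) for x in v)


def assess(version):
    """Return {'version', 'status', 'upgrade_to'} for one EPMM version string.

    status is 'vulnerable', 'fixed' or 'not_covered' (newer than the advisory lists).
    """
    v = parse_version(version)
    branch = v[:2]

    if branch in EPMM_FIX_TABLE:
        last_affected, first_fixed = EPMM_FIX_TABLE[branch]
        if v <= parse_version(last_affected):
            return {"version": version, "status": "vulnerable", "upgrade_to": first_fixed}
        return {"version": version, "status": "fixed", "upgrade_to": None}

    # Branch not named in the advisory. "X and prior" covers older branches, so
    # anything at or below the newest affected build counts as vulnerable, and the
    # nearest fixed build above it is the upgrade target.
    newest_affected = max(parse_version(a) for a, _ in EPMM_FIX_TABLE.values())
    if v <= newest_affected:
        candidates = sorted(
            parse_version(f) for _, f in EPMM_FIX_TABLE.values() if parse_version(f) > v
        )
        return {
            "version": version,
            "status": "vulnerable",
            "upgrade_to": format_version(candidates[0]),
        }

    # Newer than anything the advisory lists: confirm against current vendor guidance.
    return {"version": version, "status": "not_covered", "upgrade_to": None}


def needs_patching(inventory):
    """Given {hostname: version}, return {hostname: fixed_version} for vulnerable hosts."""
    result = {}
    for host, version in inventory.items():
        report = assess(version)
        if report["status"] == "vulnerable":
            result[host] = report["upgrade_to"]
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = {
        "epmm-prod-01.example.internal": "12.4.0.1",
        "epmm-prod-02.example.internal": "12.5.0.1",
        "epmm-legacy.example.internal": "11.10.0.3",
        "epmm-lab.example.internal": "12.6.0.0",
    }
    for host, target in needs_patching(sample_inventory).items():
        print(f"{host}: upgrade to {target}")
    for host, version in sample_inventory.items():
        print(host, assess(version)["status"])
```

The check is deliberately conservative: an unrecognised older branch is reported as vulnerable rather than skipped, because the advisory's "and prior" wording covers it, and a version newer than 12.5.0.0 is surfaced as "not_covered" so it is reviewed rather than silently assumed safe.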

Source:

  • https://www.bleepingcomputer.com/news/security/ivanti-fixes-epmm-zero-days-chained-in-code-execution-attacks/
  • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

Ampcus Cyber