Shane

Ivanti EPMM Flaws: Chained Zero-Days Enable Remote Code Execution

CinchOps Houston Business Critical Alert: Ivanti EPMM Zero-Days Allow Unauthorized System Control

Ivanti has released critical security patches for their Endpoint Manager Mobile (EPMM) product, addressing two severe vulnerabilities that, when chained together, allow attackers to execute code remotely without authentication. These vulnerabilities are actively being exploited in the wild, posing an immediate risk to organizations using on-premises EPMM installations.

The Vulnerabilities Explained

Security researchers have identified two critical flaws in Ivanti EPMM (formerly known as MobileIron Core):

  1. CVE-2025-4427: An authentication bypass vulnerability in EPMM’s API component with a CVSS score of 5.3 (Medium). This flaw allows attackers to access protected resources without proper authentication credentials.
  2. CVE-2025-4428: A remote code execution (RCE) vulnerability with a CVSS score of 7.2 (High). This vulnerability enables attackers to execute arbitrary code on targeted systems through maliciously crafted API requests.

When combined, these vulnerabilities create a perfect storm – allowing unauthenticated attackers to first bypass security controls and then execute malicious code with elevated privileges.

Severity Assessment

These vulnerabilities pose a significant threat to organizations running on-premises EPMM installations. Ivanti has confirmed that the flaws are actively being exploited, though they report only “a very limited number of customers” have been affected so far.

The European Union’s cybersecurity service, CERT-EU, has flagged these vulnerabilities, suggesting potential targeting of government entities. The flaws stem from vulnerabilities in open-source libraries integrated into the EPMM product, making them particularly concerning for organizations with internet-facing EPMM instances.

Threat Actors Behind the Exploits

While definitive attribution remains challenging, the sophisticated nature of these attacks suggests the involvement of advanced threat actors. The targeting profile and technical complexity required to chain these vulnerabilities point toward potential nation-state involvement or advanced persistent threat (APT) groups.

This isn’t Ivanti’s first encounter with such threats. In 2023, two zero-day vulnerabilities in EPMM (CVE-2023-35078 and CVE-2023-35081) were exploited against Norwegian government ministries. More recently, in early 2025, Chinese-linked threat actors exploited a zero-day vulnerability (CVE-2025-22457) in Ivanti Connect Secure VPN appliances.

Organizations at Risk

The following on-premises Ivanti EPMM versions are vulnerable:

  • 11.12.0.4 and earlier
  • 12.3.0.1 and earlier
  • 12.4.0.1 and earlier
  • 12.5.0.0 and earlier

Organizations with internet-facing EPMM instances face the highest risk. Notably, Ivanti’s cloud-based products – including Neurons for MDM, Sentry, and others – are NOT affected by these vulnerabilities.

Remediation Steps

To protect your systems from these exploits, take the following actions immediately:

  1. Update to the latest patched version:
    • 11.12.0.5
    • 12.3.0.2
    • 12.4.0.2
    • 12.5.0.1
  2. If immediate patching isn’t possible, implement these mitigations:
    • Filter API access using Portal ACLs
    • Deploy an external Web Application Firewall (WAF)
    • For supported versions (12.3, 12.4, 12.5), apply the RPM file available through Ivanti support
  3. Monitor for signs of compromise, including:
    • Unusual API access patterns
    • Unexpected file modifications
    • Creation of new administrative accounts
    • Suspicious outbound network connections
  4. Restrict external access to EPMM instances to only trusted IP addresses
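As an added example (not code from Ivanti or from the original post), the following Python classifies an on-premises EPMM version string against the affected and fixed builds listed above, so an inventory script can report whether a host still needs the update and which build to move to. The `assess` interface is this example's own; it also assumes that "and earlier" covers unlisted intermediate branches such as 12.1.x.

```python
"""Classify an on-premises Ivanti EPMM version against the affected and
fixed builds from the advisory for CVE-2025-4427 / CVE-2025-4428."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# (last affected build, first fixed build) per branch, ascending.
# "and earlier" is read as: every build below a branch's last affected
# build is affected, including unlisted branches such as 12.1.x
# (an assumption of this example, not a statement from the advisory).
FIX_TABLE = [
    ((11, 12, 0, 4), (11, 12, 0, 5)),
    ((12, 3, 0, 1), (12, 3, 0, 2)),
    ((12, 4, 0, 1), (12, 4, 0, 2)),
    ((12, 5, 0, 0), (12, 5, 0, 1)),
]


def parse_version(text: str) -> Version:
    """'12.4.0.1' -> (12, 4, 0, 1); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


def assess(version_text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_build): 'vulnerable' (upgrade to the
    recommended build), 'patched' (at or above a listed fixed build), or
    'unlisted' (newer than the advisory covers; confirm with Ivanti)."""
    v = parse_version(version_text)
    for last_affected, first_fixed in FIX_TABLE:
        if v <= last_affected:
            # Covered by this branch's "and earlier" range.
            return "vulnerable", fmt(first_fixed)
        if v[:2] == first_fixed[:2]:
            return "patched", None
    return "unlisted", None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("mdm-01", "12.4.0.1"), ("mdm-02", "12.5.0.1"),
                      ("mdm-03", "12.1.0.0")]:
        print(host, ver, *assess(ver))
```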

This incident comes during a busy month for security updates. Microsoft’s May 2025 Patch Tuesday addressed 83 vulnerabilities, including five actively exploited zero-days affecting Windows components. This highlights the ongoing trend of sophisticated attacks targeting enterprise management software due to their privileged access to corporate networks and data.

How CinchOps Can Help Secure Your Business

In today’s complex threat environment, small and medium businesses need expert guidance to navigate cybersecurity challenges. CinchOps provides comprehensive managed IT services to protect your organization:

  1. Proactive Security Monitoring: Our team continuously watches your systems for suspicious activity, ensuring early detection of potential threats before they become major breaches.
  2. Vulnerability Management: We implement structured patching programs to ensure critical security updates are applied promptly across your environment.
  3. Zero-Trust Implementation: We help you implement zero-trust architecture principles to minimize the impact of potential breaches and contain lateral movement.
  4. Secure Mobile Device Management: We set up and maintain secure MDM solutions that protect your data while enabling productivity for your mobile workforce.
  5. Incident Response Planning: We help you develop and test incident response plans so you’re prepared if a breach occurs, minimizing downtime and data loss.

Don’t wait until your business becomes a victim. Contact CinchOps today for a comprehensive security assessment and discover how our managed IT support near you can help protect your business from evolving cyber threats.

Stay secure, stay vigilant.


Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Microsoft May 2025 Patch Tuesday: Addresses 5 Actively Exploited Critical Zero-Days
For Additional Information on this topic: Ivanti fixes EPMM zero-days chained in code execution attacks
