Cybersecurity firm Wiz says threat actors are actively exploiting two recently patched Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities in the wild.
Tracked as CVE-2025-4427 and CVE-2025-4428, the flaws are described as an authentication bypass and a post-authentication remote code execution (RCE) issue, and have been assessed with ‘medium severity’ ratings. They were found in two open source libraries integrated into EPMM.
Ivanti released fixes for both bugs on May 13, warning of zero-day exploitation against a limited number of customers and noting that the risk of compromise is significantly reduced if the ACL functionality in the portal or an external web application firewall (WAF) is used to filter access to the API.
The authentication bypass, Wiz explains, exists because EPMM’s route configuration is incomplete: certain routes are not covered by any rule in the Spring framework’s security configuration, so requests to them are served without authentication.
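The following is an added illustration of that bug class in a Spring Security configuration; it is not Ivanti’s code and the route names are hypothetical. It assumes a Spring Security 5.x-style `authorizeRequests()` setup, where a request that matches none of the configured rules is treated as public and is never checked, so any route missing from the rule list is exposed exactly as the paragraph above describes. The hardened variant closes the default with a catch-all rule so that a forgotten route fails closed.

```java
// Added example (not EPMM code). Assumes Spring Security 5.4-5.8 APIs:
// authorizeRequests() and antMatchers(). The URL patterns are hypothetical.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiSecurityConfig {

    // WEAK (left as a plain method so it is not registered as a bean):
    // the rules enumerate what must be protected. In authorizeRequests(),
    // a request matching none of the rules reaches its handler with no
    // authentication check at all, so every route missing from this list
    // (a new /api/v2/... endpoint, a forgotten internal controller) is
    // reachable without credentials.
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .antMatchers("/api/v1/admin/**").hasRole("ADMIN")
                .antMatchers("/api/v1/devices/**").authenticated());
        return http.build();
    }

    // HARDENED: allowlist the few routes that must be public, then close the
    // default with anyRequest().authenticated(). A route nobody wrote a rule
    // for now answers 401/403 instead of being served anonymously.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .antMatchers("/login", "/actuator/health").permitAll()
                .antMatchers("/api/v1/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated());
        return http.build();
    }
}
```

A quick check for either configuration is to request an endpoint that appears in no matcher, with no credentials: the hardened chain answers 401 or 403, the weak one returns the handler’s normal response. Note that the newer `authorizeHttpRequests()` API in Spring Security 6 denies requests that match no rule, so migrating to it is itself a hardening step, but a deny-by-default `anyRequest()` rule remains the explicit guard.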
The RCE bug exists because user-supplied input that is reflected into an error message is evaluated rather than treated as plain text when the message is processed by a Spring function, so an attacker who supplies a crafted format parameter can execute arbitrary Java code.
According to Wiz, while each of the two security defects is a medium-severity vulnerability, their combination should be treated as a critical security risk.
“These flaws, which stem from unsafe use of Java Expression Language in error messages and misconfigured routing, can be exploited together to achieve unauthenticated RCE,” Wiz notes.
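The following is an added illustration of the error-message bug class Wiz describes, not Ivanti’s or Wiz’s code: a Bean Validation constraint whose validator concatenates the rejected value into the violation message template, beside a hardened version that passes the value as a message parameter and a validator factory that never evaluates expressions at all. The `format` field, the constraint names and the allowed-value list are hypothetical; the code assumes Hibernate Validator with the `jakarta.validation` API. Whether the unsafe path actually evaluates the probe depends on the Hibernate Validator release: versions before 6.2 evaluated `${...}` in custom templates by default, while 6.2 and later disable it unless `enableExpressionLanguage()` is called.

```java
// Added example (not EPMM code). Assumes Hibernate Validator on the
// jakarta.validation API; constraint names and the "format" field are hypothetical.
import jakarta.validation.Constraint;
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.ConstraintViolation;
import jakarta.validation.Payload;
import jakarta.validation.Validation;
import jakarta.validation.Validator;
import org.hibernate.validator.constraintvalidation.HibernateConstraintValidatorContext;
import org.hibernate.validator.messageinterpolation.ParameterMessageInterpolator;

import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Set;

public class FormatParamDemo {

    static final Set<String> ALLOWED = Set.of("json", "csv");

    @Constraint(validatedBy = UnsafeFormatValidator.class)
    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    public @interface UnsafeFormat {
        String message() default "unsupported format";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    @Constraint(validatedBy = SafeFormatValidator.class)
    @Target(ElementType.FIELD) @Retention(RetentionPolicy.RUNTIME)
    public @interface SafeFormat {
        String message() default "unsupported format";
        Class<?>[] groups() default {};
        Class<? extends Payload>[] payload() default {};
    }

    // VULNERABLE pattern: the rejected user value becomes part of the message
    // *template*, so an interpolator with EL enabled evaluates any ${...} in it.
    public static class UnsafeFormatValidator implements ConstraintValidator<UnsafeFormat, String> {
        @Override
        public boolean isValid(String v, ConstraintValidatorContext ctx) {
            if (v == null || ALLOWED.contains(v)) return true;
            ctx.disableDefaultConstraintViolation();
            ctx.buildConstraintViolationWithTemplate("Unsupported format: " + v)
               .addConstraintViolation();
            return false;
        }
    }

    // HARDENED: the template stays a constant; the value travels as a message
    // parameter, which is substituted as data rather than parsed as template text.
    public static class SafeFormatValidator implements ConstraintValidator<SafeFormat, String> {
        @Override
        public boolean isValid(String v, ConstraintValidatorContext ctx) {
            if (v == null || ALLOWED.contains(v)) return true;
            HibernateConstraintValidatorContext h = ctx.unwrap(HibernateConstraintValidatorContext.class);
            h.disableDefaultConstraintViolation();
            h.addMessageParameter("fmt", v)
             .buildConstraintViolationWithTemplate("Unsupported format: {fmt}")
             .addConstraintViolation();
            return false;
        }
    }

    public static class UnsafeRequest { @UnsafeFormat public String format; UnsafeRequest(String f) { format = f; } }
    public static class SafeRequest { @SafeFormat public String format; SafeRequest(String f) { format = f; } }

    public static void main(String[] args) {
        // Constructed probe: a harmless arithmetic expression. If the reported
        // message contains "14" instead of the literal "${7*2}", the template
        // was evaluated and the same sink would run attacker-chosen Java.
        String probe = "${7*2}";

        Validator defaultValidator = Validation.buildDefaultValidatorFactory().getValidator();
        report("unsafe, default interpolator", defaultValidator.validate(new UnsafeRequest(probe)));
        report("safe,   default interpolator", defaultValidator.validate(new SafeRequest(probe)));

        // Belt and braces: an interpolator that resolves {params} but never ${EL},
        // so even the unsafe validator cannot be driven into expression evaluation.
        Validator noElValidator = Validation.byDefaultProvider().configure()
                .messageInterpolator(new ParameterMessageInterpolator())
                .buildValidatorFactory().getValidator();
        report("unsafe, no-EL interpolator", noElValidator.validate(new UnsafeRequest(probe)));
    }

    static void report(String label, Set<? extends ConstraintViolation<?>> violations) {
        for (ConstraintViolation<?> cv : violations) {
            System.out.println(label + " -> " + cv.getMessage());
        }
    }
}
```

The practical rule the example encodes: anything an attacker controls must never reach a message template, a format string or an expression evaluator as code; pass it as a parameter, and where the framework allows it, turn expression evaluation off for messages that are built at runtime.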
The cybersecurity firm says it has observed ongoing in-the-wild exploitation of these flaws since May 16, after proof-of-concept (PoC) exploit code was published.
Wiz identified multiple payloads deployed as part of the observed attacks, including a Sliver beacon connecting to a command-and-control (C&C) IP address previously linked to the exploitation of other vulnerable appliances, including Palo Alto Networks products running PAN-OS.
“It appears that this IP address is still in operation by the threat actor, as its certificate hasn’t changed since November 2024. This continuity leads us to conclude that the same actor has been opportunistically targeting both PAN-OS and Ivanti EPMM appliances,” Wiz says.
Organizations are advised to update their Ivanti EPMM deployments to one of the patched versions, which include 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1.
Related: Fortinet Patches Zero-Day Exploited Against FortiVoice Appliances
Related: SAP Patches Another Exploited NetWeaver Vulnerability
Related: Output Messenger Zero-Day Exploited by Turkish Hackers for Iraq Spying
Related: Second OttoKit Vulnerability Exploited to Hack WordPress Sites
