Skip to main content

Active Exploitation of Zero-Day Vulnerabilities in Ivanti Endpoint Manager Mobile

Ivanti has addressed two exploited vulnerabilities that, when chained, could lead to unauthenticated remote code execution

Threat ID:
CC-4655
Threat Severity:
High
Published:
14 May 2025 11:08 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Ivanti has addressed two exploited vulnerabilities that, when chained, could lead to unauthenticated remote code execution

Threat details

Exploitation of CVE-2025-4427 and CVE-2025-4428 Affecting NHS Organisations

Ivanti has observed exploitation of CVE-2025-4427 and CVE-2025-4428 in the wild. The NHS England National Cyber Security Operations Centre assesses further exploitation as highly likely.

Update - There have been several public reports of broad exploitation of these vulnerabilities targeting multiple industrial sectors across multiple countries.

NHS England National CSOC is aware of reports that two NHS trusts have been impacted by exploitation of CVE-2025-4427 and CVE-2025-4428. CSOC teams are working with the affected organisations to investigate and offer support. These are active investigations and updates will be provided when new or relevant information becomes available.

Introduction

Ivanti has released a security advisory addressing two vulnerabilities affecting Endpoint Manager Mobile (EPMM). Ivanti EPMM provides an all-in-one solution for managing mobile, macOS and Windows devices within a network.

Ivanti has observed exploitation of the two vulnerabilities in the wild.

Vulnerability Details

  • CVE-2025-4427 is an 'authentication bypass' vulnerability with a CVSSv3 score of 5.3. If exploited, an unauthenticated attacker could gain access to protected resources. 
  • CVE-2025-4428 is a 'remote code execution' vulnerability with a CVSSv3 score of 7.3. If exploited an authenticated attacker could execute arbitrary code via crafted API requests.

When chained together, successful exploitation of CVE-2025-4427 and CVE-2025-4428 could lead to unauthenticated remote code execution

Threat updates

Date Update
28 May 2025 Updated Exploitation Details

Additional information added surrounding exploitation of CVE-2025-4427 and CVE-2025-4428

Remediation advice

Affected organisations must review the Ivanti Security Advisory and apply the relevant updates as soon as practicable. 

Note: Organisations must apply the relevant security update before marking this high severity Cyber Alert as complete.

Remediation steps

Type Step
Patch

Version 11.12

Update to version 11.12.0.5 or later


https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US&_gl=1*ptic1h*_gcl_au*MTU2MDIyNzU2Mi4xNzQ0MTgyMTcy
Patch

Version 12.3

Update to version 12.3.0.2 or later


https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US&_gl=1*ptic1h*_gcl_au*MTU2MDIyNzU2Mi4xNzQ0MTgyMTcy
Patch

Version 12.4

Update to version 12.4.0.2 or later


https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US&_gl=1*ptic1h*_gcl_au*MTU2MDIyNzU2Mi4xNzQ0MTgyMTcy
Patch

Version 12.5

Update to version 12.5.0.1 or later


https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US&_gl=1*ptic1h*_gcl_au*MTU2MDIyNzU2Mi4xNzQ0MTgyMTcy
Guidance

If you suspect your organisation may have been compromised, please immediately contact the NHS England National CSOC by calling 0300 303 5222 or email [email protected].

Additionally, please reach out to Ivanti's Support Team for further guidance.


https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

Last edited: 28 May 2025 6:12 pm