Ivanti has released security patches to address two vulnerabilities in its Endpoint Manager Mobile (EPMM) software, which were being actively exploited in limited attacks. These vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, have the potential to allow attackers to execute remote code on vulnerable systems, posing a severe risk to organizations using the software.
The two vulnerabilities in question have been categorized as follows:
- CVE-2025-4427 (CVSS score: 5.3) – This vulnerability represents an authentication bypass in Ivanti Endpoint Manager Mobile. It enables attackers to access protected resources without proper credentials, thus bypassing authentication mechanisms.
- CVE-2025-4428 (CVSS score: 7.2) – This critical flaw allows attackers to execute arbitrary code on the targeted system remotely, granting them the ability to gain control of the system.
When exploited together, these vulnerabilities enable an attacker to gain remote code execution without needing to authenticate, thereby gaining full control over affected systems. Ivanti’s security advisory issued in May 2025 highlighted the potential severity of the vulnerabilities.
CVE-2025-4427 and CVE-2025-4428: Affected Versions and Resolved Versions
The vulnerabilities are present in several versions of Ivanti Endpoint Manager Mobile (EPMM). Specifically, the flaws are found in versions 11.12.0.4 and earlier, including all 12.3.0.1, 12.4.0.1, and 12.5.0.0 versions of EPMM. Ivanti has responded with patches to address these security gaps, with the fixed versions being:
- 11.12.0.5
- 12.3.0.2
- 12.4.0.2
- 12.5.0.1
Organizations using these affected versions are strongly advised to upgrade to the latest patched versions to mitigate the risk of attack. The updates can be accessed via Ivanti’s official download portal. Ivanti’s May 2025 advisory stated that the company is aware of a limited number of cases where these vulnerabilities were actively exploited at the time of disclosure.
Mitigation and Workaround
While Ivanti recommends upgrading to the patched versions of EPMM, customers who are unable to do so immediately can mitigate the risks by using specific security measures. The company suggests filtering access to the API by either utilizing the built-in Portal ACLs functionality or by deploying an external Web Application Firewall (WAF).
However, Ivanti also warned that the use of certain filtering mechanisms, such as the “ACLs” functionality, could have some limitations, especially for configurations involving frequently changing IP addresses or integrations like Windows Device Registrations via Autopilot or Microsoft Device Compliance and Graph API.
For those who prefer an alternative solution, Ivanti offers an RPM file to assist in mitigating vulnerabilities. Here’s how to install the RPM file:
- Connect to the instance using SSH and log in to the system CLI as the admin user (created during system installation).
- Enter EXEC PRIVILEGED mode by typing enable and entering the system password set during installation. The prompt will change from > to #.
- Run the following command to download and install the RPM file: install rpm url https://hostname/pathtorpm
- After the installation completes, type reload to restart the system and apply the update.
Conclusion
The vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile highlight the serious risks to enterprise software, particularly the high severity of the remote code execution vulnerability (CVE-2025-4428) that could allow attackers to gain full control of affected systems.
To mitigate these risks, organizations using EPMM must stay vigilant by promptly applying security patches and following recommended best practices, such as implementing API access controls.
