
Active exploitation of vulnerabilities in Ivanti EPMM

Two recent vulnerabilities in Ivanti Endpoint Manager Mobile are being actively exploited by attackers. Researchers warn that not only on-premises but also cloud environments are targets of advanced attacks with far-reaching consequences.

On March 13, 2025, Ivanti announced that its Endpoint Manager Mobile (EPMM) product is affected by two separate vulnerabilities, designated CVE-2025-4427 and CVE-2025-4428. Chained together, these vulnerabilities allow an attacker to execute malicious code remotely without authentication. This is a critical threat that is already being actively exploited in both on-premises and cloud environments.

The first vulnerability, CVE-2025-4427, is an authentication bypass caused by errors in the route configuration of EPMM. Certain routes are reachable without a login because essential security rules are missing from the Spring Security configuration. The second vulnerability, CVE-2025-4428, lies in the error-handling functionality of Spring’s AbstractMessageSource: because user input is processed insecurely with the Java Expression Language, an attacker can inject their own code via error messages. Combined, these flaws make it possible to take complete control of systems, even without valid user credentials.
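To make the first defect class concrete, here is an added illustration (not Ivanti's code, and the route paths are hypothetical placeholders rather than EPMM's real routes) of a Spring Security rule set that leaves unmatched routes open, beside a deny-by-default configuration that closes that gap:

```java
// Added example, not Ivanti's code. Route paths are hypothetical placeholders.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ApiSecurityConfig {

    // WEAK: only the listed prefixes require a login. Every route that no
    // matcher covers falls through to permitAll(), so an overlooked or newly
    // added API path is reachable without authentication. This is the shape
    // of a "missing essential rule" in a route configuration.
    // (No @Bean on purpose: kept only for contrast with the hardened chain.)
    SecurityFilterChain weakChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/api/admin/**").authenticated()
            .requestMatchers("/api/devices/**").authenticated()
            .anyRequest().permitAll());   // unmatched routes are left open
        return http.build();
    }

    // HARDENED: deny by default. Only explicitly listed public endpoints are
    // open; every other route, including ones added later, needs a login.
    @Bean
    SecurityFilterChain hardenedChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
            .requestMatchers("/login", "/health").permitAll()
            .anyRequest().authenticated());
        return http.build();
    }
}
```

Reviewing a configuration for an `anyRequest().permitAll()` fallback, or for routes that no matcher covers, is a quick way to spot this defect class before an attacker does.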

Active exploitation in cloud environments

When announcing the vulnerability, Ivanti stated that only the on-premises version of EPMM was affected and that only a small number of customers were actually targeted by attacks. However, independent research by security company Wiz has revealed that the vulnerabilities are now also being actively exploited in cloud environments. Since May 16, 2025, specialists at Wiz Research have observed bad actors targeting unpatched systems in cloud environments, particularly EPMM instances that are directly exposed to the internet. These findings seem to contradict Ivanti’s earlier communication, which has so far been cautious about the exact impact on cloud products.

Several attacks have used a known command-and-control framework called Sliver. This software is regularly used by advanced threat actors, such as state-sponsored groups from China and Russia and organized ransomware gangs. Sliver provides long-term, covert access to compromised systems and is used for a variety of malicious activities such as espionage, data theft, credential harvesting, and preparing ransomware attacks.

Parallel to vulnerable Palo Alto configurations

One of the command-and-control servers used in these attacks has the IP address 77.221.157.154. This address has previously been linked to attacks on vulnerable Palo Alto Networks devices. Analysis shows that the TLS certificate on this server has remained unchanged since November 2024. According to Wiz, this indicates that the same actor is deliberately exploiting both product lines.

The vulnerabilities can be traced back to the use of external open-source libraries within the EPMM product. Ivanti confirms that it is working with security partners and the developers of the affected libraries to determine whether these components themselves should be assigned a separate CVE. The dependence on external code libraries within a security product highlights the risks that can arise from insufficient control over the security of embedded software.

The US government agency CISA has now added both vulnerabilities to its Known Exploited Vulnerabilities catalog. Although the individual CVSS severity scores are 5.3 and 7.2, security experts consider the combined impact to be critical. The attacks appear to have increased following the publication of proof-of-concept code by security groups such as watchTowr and ProjectDiscovery on May 15, 2025.

Organizations using Ivanti EPMM are strongly advised to apply the recently released patches immediately. Where this is not yet possible, temporary network restrictions on the affected API routes can reduce the risk of abuse. Security solutions such as those offered by Wiz also provide options for actively detecting vulnerable or compromised systems in cloud environments. Acting quickly is essential to prevent further damage.