Emergency Security Bulletin: Multiple Vulnerabilities Affecting Ivanti Endpoint Manager Mobile (EPMM)


By: RedLegg's Cyber Threat Intelligence Team

About:

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability


CVSS Score: 7.5 (High)
Identifier: CVE-2025-4427
Exploit or POC: Yes – Actively exploited in the wild
Update: CVE-2025-4427 – Ivanti Security Advisory

Description: CVE-2025-4427 is a critical authentication bypass vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM). The flaw exists due to insufficient validation in the authentication process, allowing remote unauthenticated attackers to bypass access controls. When combined with CVE-2025-4428, attackers can gain unauthorized remote code execution capabilities.

This vulnerability has been exploited in targeted attacks across sectors including government, aviation, healthcare, and finance. Exploitation campaigns have involved the use of malware such as KrustyLoader and C2 frameworks like Sliver, enabling threat actors to deploy payloads and extract sensitive data.

Affected Versions:
 
  • Ivanti EPMM versions up to and including 11.12.0.4
  • Versions up to and including 12.3.0.1
  • Versions up to and including 12.4.0.1
  • Versions up to and including 12.5.0.0

Mitigation Recommendation: Ivanti has released security updates addressing the vulnerability. Organizations are urged to upgrade to the latest secure versions:

  • 11.12.0.5 or later
  • 12.3.0.2 or later
  • 12.4.0.2 or later
  • 12.5.0.1 or later

If patching is not immediately possible, it is advised to implement temporary mitigations such as restricting access to administrative interfaces, deploying web application firewalls to monitor and block suspicious requests, and monitoring network traffic for anomalies.

Note: Due to the critical severity and confirmed exploitation, immediate remediation actions are essential to prevent compromise. Security teams should ensure patches are applied and systems are closely monitored.


Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability


CVSS Score: 8.8 (High)
Identifier: CVE-2025-4428
Exploit or POC: Yes – Actively exploited in the wild
Update: CVE-2025-4428 – Ivanti Security Advisory

Description: CVE-2025-4428 is a high-severity remote code execution (RCE) vulnerability in Ivanti Endpoint Manager Mobile (EPMM). The flaw arises from improper control of code generation in the API component, allowing authenticated attackers to execute arbitrary code via crafted API requests. This vulnerability has been actively exploited in the wild, often in conjunction with CVE-2025-4427, an authentication bypass vulnerability, to achieve unauthenticated RCE.

Threat actors have exploited this vulnerability chain to deploy various payloads, including the KrustyLoader malware and Sliver C2 beacons, and to exfiltrate sensitive data from compromised systems. The attacks have targeted organizations across multiple sectors, including healthcare, telecommunications, aviation, municipal government, finance, and defense, primarily in Europe, North America, and the Asia-Pacific region.

Affected Versions:
 
  • Ivanti Endpoint Manager Mobile (EPMM) versions up to and including 11.12.0.4
  • Versions up to and including 12.3.0.1
  • Versions up to and including 12.4.0.1
  • Versions up to and including 12.5.0.0

Mitigation Recommendation: Ivanti has released patches addressing this vulnerability. Administrators are strongly advised to apply the updates immediately:

  • Upgrade to version 11.12.0.5 or later
  • Upgrade to version 12.3.0.2 or later
  • Upgrade to version 12.4.0.2 or later
  • Upgrade to version 12.5.0.1 or later

If immediate patching is not feasible, it is recommended to implement network-level restrictions on the /rs/api/v2/* and /mifs/rs/api/v2/* endpoints until patches are applied. Additionally, monitor systems for any unusual activity, such as unauthorized access attempts or unexpected network traffic.
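As an added example (not part of the RedLegg bulletin or of Ivanti's guidance), the following Python checker flags access-log requests that reach the two API prefixes named above from sources outside an allowlisted network, which is one way to verify that a network-level restriction is holding and to surface the unusual access attempts the recommendation asks teams to monitor for. The log format, the allowlisted subnet and the sample log lines are constructed assumptions, not real EPMM traffic.

```python
import ipaddress
import re
from typing import Iterable

# API path prefixes named in the advisory as the ones to restrict until patched.
RESTRICTED_PREFIXES = ("/rs/api/v2/", "/mifs/rs/api/v2/")

# Constructed allowlist (assumption): the internal subnet from which the
# integration API is legitimately called in this hypothetical environment.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Assumed log layout: common log format with a trailing status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_restricted_path(path: str) -> bool:
    # Drop the query string first so "?x=1" cannot disguise the path prefix.
    path_only = path.split("?", 1)[0]
    return any(path_only.startswith(p) for p in RESTRICTED_PREFIXES)

def is_allowed_source(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable source field is never treated as trusted
    return any(addr in net for net in ALLOWED_NETWORKS)

def find_suspect_requests(lines: Iterable[str]) -> list[dict]:
    """Return parsed entries that hit a restricted prefix from a non-allowlisted source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        entry = m.groupdict()
        if is_restricted_path(entry["path"]) and not is_allowed_source(entry["ip"]):
            hits.append(entry)
    return hits

# Constructed sample access-log lines (not real traffic; paths are placeholders).
SAMPLE_LOG = [
    '10.20.0.15 - - [20/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/devices HTTP/1.1" 200',
    '198.51.100.7 - - [20/May/2025:10:01:09 +0000] "GET /rs/api/v2/devices?x=1 HTTP/1.1" 200',
    '198.51.100.7 - - [20/May/2025:10:01:11 +0000] "GET /mifs/login.jsp HTTP/1.1" 200',
    'bad-host - - [20/May/2025:10:01:12 +0000] "POST /mifs/rs/api/v2/ping HTTP/1.1" 401',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Run against the sample input, the checker reports the two external hits on the restricted prefixes and ignores the allowlisted internal call and the unrelated login page request.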

Note: Given the active exploitation of this vulnerability, prompt action is essential to secure affected systems. Regularly reviewing and applying security updates is vital to maintaining the integrity and security of your infrastructure.