Ivanti has launched security updates to handle two security flaws in Endpoint Supervisor Cellular (EPMM) software program which were chained in assaults to achieve distant code execution.
The vulnerabilities in query are listed beneath –
- CVE-2025-4427 (CVSS rating: 5.3) – An authentication bypass in Ivanti Endpoint Supervisor Cellular permitting attackers to entry protected assets with out correct credentials
- CVE-2025-4428 (CVSS rating: 7.2) – A distant code execution vulnerability in Ivanti Endpoint Supervisor Cellular permitting attackers to execute arbitrary code on the goal system
The issues impression the next variations of the product –
- 11.12.0.4 and prior (Fastened in 11.12.0.5)
- 12.3.0.1 and prior (Fastened in 12.3.0.2)
- 12.4.0.1 and prior (Fastened in 12.4.0.2)
- 12.5.0.0 and prior (Fastened in 12.5.0.1)
Ivanti, which credited CERT-EU for reporting the problems, stated it is “conscious of a really restricted variety of prospects who’ve been exploited on the time of disclosure” and that the vulnerabilities are “related to two open-source libraries built-in into EPMM.”
The corporate, nonetheless, didn’t disclose the names of the impacted libraries. It is also not recognized what different software program purposes counting on the 2 libraries may very well be affected. Moreover, the corporate stated it is nonetheless investigating the instances, and that it doesn’t have dependable indicators of compromise related to the malicious exercise.
“The danger to prospects is considerably lowered in the event that they already filter entry to the API utilizing both the built-in Portal ACLs performance or an exterior internet utility firewall,” Ivanti famous.
“The problem solely impacts the on-prem EPMM product. It isn’t current in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint administration answer, Ivanti Sentry, or some other Ivanti merchandise.”
Individually, Ivanti has additionally shipped patches to comprise an authentication bypass flaw in on-premise variations of Neurons for ITSM (CVE-2025-22462, CVSS rating: 9.8) that might enable a distant unauthenticated attacker to achieve administrative entry to the system. There is no such thing as a proof that the security defect has been exploited within the wild.
With zero-days in Ivanti home equipment changing into a lightning rod for risk actors lately, it is crucial that customers transfer shortly to replace their cases to the most recent variations for optimum safety.
