Full Report
The besieged security vendor maintains the latest exploited vulnerabilities in its products are entirely linked to unspecified security issues in open-source libraries. Some researchers aren’t buying it. The post Questions mount as Ivanti tackles another round of zero-days appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in Ivanti EPMM via Intertwined Flaws
## CVE Details
- CVE ID: CVE-2025-4427 and CVE-2025-4428 (Exploited as a chain)
- CVSS Score: *Not stated in the source text.* (Severity: Critical, based on the unauthenticated RCE outcome)
- CWE: *Not stated in the source; the flaws relate to an access-control bypass and the incorrect use of open-source libraries.*
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM)
- Versions: All versions prior to the patch release.
- Configurations: Internet-facing deployments are the primary targets.
## Vulnerability Description
The reported vulnerabilities (CVE-2025-4427 and CVE-2025-4428) exist as a closely intertwined chain allowing for unauthenticated Remote Code Execution (RCE) against internet-facing Ivanti EPMM deployments.
1. **CVE-2025-4427 (Access Control Flaw):** Researchers suggest this is an incorrect order-of-operations vulnerability (or a complete lack of access-control enforcement) that allows attackers to reach a web API endpoint without authentication.
2. **CVE-2025-4428 (RCE):** Following the access granted by CVE-2025-4427, attackers can initiate unauthenticated RCE via this second vulnerability in a single attack request chain.
Ivanti attributes the root cause to flaws in integrated open-source libraries; external researchers, however, assert that the vulnerabilities stem from the incorrect implementation or misuse of those libraries within Ivanti's own code.
## Exploitation
- Status: Exploited in the wild (Reported as zero-days prior to disclosure)
- Complexity: Low (Described as a "single request, point and shoot" operation)
- Attack Vector: Network (Targeting internet-facing installations)
## Impact
- Confidentiality: High (Implied due to data theft observed by threat actors)
- Integrity: High (RCE allows system takeover)
- Availability: High (RCE)
## Remediation
### Patches
- Ivanti has released fixes for its own proprietary code, where the flawed logic associated with these CVEs lives. Customers must apply the vendor's relevant security updates for Ivanti EPMM.
*(Specific patch versions were not detailed in the source material, only that Ivanti released a fix).*
### Workarounds
- No specific workarounds were detailed in the source; segmentation, or restricting internet-facing access to the EPMM product, is the implied interim measure until patching is complete.
## Detection
- **Indicators of Compromise (IoC):** Watch for network traffic attempting to reach the specific EPMM API endpoints that should require authentication. Multiple threat actors, including UNC5221, are actively scanning and exploiting these endpoints.
- **Detection Methods and Tools:** Monitoring services (such as GreyNoise) have been used to spot a surge in scanning activity targeting Ivanti EPMM servers immediately after disclosure. SIEM/EDR systems should monitor for unexpected process execution originating from the EPMM application following successful completion of the exploit chain.
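As an added illustration of the first detection method above (example code, not from the article or from Ivanti), the following Python flags access-log entries where an API path that should require authentication was served with a 2xx to a request carrying no credentials, and counts the distinct sources behind those hits. The `/api/v2/` prefix, the trailing `auth=` field and every log line are constructed assumptions; substitute the endpoint paths named in the vendor advisory.

```python
import re
from collections import Counter

# Constructed access-log lines (combined-log style plus a trailing "auth="
# field saying whether a valid session accompanied the request). Addresses
# are documentation ranges; "/api/v2/" and PLACEHOLDER stand in for the real
# EPMM endpoint paths, which the article does not name (assumption).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/May/2025:10:01:02 +0000] "GET /api/v2/PLACEHOLDER HTTP/1.1" 200 512 auth=none',
    '203.0.113.5 - - [15/May/2025:10:01:03 +0000] "GET /api/v2/PLACEHOLDER?format=json HTTP/1.1" 200 480 auth=none',
    '198.51.100.7 - - [15/May/2025:10:01:09 +0000] "GET /api/v2/devices HTTP/1.1" 200 2048 auth=session',
    '192.0.2.44 - - [15/May/2025:10:02:15 +0000] "GET /api/v2/PLACEHOLDER HTTP/1.1" 200 510 auth=none',
    '192.0.2.44 - - [15/May/2025:10:02:16 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 3000 auth=none',
    '192.0.2.44 - - [15/May/2025:10:02:20 +0000] "GET /api/v2/devices HTTP/1.1" 401 0 auth=none',
]

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) '
                    r'[^"]+" (?P<status>\d{3}) \d+ auth=(?P<auth>\S+)$')

# API prefixes that must only be reachable with a valid session (assumed).
AUTH_REQUIRED_PREFIXES = ("/api/v2/",)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string before matching
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_api_hits(lines, prefixes=AUTH_REQUIRED_PREFIXES):
    """Flag requests that reached an auth-required API path with no credentials
    and still got a 2xx. That combination is the access-control bypass itself;
    a 401/403 on the same path is a rejected probe and is not flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["auth"] != "none":
            continue
        if rec["path"].startswith(prefixes) and 200 <= rec["status"] < 300:
            hits.append(rec)
    return hits


def sources_by_hit_count(hits):
    """Distinct sources behind the hits, busiest first. A jump in the number
    of distinct sources is the post-disclosure scanning surge the article notes."""
    return Counter(h["src"] for h in hits).most_common()
```

Running `find_unauthenticated_api_hits(SAMPLE_LOG)` on the constructed lines returns three hits from two sources; the authenticated request and the rejected 401 probe are left alone.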
## References
- Vendor Advisory: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US
- Research Note (UNC5221 Activity): https://blog.eclecticiq.com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
- watchTowr Reproduction: https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/