Full Report
The besieged security vendor maintains the latest exploited vulnerabilities in its products are entirely linked to unspecified security issues in open-source libraries. Some researchers aren’t buying it. The post Questions mount as Ivanti tackles another round of zero-days appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Unauthenticated RCE in Ivanti Endpoint Manager Mobile (EPMM) via Intertwined Flaws
## CVE Details
- CVE ID: CVE-2025-4427, CVE-2025-4428 (Exploited as a pair)
- CVSS Score: Not stated in the source; unauthenticated RCE implies a High rating.
- CWE: Not explicitly stated, but the descriptions point towards Improper Access Control/Authorization (CVE-2025-4427) and Command Injection/RCE (CVE-2025-4428).
## Affected Systems
- Products: Ivanti Endpoint Manager Mobile (EPMM) - On-premise versions.
- Versions: Specific vulnerable versions are not listed in the source; on-premise installations deployed before the patches were released should be treated as affected.
- Configurations: Internet-facing deployments are the primary targets observed.
## Vulnerability Description
This vulnerability involves a chain of two closely intertwined flaws leading to unauthenticated Remote Code Execution (RCE).
1. **CVE-2025-4427**: An authentication bypass flaw (described by researchers as an incorrect order of operations/missing access control enforcement) affecting a web API endpoint, allowing unauthenticated access to that endpoint.
2. **CVE-2025-4428**: Following successful exploitation of CVE-2025-4427, unauthenticated RCE can be initiated via this second flaw within a single request sequence.
Ivanti attributes the root cause to security issues in third-party open-source libraries used by EPMM; researchers counter that the fault lies in how Ivanti integrates and uses those libraries.
## Exploitation
- Status: Exploited in the wild (Zero-day exploitation observed prior to disclosure). Nation-state actors (UNC5221) and other cybercriminals are actively exploiting this.
- Complexity: Low (Described as a "single request, point and shoot," not requiring a complicated multi-stage chain).
- Attack Vector: Network (Targeting internet-facing deployments).
## Impact
- Confidentiality: High (Implied by RCE and data theft reported against victims).
- Integrity: High (RCE allows modification/control over the system).
- Availability: High (RCE can lead to denial of service or system compromise).
## Remediation
### Patches
- Specific patched versions are not detailed, but Ivanti has released fixes for the vulnerabilities associated with the open-source libraries used in EPMM. Customers should upgrade to the versions specified in the relevant **May 13 security advisory**.
### Workarounds
- No temporary workarounds are described in the source beyond applying the vendor patch immediately. If patching is delayed, restricting external access to internet-facing EPMM deployments (network segmentation, allow-listing of management sources) is the critical interim step.
## Detection
- Indicators of Compromise (IoCs): Increased scanning activity targeting Ivanti EPMM products has been observed (nine-fold surge reported prior to patch release). Specific malicious IPs initiating exploit attempts have been documented since May 16.
- Detection Methods and Tools: Monitoring web traffic logs and endpoints for unexpected requests targeting specific API endpoints that precede RCE payload execution. Security teams should cross-reference IoCs against network monitoring solutions.
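An added detection sketch for the monitoring approach described above (it is not code from the article, Ivanti, or the linked trackers): it parses access-log lines, flags requests to watched API endpoints from known IoC sources, flags unauthenticated requests that the server nevertheless answered successfully, and flags per-source request counts at or above the nine-fold surge the article reports. The watched path, the IoC address, the `auth=` log field and all sample lines are constructed placeholders to be replaced with values from the Ivanti advisory and the referenced trackers.

```python
import re
from collections import Counter

# Constructed placeholders: the article names neither the vulnerable API path nor
# the malicious IPs, so substitute values from the Ivanti advisory and the trackers.
WATCHED_PATHS = ("/api/PLACEHOLDER-VULNERABLE-ENDPOINT",)
IOC_IPS = {"203.0.113.7"}          # RFC 5737 documentation address, constructed
SURGE_FACTOR = 9                   # the article reports a nine-fold scanning surge

# Assumed log layout: combined log format plus a trailing "auth=<yes|no>" field
# recording whether the request carried a valid session (an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" auth=(?P<auth>yes|no)$'
)

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_watched(path):
    # Compare the path only; scanners often append arbitrary query strings.
    return path.split("?", 1)[0] in WATCHED_PATHS

def analyze(lines, baseline_per_source=1):
    """Return a list of (rule, ip, detail) findings over raw access-log lines."""
    findings, per_source = [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        per_source[rec["ip"]] += 1
        if not is_watched(rec["path"]):
            continue
        if rec["ip"] in IOC_IPS:
            findings.append(("ioc_source", rec["ip"], rec["path"]))
        # A session-less request answered 2xx on a watched endpoint matches the
        # authentication-bypass behaviour described for CVE-2025-4427.
        if rec["auth"] == "no" and rec["status"].startswith("2"):
            findings.append(("unauth_api_success", rec["ip"], rec["status"]))
    for ip, n in per_source.items():
        if n >= SURGE_FACTOR * baseline_per_source:
            findings.append(("scan_surge", ip, n))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '198.51.100.5 - - [16/May/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" auth=no',
    '203.0.113.7 - - [16/May/2025:10:00:02 +0000] "GET /api/PLACEHOLDER-VULNERABLE-ENDPOINT?x=1 HTTP/1.1" 200 88 "-" "curl/8.0" auth=no',
    '198.51.100.5 - - [16/May/2025:10:00:03 +0000] "GET /api/PLACEHOLDER-VULNERABLE-ENDPOINT HTTP/1.1" 401 0 "-" "python-requests/2.31" auth=no',
] + [f'192.0.2.9 - - [16/May/2025:10:01:{i:02d} +0000] "GET /api/PLACEHOLDER-VULNERABLE-ENDPOINT HTTP/1.1" 404 0 "-" "zgrab/0.x" auth=no' for i in range(9)]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample it reports the IoC source, the successful unauthenticated hit from that source, and the nine-request scanner; the 401 from the other source is not flagged.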
## References
- Vendor Advisories: Ivanti May 13 Security Advisory
- Relevant Links:
- eclecticiq dot com/china-nexus-threat-actor-actively-exploiting-ivanti-endpoint-manager-mobile-cve-2025-4428-vulnerability
- greynoise dot io/blog/surge-ivanti-connect-secure-scanning-activity
- greynoise dot io/tags/ivanti-epmm-cve-2025-4428-rce-attempt
- cyberscoop dot com/ivanti-exploited-vulnerabilities-network-edge-devices-kev-list/
- cisa dot gov/known-exploited-vulnerabilities-catalog?f%5B0%5D=vendor_project%3A817\&page=0
- labs dot watchtowr dot com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/