- New research points to flaws used in attacks against cloud instances
- The flaws were previously found in on-prem attacks
- Ivanti released a patch, so apply it now
Two bugs affecting Ivanti’s Endpoint Manager Mobile (EPMM), which were discovered and patched in mid-May, are still being abused in real-life attacks. In fact, attackers are now targeting cloud instances as well.
This is according to cybersecurity researchers at Wiz, who recently published a new report detailing the findings.
“Wiz Research has observed ongoing exploitation of these vulnerabilities in-the-wild targeting exposed and vulnerable EPMM instances in cloud environments since May 16th, 2025, coinciding with the publication of POCs by several sources including watchTowr and ProjectDiscovery,” the researchers said in their report.
CISA added the flaws to KEV
The bugs in question are an authentication bypass flaw and a post-authentication remote code execution (RCE) flaw. They are tracked as CVE-2025-4427 and CVE-2025-4428, and neither was given a critical severity score. “While neither of these vulnerabilities have been assigned critical severity, in combination they should certainly be treated as critical,” Wiz added.
Ivanti addressed the vulnerabilities in a patch released in mid-May this year and warned, in a security advisory, of ongoing attacks.
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” the company said at the time. To address the issue, users should install Ivanti Endpoint Manager Mobile 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.
Initially, Ivanti thought the issue only affected on-prem EPMM products. “It is not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products,” the company explained. “We urge all customers using the on-prem EPMM product to promptly install the patch.”
In the meantime, CISA added the two bugs to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch (FCEB) agencies a deadline to patch. No threat actors have claimed responsibility for any of the attacks so far.
Via The Register