Hackers have successfully breached a limited number of Ivanti Endpoint Mobile Manager users by chaining together medium and high-severity vulnerabilities in the suite of mobile device management software.
The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, can allow an unauthenticated attacker to achieve remote code execution. Ivanti is urging customers to immediately upgrade to a fixed version of the software.
The company also warned that the two vulnerabilities are linked to flaws in open-source libraries that are integrated into EPMM. Security researchers say those third-party flaws could have broader implications.
Ivanti said it is working with security partners and with maintainers of the affected libraries to determine whether additional CVEs are warranted.
There is some disagreement about the issue, however. Researchers at watchTowr raised questions about whether the issue should be legitimately blamed on a third-party library vulnerability. The researchers claim Ivanti misused a known dangerous function in the hibernate-validator library.
Meanwhile, researchers at the Shadowserver Foundation reported 798 instances of CVE-2025-4427 were unpatched and considered vulnerable as of Sunday, down from 940 instances on Thursday.
The exploit chain links CVE-2025-4427, an authentication bypass in EPMM that lets an attacker reach protected resources without valid credentials, with CVE-2025-4428, a remote code execution flaw that lets an attacker run arbitrary code on the target system.
The vulnerabilities have CVSS scores of 5.3 (medium severity) and 7.2 (high severity), respectively. When chained together, researchers at Rapid7 said, an unauthenticated attacker could reach a web API endpoint to inject server-side template patterns and exploit the high-severity flaw.
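The hibernate-validator misuse watchTowr points to and the server-side template injection Rapid7 describes come down to one coding pattern: untrusted request input concatenated into a constraint-violation message template, which Hibernate Validator then interpolates, including any `${...}` Expression Language it contains. The code below is an added illustration from the editor, not code from Ivanti, watchTowr, Rapid7 or the article, and it does not reproduce any EPMM endpoint. The validator class, the `@ValidDeviceName` annotation and the field name are hypothetical; the `customViolationExpressionLanguageFeatureLevel` setting is assumed to be the Hibernate Validator 6.2+/7+ configuration option. It shows the unsafe pattern next to two mitigations: escaping the characters the template grammar reserves, and disabling Expression Language for custom violations at the validator factory.

```java
import jakarta.validation.ConstraintValidator;
import jakarta.validation.ConstraintValidatorContext;
import jakarta.validation.Validation;
import jakarta.validation.ValidatorFactory;
import org.hibernate.validator.HibernateValidator;
import org.hibernate.validator.messageinterpolation.ExpressionLanguageFeatureLevel;

// Hypothetical validator for a hypothetical @ValidDeviceName constraint.
// Editor's illustration; not Ivanti's code.
public class DeviceNameValidator implements ConstraintValidator<ValidDeviceName, String> {

    private static final String ALLOWED = "[A-Za-z0-9_-]{1,64}";

    // UNSAFE: the request value becomes part of the message *template*.
    // Hibernate Validator interpolates templates, so a "${...}" sequence in
    // attacker-controlled input is evaluated as Expression Language server-side.
    public boolean isValidUnsafe(String value, ConstraintValidatorContext ctx) {
        if (value == null || !value.matches(ALLOWED)) {
            ctx.disableDefaultConstraintViolation();
            ctx.buildConstraintViolationWithTemplate("Invalid device name: " + value)
               .addConstraintViolation();
            return false;
        }
        return true;
    }

    // SAFE: escape the characters the message-template grammar reserves
    // ({, }, $ and \) so the value is rendered literally, never interpolated.
    static String escapeTemplate(String s) {
        return s.replace("\\", "\\\\")
                .replace("{", "\\{")
                .replace("}", "\\}")
                .replace("$", "\\$");
    }

    @Override
    public boolean isValid(String value, ConstraintValidatorContext ctx) {
        if (value == null || !value.matches(ALLOWED)) {
            ctx.disableDefaultConstraintViolation();
            ctx.buildConstraintViolationWithTemplate(
                    "Invalid device name: " + escapeTemplate(String.valueOf(value)))
               .addConstraintViolation();
            return false;
        }
        return true;
    }

    // Defense in depth (assumed Hibernate Validator 6.2+ / 7+ option): refuse
    // Expression Language in custom violations entirely, so an unescaped
    // template elsewhere in the code base still cannot execute expressions.
    static ValidatorFactory hardenedFactory() {
        return Validation.byProvider(HibernateValidator.class)
                .configure()
                .customViolationExpressionLanguageFeatureLevel(ExpressionLanguageFeatureLevel.NONE)
                .buildValidatorFactory();
    }
}
```

The escaping fix is local to one validator and depends on every developer remembering it; the factory-level setting removes the capability for the whole application, which is the control a defender should prefer when reviewing a code base for this pattern.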
Rapid7 has tested proof-of-concept exploits and confirmed they work, but has not yet seen any confirmed exploitation in customer environments, according to security researcher Ryan Emmons.
Emmons added that it’s unclear which open-source libraries Ivanti is citing as the root cause of the flaw. A spokesperson for Ivanti was not immediately available for comment.
The security issues were first reported to Ivanti by CERT-EU, the Cybersecurity Service for the Union Institutions.