Ivanti Addresses EPMM Vulnerabilities Leading to Remote Code Execution in Select Attacks

May 14, 2025
Vulnerability / Endpoint Security

Ivanti has issued security updates to remedy two vulnerabilities in its Endpoint Manager Mobile (EPMM) software, which have been exploited in limited attacks for remote code execution. The vulnerabilities include:

  • CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass that enables attackers to access protected resources without valid credentials.
  • CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability allowing arbitrary code execution on affected systems.

Exploiting these vulnerabilities could allow an attacker to chain them together to execute arbitrary code on a compromised device without authentication. The affected versions of the product are:

  • 11.12.0.4 and earlier (fixed in 11.12.0.5)
  • 12.3.0.1 and earlier (fixed in 12.3.0.2)
  • 12.4.0.1 and earlier (fixed in 12.4.0.2)
  • 12.5.0.0 and earlier (fixed in 12.5.0.1)

Ivanti has credited CERT-EU for reporting these vulnerabilities.

Ivanti Issues Patches for Vulnerabilities in EPMM Software Exploited in Limited Attacks

On May 14, 2025, Ivanti announced critical security updates addressing two vulnerabilities in its Endpoint Manager Mobile (EPMM) software. These flaws have been utilized in limited attacks to facilitate remote code execution, raising significant concerns for businesses relying on this technology for mobile device management.

The first vulnerability, identified as CVE-2025-4427, has a CVSS score of 5.3 and allows for an authentication bypass within the EPMM software. This security gap enables attackers to access restricted resources without the necessary credentials, creating an avenue for unauthorized exploitation. The second vulnerability, CVE-2025-4428, carries a higher CVSS score of 7.2, signifying a more severe threat. This flaw permits attackers to execute arbitrary code on affected systems, significantly heightening the risk of system compromise.

When an attacker successfully exploits both vulnerabilities, they can potentially chain the flaws to execute arbitrary code on a vulnerable device without prior authentication. The impact is particularly pronounced for organizations using specific outdated EPMM versions. Notably, versions 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier are affected. All users of these versions are advised to upgrade to their respective patched versions for enhanced security.

The exploits primarily target organizations utilizing Ivanti’s solutions, which are popular among enterprises looking to streamline mobile device management and security. Given the widespread adoption of EPMM, the vulnerabilities pose a comprehensive risk to businesses, potentially leading to data breaches if not addressed promptly.

In terms of the techniques that may have been employed during these attacks, the MITRE ATT&CK framework offers valuable insights. The adversary could have utilized initial access methods exploiting the authentication bypass, followed by persistence tactics to maintain access. The tactics of privilege escalation may also have been relevant, considering the remote code execution capability offered by the second vulnerability.

The attack underscores the imperative for businesses to remain vigilant regarding software vulnerabilities and to ensure that all systems are updated promptly. Security experts consistently stress that proactive measures, including regular software updates and vulnerability assessments, are essential for maintaining robust cybersecurity defenses.

Ivanti’s timely response and the acknowledgment of CERT-EU for reporting these vulnerabilities showcase the importance of collaboration in cybersecurity. As businesses navigate an increasingly complex threat landscape, prioritizing security and staying informed about emerging vulnerabilities is key to mitigating risks effectively.

Source link

Related Posts

Fortinet Addresses CVE-2025-32756: Critical Zero-Day RCE Vulnerability in FortiVoice Systems

May 14, 2025
Vulnerability / Network Security

Fortinet has issued a fix for a severe security vulnerability exploited as a zero-day in attacks against FortiVoice enterprise phone systems. Identified as CVE-2025-32756, this flaw has a high CVSS score of 9.6 out of 10.0. According to the company’s advisory, “A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may enable a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.” Fortinet has confirmed that the flaw has been actively exploited in the wild within FortiVoice systems, although details regarding the scope of the attacks and the identities of the attackers remain undisclosed. Notably, the attacker engaged in network scans of devices, deleted system crash logs, and enabled FCGI debugging to capture credentials from the system and SSH login attempts. The vulnerability impacts the following products and versions: FortiCamera 1.1, 2.0 (Update to a secure release recommended).

Microsoft Resolves 78 Vulnerabilities, Including 5 Actively Exploited Zero-Days; CVSS 10 Flaw Affects Azure DevOps Server

May 14, 2025
Endpoint Security / Vulnerability

Microsoft has released updates addressing 78 security vulnerabilities across its software, including five zero-days currently being exploited in the wild. Among these flaws, 11 are classified as Critical, 66 as Important, and one as Low in severity. The patches include 28 vulnerabilities that enable remote code execution, 21 related to privilege escalation, and 16 classified as information disclosure issues. This release also coincides with fixes for eight security flaws found in the Chromium-based Edge browser since last month’s Patch Tuesday. The details of the actively exploited vulnerabilities are as follows:

  • CVE-2025-30397 (CVSS score: 7.5) – Scripting Engine Memory Corruption Vulnerability
  • CVE-2025-30400 (CVSS score: 7.8) – Microsoft Desktop Window Manager (DWM) Core Library Elevation of Privilege Vulnerability
  • CVE-2025-3270…

Samsung Addresses CVE-2025-4632, Exploited in the Wild for Mirai Botnet Deployment Through MagicINFO 9 Vulnerability

May 14, 2025
Vulnerability / Malware

Samsung has issued software updates to fix a critical security vulnerability in MagicINFO 9 Server that has been actively targeted. Identified as CVE-2025-4632 (CVSS score: 9.8), this path traversal flaw allows attackers to write arbitrary files with system-level permissions. According to the advisory, the vulnerability arises from “improper limitation of a pathname to a restricted directory” in versions before 21.1052 of the MagicINFO 9 Server. Notably, CVE-2025-4632 serves as a patch bypass for a previously addressed vulnerability, CVE-2024-7399, which was mitigated by Samsung in August 2024. Shortly after a proof-of-concept was released by SSD Disclosure on April 30, 2025, CVE-2025-4632 began to be exploited in the wild, with reports of it being used to deploy the Mirai botnet. Initial investigations into these attacks mistakenly pointed to CVE-2024-7399, but cybersecurity firm Huntress later clarified the situation.

Russia-Linked APT28 Exploits MDaemon Zero-Day to Target Government Webmail Servers

May 15, 2025
Vulnerability / Email Security

A cyber espionage operation associated with a Russian threat actor is reportedly compromising webmail servers, including Roundcube, Horde, MDaemon, and Zimbra, by exploiting cross-site scripting (XSS) vulnerabilities, notably a zero-day flaw in MDaemon. This activity, coded as Operation RoundPress by ESET, began in 2023 and has been linked with moderate confidence to the state-sponsored hacking group APT28, also known by various names such as BlueDelta, Fancy Bear, and Sednit.

“The primary objective of this operation is to extract sensitive data from targeted email accounts,” stated ESET researcher Matthieu Faou in a report shared with The Hacker News. “While most victims are governmental and defense entities in Eastern Europe, we have also noted targets across Africa, Europe, and beyond.”