Security researchers at Wiz have raised the alarm about active exploitation of two newly patched Ivanti EPMM vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428. These bugs—though individually rated as medium severity—pose a critical threat when combined, enabling attackers to achieve unauthenticated remote code execution (RCE).
Ivanti issued patches for both flaws on May 13, urging customers to update their systems immediately. The company noted that zero-day attacks had already been observed, but emphasized that risk could be mitigated if Access Control Lists (ACLs) or external web application firewalls (WAFs) are used to filter API traffic.
According to Wiz, the first vulnerability is an authentication bypass, caused by improperly handled route configurations within the Spring security framework. This misconfiguration lets unauthenticated users access sensitive endpoints. The second bug involves a remote code execution flaw, where user-supplied input in error messages is dangerously evaluated using the Java Expression Language (JUEL) in a Spring function. By manipulating the input format, attackers can inject and execute arbitrary Java code.
Wiz researchers stress that when these two issues are chained together, they allow full system compromise without authentication—elevating the overall risk to a critical level.
Threat Actor Uses Known C2 Infrastructure
Since May 16, Wiz has observed active in-the-wild exploitation of these Ivanti EPMM vulnerabilities following the release of proof-of-concept (PoC) exploit code. Attackers are leveraging this chain to deploy malicious payloads, including a Sliver beacon, which connects to a known command-and-control (C2) server. This C2 IP address has been previously linked to attacks targeting vulnerable PAN-OS appliances from Palo Alto Networks.
Wiz notes that the C2 server’s certificate remains unchanged since November 2024, indicating that the same threat actor is behind both campaigns. This persistence suggests a coordinated and opportunistic effort to compromise unpatched enterprise systems across multiple vendors.
To defend against these attacks, organizations using Ivanti Endpoint Manager Mobile are strongly advised to upgrade to one of the patched versions:
- 11.12.0.5
- 12.3.0.2
- 12.4.0.2
- 12.5.0.1
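As an added example (not code from the Wiz or Ivanti advisories), a small Python triage script that compares an inventory of EPMM version strings against the fixed releases listed above; the hostnames and versions in the sample inventory are constructed, and a version on a release branch that the advisory does not name is reported as unknown rather than assumed safe.

```python
"""Branch-aware check of Ivanti EPMM versions against the fixed releases.

Added example, not from the advisory: a version is treated as patched only
when it is at or above the fixed release for its own major.minor branch.
"""

# Fixed releases named in the advisory, keyed by release branch (major.minor).
PATCHED_BY_BRANCH = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(text: str) -> tuple:
    """Turn '12.4.0.1' into (12, 4, 0, 1); missing trailing fields count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one version string."""
    v = parse_version(version)
    fixed = PATCHED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Branch not covered by the advisory: do not assume it is safe.
        return "unknown-branch"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group hostnames by status so the vulnerable set can be acted on first."""
    groups = {"vulnerable": [], "patched": [], "unknown-branch": []}
    for host, ver in inventory.items():
        groups[assess(ver)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "mdm-01.example.internal": "12.4.0.1",
        "mdm-02.example.internal": "12.4.0.2",
        "mdm-03.example.internal": "11.12.0.4",
        "mdm-04.example.internal": "12.5.0.1",
        "mdm-05.example.internal": "12.2.0.3",
    }
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```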
Wiz emphasized that even though these flaws were discovered in open-source libraries within EPMM, their impact is serious—especially when exploited in tandem. Enterprises are urged to audit external access to the API, apply updates promptly, and monitor for suspicious activity involving Sliver payloads or known C2 indicators.