
Critical Ivanti Vulnerabilities Now Under Active Attack


Cybersecurity firm Wiz has issued a stark warning about active exploitation of two newly disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Though individually rated as medium severity, these flaws — CVE-2025-4427 and CVE-2025-4428 — are now being chained by attackers to achieve unauthenticated remote code execution (RCE) in real-world attacks.

The vulnerabilities stem from issues in two open-source libraries integrated into Ivanti EPMM. One is an authentication bypass, caused by faulty route configurations in Spring framework security rules, which inadvertently expose APIs without requiring credentials. The second is a post-authentication RCE, where error messages mishandle user input via a Spring function, allowing attackers to inject malicious format parameters and run arbitrary Java code.

Wiz reports that these vulnerabilities have been exploited in the wild since May 16, just days after Ivanti released patches on May 13. The attackers are reportedly leveraging publicly available proof-of-concept (PoC) code to craft payloads that exploit both bugs together. One of the payloads observed included a Sliver beacon, a known command-and-control (C2) implant, contacting infrastructure previously associated with attacks on Palo Alto Networks PAN-OS appliances.

What’s especially concerning is the reuse of a persistent C2 IP address whose certificate hasn’t changed since November 2024. Wiz believes this points to the same threat actor opportunistically targeting multiple vulnerable enterprise platforms.

Despite the individual flaws being labeled medium risk, Wiz strongly recommends treating the combined threat as critical due to its ability to enable unauthenticated RCE. Organizations are urged to immediately patch affected EPMM deployments using the fixed versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1.
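Because the fixed builds differ per release branch, a plain "newer than X" check is not enough when triaging an EPMM fleet. The following is an added example (not Ivanti's or Wiz's code) that compares version strings against the four fixed releases above, branch by branch; it assumes dotted integer version strings as printed in the advisory and sends anything it cannot classify to a "review" bucket.

```python
# Added example, not Ivanti's code: branch-aware check of EPMM version
# strings against the fixed releases the advisory lists. Assumes dotted
# integer version strings as the advisory prints them.

# Fixed releases from the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, ...]] = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.4.0.1' into (12, 4, 0, 1); reject non-numeric input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'review' for one EPMM version;
    'review' marks branches the advisory names no fixed build for."""
    version = parse_version(version_text)
    if len(version) < 2:
        return "review"
    fixed = FIXED_BY_BRANCH.get((version[0], version[1]))
    if fixed is None:
        return "review"
    # Pad short strings such as '12.3' with zeros so the comparison is fair.
    padded = version + (0,) * (len(fixed) - len(version))
    return "patched" if padded[: len(fixed)] >= fixed else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by verdict; unparsable version strings land in 'review'."""
    buckets: dict[str, list[str]] = {"patched": [], "vulnerable": [], "review": []}
    for host, ver in inventory.items():
        try:
            buckets[assess(ver)].append(host)
        except ValueError:
            buckets["review"].append(host)
    return buckets


# Constructed sample inventory, not real hosts.
SAMPLE = {"epmm-a": "12.5.0.1", "epmm-b": "12.4.0.1", "epmm-c": "11.12.0.4",
          "epmm-d": "12.2.0.3", "epmm-e": "12.3", "epmm-f": "12.4.0.2-hf1"}
```

Hosts in the "review" bucket (unlisted branches, hotfix suffixes) still need a manual check against the vendor's advisory rather than being assumed safe.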

For added protection, enterprises should also ensure access control lists (ACLs) or external web application firewalls (WAFs) are configured to limit exposure of vulnerable endpoints.
