How to secure Ivanti EPMM today: Technical mitigation steps and best practices

Why Is Ivanti EPMM Security Critical Right Now?

The recent exploitation of Ivanti Endpoint Manager Mobile (EPMM) through a pair of chained vulnerabilities—CVE-2025-4427 and CVE-2025-4428—has raised urgent concerns for organizations relying on mobile device management platforms. These vulnerabilities, when used in tandem, allow unauthenticated attackers to bypass authentication mechanisms and execute arbitrary code remotely on unpatched systems. Given EPMM’s role in centrally managing enterprise mobile endpoints, a breach could enable lateral movement across an organization’s infrastructure, credential theft, and deep compromise of sensitive enterprise mobility environments.

While Ivanti has responded by releasing urgent patches and advisories, the scope of the threat continues to evolve. Questions have emerged regarding the origin of the flaws—whether they stem from open-source libraries or Ivanti’s integration choices—and security researchers have emphasized the importance of enterprise-wide remediation. With mobile endpoints increasingly forming the frontline of enterprise networks, timely action is critical.

What Are the CVE-2025-4427 and CVE-2025-4428 Vulnerabilities?

CVE-2025-4427 is a medium-severity authentication bypass flaw that allows an attacker to gain access to restricted areas of the EPMM system without presenting valid credentials. On its own, it carries a CVSS score of 5.3. However, when combined with CVE-2025-4428—a remote code execution vulnerability rated at 7.2—the risk profile escalates significantly. Security researchers at Rapid7 demonstrated that these vulnerabilities could be chained to allow injection of malicious templates into exposed web APIs, resulting in unauthenticated code execution.

The root of the issue, according to watchTowr researchers, lies not in a newly discovered flaw in open-source code, but rather in Ivanti’s improper use of a known unsafe function within the hibernate-validator library. This distinction is important, as it reframes the incident from a third-party software failure to one of vendor misimplementation. Misuse of open-source libraries remains a persistent risk in the modern software ecosystem, particularly when secure integration practices are not followed.

Step 1: Identify Affected Versions and Deploy Critical Patches

Enterprises must begin by identifying all instances of Ivanti EPMM currently deployed and determining whether they are running a vulnerable version. Ivanti has issued patches in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. Any version older than these remains vulnerable unless mitigation steps have been manually implemented. All nodes within high-availability clusters must be updated consistently to avoid inconsistency in failover behavior. Ivanti has also released documentation detailing the patch process, along with remediation steps for systems requiring custom configurations.

Administrators are advised to perform controlled patch rollouts in staging environments prior to production deployment. Additionally, configuration backups should be taken to preserve settings, policies, and provisioning templates in case rollback is needed.

Step 2: Scan for Exposure and Audit Public-Facing Endpoints

Security teams should proactively scan their infrastructure for internet-facing Ivanti EPMM instances. Public exposure significantly increases the risk of exploit attempts, particularly with proof-of-concept code now available to security researchers and threat actors alike. According to data from the Shadowserver Foundation, nearly 800 vulnerable EPMM instances remained publicly accessible as of May 18, down from 940 just days earlier. These instances may be running in cloud-hosted environments, behind proxies, or exposed due to misconfigured reverse routing rules.

Administrators should verify whether any APIs, login endpoints, or admin interfaces are reachable without access control. Even environments protected by VPNs or firewalls should be reviewed for exceptions, legacy policies, or externally reachable interfaces tied to EPMM. Where possible, access should be geo-fenced, limited to internal IP ranges, or restricted behind authentication gateways to reduce the exposure window.

Step 3: Monitor for Exploit Indicators and Log Anomalies

Given the stealthy nature of authentication bypasses and remote code execution flaws, visibility into server activity is crucial. Organizations should begin by reviewing historical logs for anomalous activity tied to API requests, configuration changes, or unexpected user session behavior. Key indicators include unauthenticated access to sensitive paths, server-side template injection patterns, sudden administrative access from unknown IPs, and abnormal command execution logs.

While no widespread exploitation has yet been reported in live customer environments, security vendors including Rapid7 have confirmed working proof-of-concept exploits. This makes proactive detection and forensic readiness essential. Logs should be preserved for extended periods and correlated with authentication server activity, mobile device sync patterns, and API token usage to identify early-stage compromise attempts.

Step 4: Harden EPMM Configuration and Reduce Attack Surface

Beyond immediate patching, organizations must take long-term steps to harden their EPMM deployment and reduce the available attack surface. This includes enforcing strict role-based access controls within the admin console, ensuring that remote administrative access is gated through multifactor authentication, and disabling any EPMM modules that are not actively used. Implementing a web application firewall with virtual patching capabilities can also provide real-time defense against exploit attempts that match known injection patterns.

Furthermore, integration points such as LDAP or Active Directory should be reviewed for privilege escalation risks, and any access tokens or authentication secrets used in the environment should be rotated as a precautionary measure. These changes, while operationally intensive, can significantly raise the bar for attackers seeking lateral movement within mobile infrastructure.

Step 5: Review Third-Party Libraries and Internal Use of Hibernate-Validator

The Ivanti incident also underscores the importance of managing open-source software dependencies properly. Development teams should perform code audits of any application using hibernate-validator or similar libraries, particularly those invoking dynamic template processing or user-generated expressions. If unsafe methods are detected, they should be sandboxed, deprecated, or replaced with safer alternatives. Updating to the latest stable release of hibernate-validator and tracking security advisories related to it will help reduce exposure in other parts of the organization’s application stack.

Establishing and maintaining a software bill of materials (SBOM) can facilitate this process by mapping all third-party components in use. Regular scans for vulnerable libraries, combined with automated alerts, allow for faster patching and proactive remediation across environments.

Step 6: Establish Ongoing Governance for Mobile Endpoint Security

Securing Ivanti EPMM should not be treated as a one-time response. Organizations must embed mobile device management within their broader cybersecurity governance framework. This includes implementing scheduled vulnerability scanning, maintaining an up-to-date SBOM, mandating regular security assessments of all mobile infrastructure, and integrating endpoint management platforms into security information and event management (SIEM) systems for centralized monitoring.

Security leaders should also review their incident response plans to ensure that MDM platforms are explicitly included. Given their centrality in modern hybrid work environments, MDM systems like EPMM are increasingly attractive targets for sophisticated threat actors. Establishing clear roles, procedures, and escalation paths for mobile-related incidents is a key component of organizational resilience.

Securing Ivanti Endpoint Manager Mobile in the wake of CVE-2025-4427 and CVE-2025-4428 requires more than patch application. It involves a systematic approach to remediation, exposure reduction, detection readiness, and long-term governance. By acting decisively across these fronts, CISOs and enterprise security teams can reduce immediate risk while laying the foundation for more resilient mobile infrastructure in the future.