Ivanti EPMM exploited via CVE-2025-4427 and CVE-2025-4428: Remote code execution risk for enterprises
Ivanti EPMM users hit by chained exploits CVE-2025-4427 and CVE-2025-4428. Experts urge urgent patching amid misuse claims. Read the full breakdown.
What Happened in the Ivanti EPMM Exploit Chain Disclosure?
A new cybersecurity incident involving Ivanti’s Endpoint Manager Mobile (EPMM) platform has emerged, as threat actors exploited a pair of chained vulnerabilities—CVE-2025-4427 and CVE-2025-4428—to target enterprise mobile infrastructure. Ivanti confirmed that a limited number of customer environments have already been breached. The vulnerabilities, when combined, enable unauthenticated remote code execution, prompting immediate concern across the enterprise cybersecurity landscape.
The disclosure originated from CERT-EU, the cybersecurity body protecting EU institutions, and was validated through testing by security research firm Rapid7. Ivanti has acknowledged the vulnerabilities and has released patches to mitigate the risk. However, questions remain over the root cause of the issue and whether Ivanti’s integration of open-source libraries was handled appropriately.
How Do CVE-2025-4427 and CVE-2025-4428 Work Together?
The exploit chain begins with CVE-2025-4427, an authentication bypass flaw in Ivanti’s EPMM product that allows attackers to access protected resources without valid credentials. With a CVSS score of 5.3, it is categorised as medium severity. However, its impact is significantly magnified when combined with CVE-2025-4428, a high-severity vulnerability (CVSS 7.2) that allows for remote code execution on a target system.
According to researchers at Rapid7, chaining these vulnerabilities provides a path for attackers to reach web API endpoints and inject malicious server-side template patterns. This vector can lead to complete system compromise without authentication. Rapid7 has confirmed successful proof-of-concept exploitation but noted that confirmed intrusions remain limited so far. Researcher Ryan Emmons stated that while the attack path is technically viable, widespread exploitation in customer environments had not been documented at the time of disclosure.
Which Versions of Ivanti EPMM Are Affected?
Ivanti has issued patched versions of its EPMM platform to close the identified security gaps. The company urged all customers to upgrade to one of the following fixed releases: 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1. Older, unsupported versions remain vulnerable unless patched manually or upgraded. The company also stated that it is continuing to collaborate with security researchers, ecosystem partners, and the maintainers of third-party components integrated into its platform.
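As an added example (not code from the article or from Ivanti), the script below compares an inventory of EPMM version strings against the four fixed releases named above and flags hosts that still need action. The hostnames are constructed, and the rule that any later build on a fixed release line carries the fix is an assumption to be confirmed against Ivanti's own guidance.

```python
import re

# Fixed EPMM releases named in the advisory, one per release line (major.minor).
FIXED_RELEASES = ("11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1")


def parse_version(text):
    """Turn '12.4.0.1' into (12, 4, 0, 1); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def fixed_release_for(version):
    """Return the fixed release on the same major.minor line, or None if none is listed."""
    line = parse_version(version)[:2]
    for fixed in FIXED_RELEASES:
        if parse_version(fixed)[:2] == line:
            return fixed
    return None


def assess(version):
    """Classify one EPMM version string.

    'patched'       -> at or above the fixed release on its line (assumption: later
                       builds on that line keep the fix)
    'vulnerable'    -> below the fixed release on its line
    'unlisted-line' -> no fixed release listed for this major.minor; the advisory says
                       older, unsupported lines stay vulnerable until upgraded
    """
    fixed = fixed_release_for(version)
    if fixed is None:
        return "unlisted-line"
    # Tuple comparison handles shorter strings: (12, 4, 0) < (12, 4, 0, 2).
    return "patched" if parse_version(version) >= parse_version(fixed) else "vulnerable"


def triage(inventory):
    """inventory: iterable of (hostname, version). Return hosts that still need action."""
    return sorted(host for host, ver in inventory if assess(ver) != "patched")


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("mdm-a", "12.5.0.1"), ("mdm-b", "12.3.0.1"), ("mdm-c", "11.10.0.2")]
    for host, ver in sample:
        print(f"{host:8} {ver:10} {assess(ver)}")
    print("needs action:", triage(sample))
```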
One of the main concerns is the use of open-source libraries, particularly the hibernate-validator library, within Ivanti’s EPMM stack. Ivanti has suggested that the vulnerabilities stem from flaws in these third-party components, indicating that further CVEs might be necessary. However, this attribution has been challenged by external researchers.
Why Are Researchers Questioning Ivanti’s Attribution to Open-Source Libraries?
The assertion that the vulnerabilities originated in open-source components has drawn sharp criticism from researchers at watchTowr. The team argued that the fault lies not in the third-party hibernate-validator library itself, but in the way Ivanti implemented it. Specifically, they claim Ivanti misused a known dangerous function within the library, ignoring secure programming practices and failing to validate user input properly.
This raises a larger issue within enterprise software development: the frequent use of open-source components without a full understanding of their security implications. The debate also highlights a growing challenge in software supply chain security. When vendors integrate third-party libraries without sufficient hardening or sandboxing, the resulting flaws often get misattributed, creating confusion around responsibility and delayed remediation.
How Widespread Is the Exposure?
As of Sunday, the Shadowserver Foundation observed 798 internet-facing Ivanti EPMM instances still vulnerable to CVE-2025-4427, down from 940 detected three days earlier. While the trend suggests that some organizations have acted swiftly to deploy the patch, hundreds remain unprotected and potentially exposed to exploitation.
This situation underlines the urgency of vulnerability management in enterprise IT environments, especially for software that manages endpoint and mobile infrastructure. Given the sensitive nature of mobile device management platforms and their access to authentication credentials, certificates, and provisioning data, the potential damage from a successful exploit can be substantial.
What Are the Broader Implications for Supply Chain Security?
The Ivanti incident is the latest in a growing list of security events tied to third-party code integration. As enterprise software increasingly depends on open-source libraries to accelerate development cycles, the attack surface has expanded significantly. Misconfigurations, improper use of library functions, and lack of ongoing dependency audits can all lead to critical vulnerabilities that attackers are eager to exploit.
Ivanti’s statement that it is still working with open-source library maintainers to evaluate whether more CVEs should be assigned may point to the complexity of tracking software lineage. It also suggests that deeper architectural audits are necessary across the board—both within Ivanti’s ecosystem and among other software vendors relying on similar modules.
What Are Security Experts Recommending?
Industry experts have recommended that Ivanti customers apply patches immediately, review internal logs for unusual API activity, and perform security audits of mobile infrastructure environments. Additionally, organizations are advised to review their broader usage of the hibernate-validator library and related server-side components to ensure no further misuse exists in custom-developed applications or other vendor platforms.
More broadly, the episode has renewed calls for better software bill of materials (SBOM) tracking, clearer vendor accountability when integrating open-source tools, and heightened investment in secure development lifecycle practices. Enterprises are increasingly being urged to adopt zero-trust security models, enforce strict access controls for administration consoles, and regularly audit software configurations.
What Comes Next for Ivanti and Affected Customers?
While Ivanti has been proactive in releasing patched versions and initiating coordinated vulnerability disclosure, the reputational impact may linger, especially given the disagreement over the root cause. Questions remain about the thoroughness of Ivanti’s software validation process and whether further vulnerabilities may yet be discovered in other parts of its codebase.
The fact that the first report came from CERT-EU also suggests high-level institutional concern, especially for organizations operating in the public sector or with sensitive infrastructure. Going forward, continued monitoring for exploitation attempts and deeper code audits are expected, both by Ivanti and by its enterprise customers.
The debate over attribution—whether the vulnerability lies in open-source components or in Ivanti’s usage—may eventually influence how CVEs are reported and how liability is assigned. In a regulatory environment increasingly focused on software transparency, such distinctions could have far-reaching legal and compliance consequences.
Ivanti’s EPMM vulnerability chain is a sobering reminder that even medium-severity bugs, when chained effectively, can create high-impact attack paths. As organizations scramble to patch and validate their systems, the industry must also reflect on its reliance on open-source software and the responsibilities that come with integration. Whether this event marks the beginning of broader scrutiny into MDM platforms remains to be seen, but it is already serving as a cautionary case for enterprises navigating the complex terrain of modern software supply chains.