Ivanti vulnerabilities being actively chained in the wild
Wiz researchers report that two recently patched Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities—CVE-2025-4427 and CVE-2025-4428—are being actively chained in the wild to achieve unauthenticated remote code execution (RCE). The first flaw is an authentication bypass stemming from misconfigured Spring framework routing, while the second involves unsafe handling of Java Expression Language in error messages, allowing arbitrary code execution. Although each vulnerability is individually rated medium severity, their combination creates a critical exploitation path. Attackers are deploying Sliver beacons to known malicious infrastructure also used against Palo Alto PAN-OS products, suggesting targeted, opportunistic exploitation across vulnerable platforms. Ivanti issued patches on May 13, but organizations not filtering access to the affected APIs remain at elevated risk.
Wade Ellery, Field CTO at Radiant Logic, had this to say:
“This is a textbook example of how low-to-moderate vulnerabilities can escalate into high-impact breaches when chained together. It’s also a reminder that the complexity and interdependencies throughout today’s IT infrastructure create almost continuous opportunities for attack. Given these vulnerabilities it is even more critical that the last line of defense to a breach, the identity-first security layer, be as fortified as possible. Identity observability provides a 360-degree view and active management of identity data attack vectors when proactively deployed and maintained. As attackers continue to innovate, but without the ability to compromise account access their impact is severely blunted.”
This underscores the need to “patch all the things” the moment patches become available, as threat actors will simply do what’s illustrated here, which isn’t good if you haven’t patched all your gear.
This entry was posted on May 21, 2025 at 1:49 pm and is filed under Commentary with tags Ivanti.