Two newly identified Ivanti Endpoint Manager Mobile (EPMM) security flaws are under active exploitation by a sophisticated hacking group believed to be operating from China. The vulnerabilities, when used together, enable attackers to bypass authentication and remotely execute malicious code, potentially giving them full control of targeted systems.
The Vulnerabilities Explained
Security experts have flagged two critical issues in Ivanti’s EPMM platform:
- CVE-2025-4427 allows attackers to sidestep authentication measures, gaining access to protected resources without valid credentials.
- CVE-2025-4428 enables remote code execution, letting malicious actors run commands on compromised systems.
While each flaw is serious on its own, when combined, they create a direct path for unauthenticated users to fully compromise enterprise systems. These vulnerabilities affect versions up to 12.5.0.0 of EPMM.
Who’s Behind the Attacks?
Cybersecurity investigators have linked the exploitation to UNC5221, a well-organized threat actor with ties to China. The group is targeting a wide range of sectors, including:
- Public sector organizations
- Healthcare institutions
- Aviation and telecom companies
- Financial firms
- Municipal governments
UNC5221 has shown deep technical understanding of the EPMM system, repurposing built-in components to move within networks undetected and extract sensitive data.
Vendor and Government Response
In response, Ivanti has issued urgent patches and is urging all users to update their software immediately to block the vulnerabilities. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) has added both CVEs to its Known Exploited Vulnerabilities catalog, signaling that these bugs are being used in real-world attacks.
The inclusion in CISA’s list means that U.S. federal agencies, and companies in highly regulated industries, are expected to act fast to neutralize the threat.
Why This Matters
Ivanti’s EPMM solution is widely used by enterprises to secure mobile devices and ensure safe remote access. A successful breach through this platform could allow attackers to:
- Access sensitive business or customer data
- Disrupt mobile device operations
- Deploy ransomware or spyware
- Spread further across corporate networks
The fact that these attacks are already underway makes this more than just a theoretical risk—it’s a live threat with global implications.
What Organizations Should Do Now
To reduce the risk of being compromised, organizations should take these steps immediately:
Update Your Ivanti EPMM
Apply the latest patches released by Ivanti without delay.
Review Security Logs
Check for signs of unusual behavior, such as failed login attempts or strange outbound connections.
Limit Admin Access
Make sure only essential personnel have admin-level privileges, especially for mobile device management tools.
Monitor for New Indicators of Compromise (IOCs)
Stay connected to threat intelligence feeds to spot emerging signs of attack.
Evaluate Exposure
If your EPMM system is exposed to the public internet, take steps to isolate or shield it behind a VPN or firewall.
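The update and exposure steps above can be turned into a simple remediation-ordering check. The following Python script is an added example, not code from the article or from Ivanti; it takes only one fact from the article (builds up to and including 12.5.0.0 are affected) and runs it over a constructed inventory whose hostnames and versions are fictional.

```python
"""Rank EPMM hosts for patching: unpatched and internet-exposed first.

Added example, not Ivanti's code. The only version fact taken from the
article is that EPMM builds up to and including 12.5.0.0 are affected.
Caveat: the article gives only that upper bound; if the vendor advisory
lists branch-specific fixed builds below it, use those as authoritative.
"""
from dataclasses import dataclass

AFFECTED_UP_TO = (12, 5, 0, 0)  # inclusive upper bound stated in the article


@dataclass
class EpmmHost:
    name: str
    version: str
    internet_exposed: bool


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '12.4.0.2' into (12, 4, 0, 2), padding short strings to four parts."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_in_affected_range(version: str) -> bool:
    """True when the build falls inside the article's affected range."""
    return parse_version(version) <= AFFECTED_UP_TO


def triage(host: EpmmHost) -> str:
    """'critical' = affected and reachable from the internet, 'high' = affected
    but internal, 'ok' = outside the affected range."""
    if not is_in_affected_range(host.version):
        return "ok"
    return "critical" if host.internet_exposed else "high"


def prioritized(hosts: list[EpmmHost]) -> list[EpmmHost]:
    """Return hosts in the order they should be patched or isolated."""
    order = {"critical": 0, "high": 1, "ok": 2}
    return sorted(hosts, key=lambda h: (order[triage(h)], h.name))


# Constructed sample inventory: fictional hostnames and versions.
SAMPLE_INVENTORY = [
    EpmmHost("mdm-core-03", "12.5.0.1", internet_exposed=True),
    EpmmHost("mdm-lab-02", "12.3.0.1", internet_exposed=False),
    EpmmHost("mdm-dmz-01", "12.5.0.0", internet_exposed=True),
]

if __name__ == "__main__":
    for h in prioritized(SAMPLE_INVENTORY):
        print(f"{triage(h):8} {h.name:12} {h.version}")
```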
Final Thoughts
This active exploitation of Ivanti EPMM security flaws highlights just how valuable IT management tools have become to threat actors, especially those backed by nation-states. Tools that manage mobile access are often overlooked from a security perspective, but this incident shows just how damaging a breach can be.
Organizations that rely on Ivanti’s mobile management platform must treat this as a critical risk. Delaying action could leave networks wide open to highly skilled adversaries already leveraging these vulnerabilities for targeted, data-driven attacks.