Ivanti on Tuesday introduced patches for 3 vulnerabilities in its merchandise, together with two Endpoint Supervisor Cell (EPMM) bugs which have been chained within the wild.
The exploited zero-day flaws, tracked as CVE-2025-4427 (CVSS rating of 5.3) and CVE-2025-4428 (CVSS rating of seven.2), are described as an authentication bypass subject and a distant code execution (RCE) defect impacting two open supply libraries built-in into EPMM. They allow a distant, unauthenticated attacker to execute arbitrary code.
The corporate says it’s working with the maintainers of the affected libraries to evaluate the influence on the open supply dependencies and whether or not extra CVEs needs to be assigned.
“We’re conscious of a really restricted variety of prospects whose answer has been exploited on the time of disclosure,” Ivanti notes in its advisory.
The danger of compromise, the corporate says, is considerably diminished if entry to the API is filtered utilizing ACLs performance within the portal or an exterior WAF.
Patches for the zero-days have been included in EPMM variations 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. All customers of Ivanti’s on-prem EPMM product are urged to promptly set up the patch.
“We have now made extra sources and assist groups out there to help prospects in implementing the patch and addressing any issues. Detailed data is offered in our Safety Advisory in order that prospects can defend their atmosphere,” Ivanti mentioned.
Moreover, the corporate launched fixes for 3 bugs in Neurons for ITSM, Cloud Safety Utility (CSA), and Ivanti Neurons for MDM (N-MDM). None of those seems to be exploited in assaults, the corporate says.Commercial. Scroll to proceed studying.
The repair for Neurons for ITSM (on-premise solely) resolves CVE-2025-22462 (CVSS rating of 9.8), a critical-severity authentication bypass flaw that would enable a distant attacker to acquire administrative privileges.
Ivanti additionally patched CVE-2025-22460, a high-severity default credentials subject in CSA that would enable an area attacker to raise their privileges, and a medium-severity improper authorization defect in N-MDM (with no CVE identifier assigned) that would enable distant, unauthenticated attackers to tamper with sources.
Associated: Vulnerabilities Patched by Ivanti, VMware, Zoom
Associated: Exploited Vulnerability Places 5,000 Ivanti VPN Home equipment at Danger
Associated: Chinese language APT Pounces on Misdiagnosed RCE in Ivanti VPN Home equipment
Associated: CISA Analyzes Malware Utilized in Ivanti Zero-Day Assaults
