Overview
Ivanti disclosed two high-risk vulnerabilities in its Endpoint Manager Mobile (EPMM) platform: CVE-2025-4427 and CVE-2025-4428. When combined, these flaws allow unauthenticated attackers to execute remote code. The vulnerabilities, reported by CERT-EU, affect multiple on-premises versions of EPMM. Soon after the disclosure, researchers confirmed that a China-linked espionage group known as UNC5221 had been actively exploiting the flaws in targeted attacks. The campaign began around May 15 and has impacted organizations across North America, Europe, and the Asia-Pacific region, including sectors such as government, healthcare, and telecommunications.
The attack chain starts with an authentication bypass that grants unauthorized access to Ivanti’s mobile device management interface. Attackers then exploit the second vulnerability to run arbitrary code and take control of the system. Ivanti has released patches, but systems that have not been updated remain vulnerable. Security researchers have observed the use of advanced tools such as Sliver, a post-exploitation framework often associated with nation-state actors. These tools enable persistent access, lateral movement, and data theft, highlighting the sophistication of the campaign.
Why it matters:
This incident underscores the growing threat posed by state-sponsored actors targeting enterprise infrastructure. While Ivanti confirmed exploitation in on-premises environments, researchers at Wiz also observed active attacks in self-managed cloud deployments, suggesting a broader campaign. Compromising a mobile device management platform is especially dangerous because it could allow attackers to push malicious apps or settings to thousands of employee devices. Although neither vulnerability is rated critical on its own, their combined effect is severe and should be treated with urgency. Applying patches, segmenting networks, and monitoring for suspicious activity are essential steps to reduce risk and protect sensitive data.