PT-2025-20920 · Ivanti · Ivanti Endpoint Manager Mobile

Published 2025-05-13 · Updated 2026-01-06 · CVE-2025-4427

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Ivanti Endpoint Manager Mobile (EPMM) versions 12.5.0.0 and prior

Description

An authentication bypass exists in the API component of Ivanti Endpoint Manager Mobile. This allows attackers to access protected resources without proper credentials via the API. This issue is actively exploited, with reports of attackers using it to install malicious software, including Linux cryptominers, and to gain full control of servers. Chinese-linked threat actors (UNC5221) have been observed exploiting this flaw, targeting organizations in the healthcare, government, and finance sectors. The exploitation involves the use of modified variants of the flaw and the deployment of malware such as KrustyLoader and Sliver. The vulnerability enables unauthenticated remote code execution.

Recommendations

Apply the latest security updates for Ivanti Endpoint Manager Mobile versions 12.5.0.0 and prior.

Fix

RCE

Code Injection

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

BDU:2025-05712
CVE-2025-4427
GHSA-7V6M-28JR-RG84
RHSA-2025:10924
RHSA-2025:10925
RHSA-2025:10926

Affected Products

Ivanti Endpoint Manager Mobile