PT-2025-20920 · Ivanti · Ivanti Endpoint Manager Mobile
Published: 2025-05-13 · Updated: 2026-01-06 · CVE-2025-4427
CVSS v3.1: 7.5 High (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Name of the Vulnerable Software and Affected Versions
Ivanti Endpoint Manager Mobile (EPMM) versions 12.5.0.0 and prior
Description
An authentication bypass exists in the API component of Ivanti Endpoint Manager Mobile. This allows attackers to access protected resources without proper credentials via the API. This issue is actively exploited, with reports of attackers using it to install malicious software, including Linux cryptominers, and to gain full control of servers. Chinese-linked threat actors (UNC5221) have been observed exploiting this flaw, targeting organizations in the healthcare, government, and finance sectors. The exploitation involves the use of modified variants of the flaw and the deployment of malware such as KrustyLoader and Sliver. The vulnerability enables unauthenticated remote code execution.
Recommendations
Apply the latest security updates for Ivanti Endpoint Manager Mobile versions 12.5.0.0 and prior.
Fix
RCE
Code Injection
Authentication Bypass Using an Alternate Path or Channel
Related Identifiers
Affected Products
Ivanti Endpoint Manager Mobile