Questions mount as Ivanti tackles another round of zero-days

The besieged security vendor maintains the latest exploited vulnerabilities in its products are entirely linked to unspecified security issues in open-source libraries. Some researchers aren’t buying it.
A logo sign outside of the headquarters of Ivanti in South Jordan, Utah. (Kristoffer Tripplaar / Alamy Stock Photo)

Multiple attackers are raiding Ivanti customers’ systems again by exploiting a pair of closely intertwined vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to achieve unauthenticated remote code execution.

The software defects — CVE-2025-4427 and CVE-2025-4428 — were exploited as zero-days before Ivanti disclosed and patched the flaws. “We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti said in a May 13 security advisory.

Attacks have proliferated since then, following a typical pattern where nation-state threat groups hit exploits hard and fast, leaving windows open for cybercriminals to follow soon after in their wake.

Security researchers at EclecticIQ attributed almost 20 attacks targeting internet-facing Ivanti EPMM deployments to UNC5221, a China-linked espionage group that has repeatedly attacked Ivanti customers since 2023. The threat group’s latest attack spree marks the fourth time it has exploited zero-days in Ivanti products in less than three years.

Victims span critical sectors in Europe, North America and the Asia-Pacific region, including a “cybersecurity firm specializing in mobile threat defense and enterprise defense security,” Arda Büyükkaya, threat intelligence analyst at EclecticIQ, said in a blog post published May 21.

UNC5221 also stole data from the “largest German telecommunications provider,” U.K.-based health care organizations, an Ireland-based aerospace leasing company, a national health care and pharmaceutical provider in North America, a U.S.-based firearms manufacturer, and a transportation organization that manages airport systems in Houston, according to EclecticIQ.

GreyNoise, which first warned about a nine-fold surge in scanning activity targeting other Ivanti products on April 23, has observed a steady increase in unique IPs attempting to exploit the pair of vulnerabilities in Ivanti EPMM during the past week. GreyNoise has observed 16 unique malicious IPs since it started scanning for exploit attempts May 16, including 10 since Tuesday.

Ivanti customers consistently targeted

Ivanti’s security products and services are used by many high-value targets, including government agencies and critical infrastructure providers. The company’s far-reaching footprint puts the vendor’s customers in the cross-hairs of cybercriminals and nation-state attackers.

Network edge devices — firewalls, VPNs and routers — are a frequent and recurring target for attackers, but the challenges Ivanti and its customers have faced since 2024 are more pronounced, and recur more often, than those of any other vendor in that sector.

Data confirms that Ivanti is a repeat offender, shipping software with a high number of vulnerabilities across at least 10 different product lines since 2021.

The Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog contains 30 Ivanti defects in the past four years, with eight of those known to be used in ransomware campaigns. Attackers have exploited seven vulnerabilities in Ivanti products so far this year, according to cyber authorities.

Despite Ivanti’s security travails, the company has engendered broad understanding from analysts, incident response specialists and researchers who defend or empathize with Ivanti’s recurring status as a security vendor under attack.

“It’s definitely true that there has been a pattern of Ivanti products being targeted, but I’m not sure that that’s necessarily a reflection of their security posture, as it is that they’re just getting absolutely hammered by individuals that are trying to break into these incredibly desired organizations,” Ryan Emmons, staff security researcher at Rapid7, told CyberScoop.

Root cause of latest CVEs questioned

Ivanti took a different tack in assigning blame for the root cause of CVE-2025-4427 and CVE-2025-4428, asserting that the vulnerabilities are associated with two unnamed open-source libraries integrated into Ivanti EPMM.

“Ivanti has released a fix for vulnerabilities associated with open-source libraries used in our on-premise Endpoint Manager Mobile products,” a spokesperson for Ivanti told CyberScoop in a prepared statement.

“We are actively working with our security partners and the maintainers of the libraries to determine if a CVE against the libraries is warranted,” the spokesperson added. “We remain committed to collaboration and transparency with our stakeholders and the broader security ecosystem.”

Yet, by applying its own CVEs to the vulnerabilities and patching the flaws internally, Ivanti is at least claiming some level of responsibility for its role and ownership of the defects under active exploitation in the wild, threat researchers said.

When vulnerabilities are discovered in open-source libraries, CVEs are typically assigned to the vulnerability in the library itself, Emmons said.

Oftentimes, there’s some ambiguity around whether the vulnerability ultimately lies with a vendor’s software, a third-party library, or the vendor’s implementation of open-source software. Ivanti maintains the vulnerabilities are entirely linked to unspecified security issues in open-source libraries.

“Ivanti is engaged in ongoing discussions with the maintainers regarding CVEs against these libraries,” the company spokesperson said.

Ben Harris, CEO at watchTowr, said he and his colleagues were confused and surprised by how Ivanti framed the vulnerabilities, calling the company’s explanation “borderline disingenuous.”

Researchers at watchTowr reproduced CVE-2025-4427 and CVE-2025-4428 and took issue both with how Ivanti classified the vulnerabilities and with how it described the root cause.

“The root cause of the vulnerability is misuse of a software library,” Harris said. “They know that it’s not a zero-day in a library that they’re using, but it is down to their code using said library incorrectly, which has introduced this weakness.”

The steps required to exploit the pair of vulnerabilities are also relatively easy and not a complicated chain, researchers said.

“These were framed as a two-bug chain, when in reality it’s very much a single request, point and shoot,” Emmons said. “There’s not that much of a multi-stage to it. It’s more so about the root cause.”

The vulnerability that Ivanti describes as an authentication bypass defect, CVE-2025-4427, allows attackers to access a web API endpoint without authentication because access controls aren’t enforced for that API endpoint in Ivanti’s code, researchers told CyberScoop.

“Based on what we saw in the code, there’s no bypass. It just isn’t there,” Harris said, adding that CVE-2025-4427 would more properly be described as an incorrect order of operations vulnerability.

Rapid7 and watchTowr determined that access obtained via CVE-2025-4427 with a single request to the web server allows attackers to initiate unauthenticated remote code execution via CVE-2025-4428 with no additional steps.
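The "incorrect order of operations" pattern the researchers describe, as an added illustration that is not Ivanti's code and does not model the unnamed libraries: a handler that feeds request input to an interpreting library before the access check runs exposes that library to anonymous callers, while the hardened ordering checks access first and passes user input only as data. The `render_message` library, the token store and the request shape are constructed stand-ins.

```python
# Added illustration: why the order of an access check matters when a
# third-party library interprets the text it is given. All names constructed.
from dataclasses import dataclass, field

@dataclass
class Request:
    headers: dict
    params: dict

@dataclass
class Response:
    status: int
    body: str
    trace: list = field(default_factory=list)  # which steps ran, in order

VALID_TOKENS = {"secret-admin-token"}  # constructed stand-in for a session store

def render_message(template: str) -> str:
    """Stand-in for a library that *interprets* its argument by expanding
    ${...} placeholders. Whatever reaches it is treated as template code."""
    return template.replace("${user}", "alice")

def is_authenticated(req: Request) -> bool:
    return req.headers.get("Authorization") in VALID_TOKENS

def vulnerable_handler(req: Request) -> Response:
    trace = []
    # Defect: the request parameter is formatted by the library BEFORE the
    # access check, so an anonymous caller's text is interpreted anyway.
    trace.append("library:interpret(user-input)")
    msg = render_message(req.params.get("name", ""))
    if not is_authenticated(req):
        trace.append("auth:reject")
        return Response(401, msg, trace)
    trace.append("auth:ok")
    return Response(200, msg, trace)

def hardened_handler(req: Request) -> Response:
    trace = []
    # Fix 1: the access check gates the endpoint; nothing else runs first.
    if not is_authenticated(req):
        trace.append("auth:reject")
        return Response(401, "unauthorized", trace)
    trace.append("auth:ok")
    # Fix 2: only a constant template reaches the library; the caller's
    # input is appended as plain data and is never interpreted.
    trace.append("library:interpret(constant-template)")
    name = req.params.get("name", "")
    return Response(200, render_message("Hello ${user}") + " (" + name + ")", trace)
```

The `trace` list is what a defender would compare in a code review or a test: in the vulnerable ordering the library step precedes `auth:reject`, in the hardened ordering an anonymous request produces nothing but the rejection.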

“We’re looking at different versions of reality,” Harris said. “It’s hard to look at it as anything else than self-inflicted damage.”