Ivanti

The vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM) were exploited by a Chinese cyber espionage group. The attackers achieved remote code execution on internet-exposed Ivanti EPMM deployments, set up a reverse shell, deployed malware, and extracted data including IMEI, phone numbers, location, LDAP users, and Office 365 tokens. The attack affected various entities globally, including government authorities, healthcare organizations, research institutes, legal firms, telcos, manufacturers, aerospace companies, healthcare providers, and more.

Source: https://www.helpnetsecurity.com/2025/05/23/chinese-cyber-spies-are-using-ivanti-epmm-flaws-to-breach-eu-us-organizations/

TPRM report: https://scoringcyber.rankiteo.com/company/ivanti

{
  "id": "iva357052325",
  "linkid": "ivanti",
  "type": "Vulnerability",
  "date": "5/2025",
  "severity": "100",
  "impact": "",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Public Sector',
                        'location': 'UK',
                        'name': 'Local government authority',
                        'type': 'Government'},
                       {'industry': 'Healthcare',
                        'location': 'UK',
                        'name': 'Healthcare organizations',
                        'type': 'Healthcare'},
                       {'industry': 'Research',
                        'location': 'Germany',
                        'name': 'Research institute',
                        'type': 'Research'},
                       {'industry': 'Legal',
                        'location': 'Germany',
                        'name': 'Legal firm',
                        'type': 'Legal'},
                       {'industry': 'Telecommunications',
                        'location': 'Germany',
                        'name': 'Telco',
                        'type': 'Telecommunications'},
                       {'industry': 'Manufacturing',
                        'location': 'Germany',
                        'name': 'Manufacturer',
                        'type': 'Manufacturing'},
                       {'industry': 'Aerospace',
                        'location': 'Ireland',
                        'name': 'Aerospace leasing company',
                        'type': 'Aerospace'},
                       {'industry': 'Healthcare',
                        'location': 'US',
                        'name': 'Healthcare provider',
                        'type': 'Healthcare'},
                       {'industry': 'Medical Devices',
                        'location': 'US',
                        'name': 'Medical device manufacturer',
                        'type': 'Manufacturing'},
                       {'industry': 'Firearms',
                        'location': 'US',
                        'name': 'Firearms manufacturer',
                        'type': 'Manufacturing'},
                       {'industry': 'Cybersecurity',
                        'location': 'US',
                        'name': 'Cybersecurity firm',
                        'type': 'Cybersecurity'},
                       {'industry': 'Banking',
                        'location': 'South Korea',
                        'name': 'Multinational bank',
                        'type': 'Banking'},
                       {'industry': 'Automotive',
                        'location': 'Japan',
                        'name': 'Automotive parts supplier',
                        'type': 'Manufacturing'}],
 'attack_vector': 'Exploitation of zero-day vulnerabilities',
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'type_of_data_compromised': ['IMEI',
                                              'phone numbers',
                                              'location',
                                              'LDAP users',
                                              'Office 365 refresh and access '
                                              'tokens']},
 'date_detected': '2025',
 'description': 'CVE-2025-4427 and CVE-2025-4428, two Ivanti Endpoint Manager '
                'Mobile (EPMM) vulnerabilities, have been exploited in the '
                'wild as zero-days and patched by Ivanti. These '
                'vulnerabilities were leveraged by a Chinese cyber espionage '
                'group targeting various entities globally. The attackers '
                'achieved remote code execution on internet-exposed Ivanti '
                'EPMM deployments, set up a reverse shell, deployed malware, '
                'and extracted data from the EPMM databases.',
 'impact': {'data_compromised': ['IMEI',
                                 'phone numbers',
                                 'location',
                                 'LDAP users',
                                 'Office 365 refresh and access tokens'],
            'systems_affected': ['Ivanti EPMM deployments',
                                 'Managed mobile devices']},
 'initial_access_broker': {'backdoors_established': ['Reverse shell',
                                                     'Sliver backdoor/implant'],
                           'entry_point': 'Internet-exposed Ivanti EPMM '
                                          'deployments'},
 'motivation': 'Espionage and Data Exfiltration',
 'post_incident_analysis': {'corrective_actions': 'Upgrade Ivanti EPMM '
                                                  'instances to fixed '
                                                  'versions: 11.12.0.5, '
                                                  '12.3.0.2, 12.4.0.2, or '
                                                  '12.5.0.1',
                            'root_causes': 'Exploitation of zero-day '
                                           'vulnerabilities in Ivanti EPMM'},
 'references': [{'source': 'EclecticIQ'},
                {'source': 'Wiz'},
                {'source': 'Help Net Security'}],
 'response': {'remediation_measures': 'Upgrade Ivanti EPMM instances to fixed '
                                      'versions: 11.12.0.5, 12.3.0.2, '
                                      '12.4.0.2, or 12.5.0.1'},
 'threat_actor': 'UNC5221',
 'title': 'Exploitation of Ivanti EPMM Zero-Day Vulnerabilities by Chinese '
          'Cyber Espionage Group',
 'type': 'Cyber Espionage',
 'vulnerability_exploited': ['CVE-2025-4427', 'CVE-2025-4428']}