
Ivanti Endpoint Manager Mobile (EPMM) zero-day authentication bypass and RCE flaws (multiple vulnerabilities)

Category: Vulnerability
Happening score: 52
2 unique sources, 2 articles

Summary


CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM) were chained as zero-days, combining authentication bypass and code injection to enable arbitrary code execution on affected systems. Ivanti patched the flaws on May 13, 2025, but attacks had already targeted a very limited number of customers and later activity was observed around May 15. CISA subsequently published a technical analysis of the malware used in these attacks, including loaders and listeners delivered to the /mifs/rs/api/v2/ endpoint via HTTP GET requests and Base64-encoded chunks. The activity enabled reconnaissance, LDAP credential theft, persistence, and follow-on code execution on vulnerable EPMM servers.

Related Happenings

CISA emergency patch deadline for Ivanti EPMM

Public Sector Action
First: 08.05.2026 15:16 · Last: 08.05.2026 15:16 · Sources: 1

About this happening: CISA ordered **U.S. federal agencies** to patch **Ivanti EPMM** by **midnight Sunday, May 10** after adding **CVE-2026-6973** to its list of vulnerabilities exploited in attacks....

CISA KEV order for Copy Fail on federal Linux devices

Public Sector Action
First: 08.05.2026 10:45 · Last: 08.05.2026 10:45 · Sources: 1

About this happening: **CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies**...

CISA KEV listing and FCEB patch order for Ivanti EPMM

Public Sector Action
First: 08.04.2026 21:15 · Last: 08.04.2026 21:15 · Sources: 1

About this happening: **CISA** added **CVE-2026-1340** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Ivanti Endpoint Manager Mobile (EPMM)** by **Saturday midnight, April 11**, forcin...

F5 BIG-IP APM active exploitation wave (CVE-2025-53521)

Exploitation Wave
First: 02.04.2026 11:25 · Last: 02.04.2026 11:25 · Sources: 1

About this happening: As of **2026-04-02**, ongoing attacks are exploiting **CVE-2025-53521** against **F5 BIG-IP APM** systems, leaving more than **14,000** exposed online and at risk of remote code e...

BRICKSTORM backdoor activity and GRIMBOLT replacement on appliances

Malware Activity
First: 18.02.2026 12:32 · Last: 18.02.2026 12:32 · Sources: 1

About this happening: **BRICKSTORM** is a **Golang backdoor** used by **PRC state-sponsored actors** to keep **long-term persistence** on **VMware vSphere**, **Windows**, and appliance environments. ...

Timeline

  1. 19.09.2025 07:10 · 1 article · 8mo ago

    Chained exploitation of Ivanti EPMM flaws

    Exploitation Observed

    Threat actors chained CVE-2025-4427 and CVE-2025-4428 against an affected organization's Ivanti Endpoint Manager Mobile (EPMM) server around May 15, 2025, after a proof-of-concept exploit appeared, gaining access that enabled command execution, system information collection, network mapping, heapdump creation, and LDAP credential dumping.

  2. 19.09.2025 07:10 · 3 articles · 8mo ago

    CISA discloses EPMM malware sets

    Initial Disclosure

    CISA released details of two malware sets found in an unnamed organization's network after Ivanti Endpoint Manager Mobile (EPMM) exploitation, describing loaders and malicious listeners such as web-install.jar, ReflectUtil.class, SecurityHandlerWanListener.class, and WebAndroidAppInstaller.class that enabled arbitrary code execution and persistence on the compromised server.
