Warning: Actively Exploited Zero-day Vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), Patch Immediately!

Published: 13/05/2025
  • Last update: 13/05/2025
  • Affected software:
    → Ivanti Endpoint Manager Mobile (Ivanti EPMM) version 12.5.0.0 and prior
  • Type:
    → CWE-288: Authentication Bypass Using an Alternate Path or Channel
    → CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CVE/CVSS:
    → CVE-2025-4427: CVSS 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
    → CVE-2025-4428: CVSS 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Sources

https://www.ivanti.com/blog/epmm-security-update

Risks

Ivanti has released updates for Endpoint Manager Mobile (EPMM) to address two actively exploited zero-day vulnerabilities, one of medium and one of high severity. When the two are chained, successful exploitation leads to unauthenticated remote code execution.

Ivanti Endpoint Manager Mobile (Ivanti EPMM), formerly MobileIron Core, is a mobile device management (MDM) solution that helps organizations manage and secure their mobile devices, applications, and content. It enables IT administrators to manage the lifecycle of mobile devices and ensures secure access to corporate data and applications.

Ivanti has acknowledged active exploitation affecting a limited set of customers. Immediate patching is essential to mitigate the risk of exploitation.

Description

CVE-2025-4428 (7.2 High)

A remote code execution vulnerability in Ivanti Endpoint Manager Mobile is due to improper control of the generation of code ('Code Injection'), which allows attackers to execute arbitrary code on the target system.

CVE-2025-4427 (5.3 Medium)

An authentication bypass in Ivanti Endpoint Manager Mobile allows attackers to access protected resources without proper credentials.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Mitigation/Workaround

If immediate patching is not possible, Ivanti says customers can mitigate the threat by following best practice guidance to filter access to the API using either the built-in Portal ACLs functionality or an external WAF. You can find additional information on using the Portal ACLs functionality in Ivanti's documentation, which is listed in the references below.

  • When reviewing or implementing additional API restrictions, please ensure you are using the "API Connection" type.
  • Ivanti does NOT recommend using the "ACLs" functionality, as it blocks all access by network ranges, not just access to specific functionality.
  • While this is an effective mitigation, it could impact the functionality of your solution depending on your specific configurations.

An RPM file can also be provided if customers need an alternative option.

Monitor/Detect

The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

https://help.ivanti.com/mi/help/en_us/core/12.x/sys/CoreSystemManager/Access_Control_Lists__Po.htm