A new wave of cyberattacks has struck organizations using Ivanti Endpoint Manager Mobile (EPMM), as threat actors rapidly exploit two recently disclosed vulnerabilities, CVE-2025-4427 and CVE-2025-4428. These incidents come at a time of heightened global concern about the security of network management software, with hackers seeking to breach high-value targets across multiple sectors. The attacks, attributed in part to the UNC5221 espionage group with links to China, highlight persistent risks for critical infrastructure operators and enterprise security providers. Security teams now face increased scrutiny over the effectiveness of patching and disclosure strategies in light of the recurring exploitation of Ivanti products. Recent discussions among cybersecurity professionals also reflect a broader debate about responsibility when vulnerabilities originate in third-party components.
Public records and previous analyses have repeatedly noted Ivanti’s exposure to vulnerabilities, with several high-profile exploits in the last three years. Past attack campaigns often focused on the company’s Connect Secure products, but recent activity intensifies concerns as attackers shift focus to EPMM. Notably, security advisories in early 2024 and recurring inclusion of Ivanti vulnerabilities in national cyber risk catalogs have cemented the company’s status as a frequent target. Earlier reports differ in technical detail but reinforce common trends—escalating exploit attempts after disclosures, significant targeting by well-resourced adversaries, and industry criticisms about patching timelines and root cause transparency.
What Do the CVE-2025-4427 and CVE-2025-4428 Flaws Enable?
The two vulnerabilities affect Ivanti EPMM software by allowing remote code execution without authentication. Security researchers determined attackers can exploit these issues with minimal complexity, making them appealing for both state-sponsored groups and criminal enterprises. Initial exploitation occurred before Ivanti published disclosures or patches, characteristic of zero-day vulnerabilities. According to threat monitoring group GreyNoise, exploit attempts have increased significantly, with over a dozen distinct malicious sources identified in a short span.
How Have Attackers Used These Vulnerabilities Against Key Sectors?
Multiple organizations, including telecommunication providers, health care firms, aerospace companies, and transportation authorities, have been compromised through these vulnerabilities. The cyber unit UNC5221 has been identified in at least twenty attack attempts targeting internet-exposed EPMM instances, marking a continuation of their interest in Ivanti’s platforms since 2023. “Victim organizations span critical sectors in Europe, North America and the Asia-Pacific region,” said Arda Büyükkaya, a threat intelligence analyst who has tracked exploitation since the flaws first appeared.
Why Is the Root Cause and Vendor Responsibility Under Debate?
Uncertainty surrounds the source of these vulnerabilities, with Ivanti attributing them to third-party open-source libraries integrated into its software. The company’s official statements emphasize ongoing collaboration with these library maintainers to assess further disclosure or CVE assignment. Yet, independent researchers contest this interpretation, arguing the flaws stem from Ivanti’s implementation rather than inherent defects in the libraries.
“They know that it’s not a zero-day in a library that they’re using, but it is down to their code using said library incorrectly, which has introduced this weakness,” explained Ben Harris, CEO at watchTowr, who expressed skepticism about Ivanti’s framing of the root cause. This divergence underscores challenges in attributing responsibility and securing complex software supply chains.
Recurring headlines about Ivanti’s vulnerabilities, especially on network edge devices like firewalls and VPNs, reflect risks facing enterprises dependent on third-party security vendors. Cybersecurity authorities documented at least thirty exploited Ivanti defects in recent years, highlighting repeated exploitation in ransomware campaigns and state-backed intrusions. While some observers point to the company’s prominence among high-value targets as a reason for frequent attacks, others point to persistent software quality and patch management issues. Ivanti’s approach, involving both acknowledgment and attribution to external components, illustrates the complexities faced by vendors whose products depend on the broader open-source ecosystem.
Understanding these recurring incidents equips organizations to better prioritize risk analysis when deploying products such as Ivanti EPMM. The combination of unauthenticated access and remote code execution magnifies the need for robust patching processes and timely threat intelligence. For enterprises, vendor communication and independent vulnerability research both play critical roles in managing software risk. Organizations should further scrutinize not only initial vulnerability disclosures but also the depth and clarity of vendor explanations, as misattribution can prolong remediation cycles and obscure defensive priorities. Ultimately, a combination of continuous monitoring, aggressive patching, and clear accountability across both vendor and open-source contributors will help manage exposure to similar threats in the future.