Ivanti: Hidden Threat Beyond Paper Risks

Attackers have been exploiting two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2025-4427 and CVE-2025-4428, and the attacks now affect both on-premise installations and instances that customers run in their own cloud environments. Wiz reports that the vulnerabilities have been actively exploited since May 16.

CVE-2025-4427 is an authentication bypass and CVE-2025-4428 is a remote code execution flaw. Chained together, they let an unauthenticated attacker execute arbitrary code on a vulnerable EPMM appliance and take full control of it. EPMM is the mobile device management product that administers corporate devices and applications and brokers secure access to internal resources, so a compromised instance sits in a position of trust toward the rest of the fleet.

According to Wiz, attackers have already used the pair to install the Sliver command-and-control framework in victims' cloud environments. Sliver is an open-source red-team framework that many threat actors, including state-sponsored and espionage groups, use to establish persistent access on compromised systems, move further into the network, steal sensitive data and deploy additional implants.

Ivanti patched both vulnerabilities last week. The company said exploitation had been limited to a small number of on-premise installations and that its own cloud products are not affected; this is consistent with Wiz's findings, since the cloud cases Wiz describes are EPMM instances that customers operate in their own cloud environments. Ivanti attributed the flaws to open-source components bundled with the product, namely Java Expression Language (EL) evaluation and the Spring framework, which together form the technical basis of the exploit chain.

CVE-2025-4428 is an injection flaw: user-supplied input is reflected into an error message that is built through Spring's AbstractMessageSource, and because that message template is interpolated before it is returned, any EL expression of the form ${...} embedded in the input is evaluated on the server. CVE-2025-4427 stems from missing authentication rules on specific routes, so an unauthenticated client can reach the vulnerable component; chained with CVE-2025-4428, this yields unauthenticated remote code execution.
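The shape of the CVE-2025-4428 bug, shown as an added example that is not Ivanti's or Spring's code: Python's str.format stands in for Java EL interpolation, since both evaluate expressions embedded in a template string. The Settings class, the SECRET value and the allowed-format list are constructed for the demo.

```python
"""Template injection in an error message: vulnerable and fixed forms.

Added example; not Ivanti's or Spring's code. Python's str.format stands in for
Java EL interpolation (both evaluate expressions embedded in a template), so the
shape of the bug, not the exact API, is what matters: the untrusted value is
concatenated INTO the template instead of being supplied as a template argument.
"""


class Settings:
    """Constructed stand-in for objects an interpolation context exposes."""
    SECRET = "hunter2"          # constructed value; nothing real


SETTINGS = Settings()
ALLOWED_FORMATS = ("json", "xml")


def validate_format_vulnerable(fmt: str) -> str:
    """Validate a ?format= value and build the error message the wrong way."""
    if fmt in ALLOWED_FORMATS:
        return "ok"
    # BUG: the rejected input becomes part of the template, so the
    # interpolator evaluates any {expression} the attacker placed in it.
    template = "Invalid format value: " + fmt
    return template.format(settings=SETTINGS)


def validate_format_fixed(fmt: str) -> str:
    """Same check; the template is constant and the input is only a parameter."""
    if fmt in ALLOWED_FORMATS:
        return "ok"
    # The interpolator still has the same context available, but the
    # untrusted value is substituted as data and is never re-interpolated.
    template = "Invalid format value: {value}"
    return template.format(value=fmt, settings=SETTINGS)


def demo() -> dict:
    """Run both variants against an attacker-controlled value."""
    payload = "{settings.SECRET}"     # the EL analogue would be ${...}
    return {
        "vulnerable": validate_format_vulnerable(payload),
        "fixed": validate_format_fixed(payload),
    }


if __name__ == "__main__":
    for name, msg in demo().items():
        print(f"{name:10s} -> {msg}")
```

In Python the injected expression only reads an attribute; Java EL additionally allows method invocation, which is why the same mistake in the Spring error path reaches code execution rather than an information leak. The fix is the same in both: the template is a constant and untrusted input only ever travels as an argument.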

In the Sliver attacks, Wiz observed the IP address 77.221.157.154, which was previously associated with attacks on PAN-OS vulnerabilities in late 2024. The TLS certificate served from this IP has been unchanged since November 2024, which suggests the same operator has been running this infrastructure continuously. Searching EPMM and perimeter logs for traffic to or from that address is a cheap first check for affected organisations.
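A log-hunting pass that combines the two indicators the article gives (the EL ${...} syntax and the IP 77.221.157.154), as an added example rather than tooling from Wiz or Ivanti. The log format, the request path /api/v2/example and every sample line are constructed for the demo; the article names no affected route.

```python
"""Hunt access logs for EL-injection attempts and the infrastructure named above.

Added example, not tooling from Wiz or Ivanti. The only indicators taken from
the article are the EL ${...} syntax and the IP 77.221.157.154; the log format
(Apache/NGINX combined style), the request path and every log line below are
constructed for the demo.
"""
import re
from urllib.parse import parse_qsl, unquote_plus

KNOWN_C2_IPS = {"77.221.157.154"}        # from the Wiz report, per the article

# ${...} is Java EL; #{...} is Spring EL (SpEL). Either inside a request
# parameter aimed at an EPMM endpoint is worth a look.
EL_DELIM = re.compile(r"[$#]\{")
# Typical primitives an EL payload needs to reach code execution.
EL_EXEC = re.compile(
    r"java\.lang\.Runtime|ProcessBuilder|getRuntime|\.exec\(|Class\.forName",
    re.IGNORECASE,
)

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def deep_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2524%257B still becomes ${."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line: str):
    """Return a finding record for one log line, or None if it is clean."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    findings = []
    if m["ip"] in KNOWN_C2_IPS:
        findings.append("known-c2-ip")
    for key, raw in parse_qsl(query, keep_blank_values=True):
        value = deep_decode(raw)
        if EL_DELIM.search(value):
            findings.append(f"el-syntax:{key}")
            if EL_EXEC.search(value):
                findings.append(f"el-exec-primitive:{key}")
    if not findings:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "path": path,
            "status": int(m["status"]), "findings": findings}


def hunt(lines):
    """Scan many lines. A 4xx status does NOT clear a hit: the injection
    fires inside the error-message path, so a successful payload can still
    come back as a validation error."""
    return [r for r in map(analyze_line, lines) if r]


# Constructed sample log; the path is hypothetical, the article names no route.
SAMPLE_LOG = """\
203.0.113.7 - - [16/May/2025:10:02:11 +0000] "GET /api/v2/example?format=json HTTP/1.1" 401 0
77.221.157.154 - - [16/May/2025:10:02:13 +0000] "GET /api/v2/example?format=%24%7BT%28java.lang.Runtime%29.getRuntime%28%29.exec%28%27id%27%29%7D HTTP/1.1" 400 512
198.51.100.23 - - [16/May/2025:10:05:40 +0000] "GET /api/v2/example?format=%2524%257B7*7%257D HTTP/1.1" 400 210
203.0.113.7 - - [16/May/2025:10:06:01 +0000] "POST /login HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], ", ".join(hit["findings"]))
```

The bounded re-decoding matters: a double-encoded %2524%257B is invisible to a single-pass WAF rule but still reaches the interpolator once the application stack has decoded it. The status-code caveat in hunt() is the other point practitioners miss, since the vulnerable code path is the one that produces the error response.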

Neither vulnerability looks critical on its own: CVE-2025-4427 carries a CVSS score of 5.3 and CVE-2025-4428 a 7.2, the latter assuming the attacker is already authenticated. The bypass removes exactly that precondition, so the pair should be handled as unauthenticated remote code execution regardless of the individual scores. Security experts advise installing the patches immediately.
