Ivanti on Tuesday announced patches for three vulnerabilities in its products, including two Endpoint Manager Mobile (EPMM) bugs that have been chained in the wild.
The exploited zero-day flaws, tracked as CVE-2025-4427 (CVSS score of 5.3) and CVE-2025-4428 (CVSS score of 7.2), are described, respectively, as an authentication bypass issue and a remote code execution (RCE) defect impacting two open source libraries integrated into EPMM. Chained together, they enable a remote, unauthenticated attacker to execute arbitrary code.
The company says it is working with the maintainers of the affected libraries to assess the impact on the open source dependencies and whether additional CVEs should be assigned.
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” Ivanti notes in its advisory.
The risk of compromise, the company says, is significantly reduced if access to the API is filtered using the portal's ACL functionality or an external WAF.
Patches for the zero-days have been included in EPMM versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1. All users of Ivanti’s on-prem EPMM product are urged to promptly install the patch.
“We have made additional resources and support teams available to assist customers in implementing the patch and addressing any concerns. Detailed information is available in our Security Advisory so that customers can protect their environment,” Ivanti said.
Additionally, the company released fixes for three bugs in Neurons for ITSM, Cloud Security Application (CSA), and Ivanti Neurons for MDM (N-MDM). None of these appears to be exploited in attacks, the company says.
The fix for Neurons for ITSM (on-premise only) resolves CVE-2025-22462 (CVSS score of 9.8), a critical-severity authentication bypass flaw that could allow a remote attacker to obtain administrative privileges.
Ivanti also patched CVE-2025-22460, a high-severity default credentials issue in CSA that could allow a local attacker to elevate their privileges, and a medium-severity improper authorization defect in N-MDM (with no CVE identifier assigned) that could allow remote, unauthenticated attackers to tamper with resources.