Ivanti: Vulnerabilities in EPMM attacked, critical flaw in Neurons discovered

Attackers are abusing vulnerabilities in Ivanti's Endpoint Manager Mobile. A critical vulnerability was also discovered in Neurons for ITSM.


Ivanti has issued two security bulletins. In them, the manufacturer warns of ongoing attacks on vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM) and closes a security vulnerability in Ivanti Neurons for ITSM. IT managers should apply the available updates immediately.

In the security notification for Ivanti's Endpoint Manager Mobile, the developers report two security vulnerabilities. The more serious vulnerability allows the injection of malicious code (CWE-94, Improper Control of Generation of Code). Ivanti does not provide any details, but merely writes that attackers from the network can execute malicious code on the target system (CVE-2025-4428 / EUVD-2025-14387, CVSS 7.2, risk "high").

According to Ivanti's description, the second vulnerability allows bypassing authentication and thus unauthorized access to resources that are supposed to be protected (CVE-2025-4427 / EUVD-2025-14388, CVSS 5.3, risk "medium"). "If the vulnerabilities are linked, successful misuse can lead to the execution of malicious code without prior authentication," writes Ivanti. The company is aware of a limited number of customers whose installations had been successfully attacked at the time of reporting.

Ivanti is providing updated software versions for several branches of Ivanti Endpoint Manager Mobile: 12.5.0.1, 12.4.0.2, 12.3.0.2 and 11.12.0.5. They are available in Ivanti's download portal.

Ivanti also warns of a critical security vulnerability in Ivanti Neurons for ITSM that affects on-premises installations. Depending on the configuration, it allows attackers to gain administrative access to the system. This is a possible authentication bypass that impacts Ivanti EPMM 2024.3, 2024.2 and 2023.4. The May 2025 security patch fixes the vulnerability (CVE-2025-22462 / EUVD-2025-14498, CVSS 9.8, risk "critical").

At the beginning of April, Ivanti misjudged a security vulnerability in the VPN software Connect Secure. What the developers initially classified as merely a bug turned out to be a genuine security vulnerability, which criminals then went on to attack online.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.