What is the Vulnerability?

On May 15, 2025, Ivanti disclosed two critical vulnerabilities, CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. When chained together, these vulnerabilities can allow unauthenticated remote code execution (RCE) on vulnerable systems.

According to a report by EclecticIQ, attackers are actively exploiting the Ivanti EPMM vulnerability (CVE-2025-4428) in the wild. EclecticIQ attributes this activity with high confidence to UNC5221, a China-nexus espionage group.

China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability

What is the recommended Mitigation?

Ivanti has released updates for Endpoint Manager Mobile (EPMM). Customers should install one of the fixed versions 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1.

Security Advisory Ivanti Endpoint Manager Mobile (EPMM) May 2025 (CVE-2025-4427 and CVE-2025-4428)

What FortiGuard coverage is available?

Intrusion Prevention System (IPS): An IPS signature is available to detect and block exploit attempts targeting CVE-2025-4428.

Intrusion Prevention | FortiGuard Labs

Antimalware and Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.

Indicators of Compromise (IOC) Service: FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the Ivanti EPMM Zero Day vulnerabilities.

Incident Response Service: The FortiGuard Incident Response team is available to assist with any suspected compromise.
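
To act on the fixed versions listed under the recommended mitigation, the following added example (not code from Fortinet or Ivanti) triages an inventory of reported EPMM versions and names the fixed release each vulnerable host should move to. It assumes a release line is identified by the first two version components and that release lines newer than 12.5.0.1 already carry the fix; the hostnames and inventory are constructed sample data.

```python
import re

# Fixed releases named in the advisory text above, keyed by release line.
# Assumption: a release line is the first two version components.
FIXED = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}
NEWEST_FIXED = max(FIXED.values())


def parse_version(text):
    """Parse 'a.b[.c[.d]]' into a 4-tuple of ints, padding with zeros."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){1,3}", text):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    nums = [int(p) for p in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))


def fmt(version):
    return ".".join(str(n) for n in version)


def assess(version_text):
    """Return (status, upgrade_target) for one reported EPMM version."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[:2])
    if fixed is not None:
        return ("patched", None) if v >= fixed else ("vulnerable", fmt(fixed))
    if v > NEWEST_FIXED:
        # Assumption: release lines newer than 12.5.0.1 already carry the fix.
        return ("patched", None)
    # Older line with no fixed build listed: move to the next fixed release.
    return ("vulnerable", fmt(min(f for f in FIXED.values() if f > v)))


if __name__ == "__main__":
    # Constructed inventory (hostnames and versions are sample data).
    inventory = {"mdm-01.example.internal": "12.5.0.0",
                 "mdm-02.example.internal": "12.4.0.2",
                 "mdm-lab.example.internal": "12.2.0.0"}
    for host, ver in inventory.items():
        status, target = assess(ver)
        print(f"{host}\t{ver}\t{status}\t{target or '-'}")
```

A version string that does not parse raises `ValueError`, so an unreadable inventory entry is surfaced for manual review instead of being counted as patched.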