On May 13, 2025, Ivanti released patches addressing multiple vulnerabilities across its products. The most severe issues include an unauthenticated remote code execution exploit chain affecting Ivanti Endpoint Manager Mobile (EPMM) and a critical authentication bypass vulnerability in Ivanti Neurons for IT Service Management (ITSM).
- CVE-2025-4427 and CVE-2025-4428: These vulnerabilities affect EPMM and can be chained together to enable unauthenticated remote code execution. CVE-2025-4427 is an authentication bypass, and CVE-2025-4428 enables code execution. Ivanti has confirmed that threat actors have used this exploit chain in customer environments.
- CVE-2025-22462: A critical authentication bypass vulnerability in on-premises deployments of Ivanti Neurons for ITSM. A remote, unauthenticated threat actor can exploit this to gain administrative access to the system. Exploitation of this vulnerability has not been observed at this time.
While no publicly available proof-of-concept (PoC) exploit exists for these vulnerabilities, Ivanti products have been heavily targeted by threat actors in the past, as evidenced by multiple Ivanti vulnerabilities listed in CISA’s Known Exploited Vulnerabilities Catalog. One of the most impactful campaigns of 2024 leveraged two Ivanti vulnerabilities to compromise thousands of Ivanti Connect Secure VPN devices. Given this history, threat actors may attempt to further target these newly disclosed vulnerabilities in the near future.
Recommendation
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
Product | Vulnerability | Affected Version(s) | Fixed Version(s) |
--- | --- | --- | --- |
Ivanti Endpoint Manager Mobile | CVE-2025-4427 & CVE-2025-4428 | | |
Ivanti Neurons for ITSM (on-prem only) | CVE-2025-22462 | | |
Please follow your organization’s patching and testing guidelines to minimize potential operational impact.