It has been revealed that Chinese hackers have been exploiting a remote code execution flaw in Ivanti Endpoint Manager Mobile (EPMM) to breach high-profile organizations worldwide. The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, can allow an unauthenticated attacker to achieve remote code execution. Ivanti is urging customers to immediately upgrade to a fixed version of the software.
Looking into the hacker threat for Digital Journal is Randolph Barr, CISO at Cequence.
Barr sees the current threat as demonstrating a weakness with many IT systems: “This campaign highlights a critical reality in modern cybersecurity: trust is not just assumed, it must be actively maintained between organizations and their vendors. In the case of Ivanti Endpoint Manager Mobile (EPMM), this trust is especially important given the platform’s deep integration into mobile device ecosystems and its ability to issue configurations and updates at scale.”
However, there is something specific about the threat, which Barr highlights: “What’s even more concerning is the continued presence of CVE-2023-35078, a critical vulnerability disclosed and patched nearly two years ago, that remains exploitable in some environments. This situation speaks to a larger issue across the industry: many organizations struggle to meet internal SLAs or commonly accepted timeframes for vulnerability remediation, particularly for high-risk flaws. In this case, the remediation window far exceeded industry norms, which significantly increased exposure.”
Building a solid security infrastructure requires a partnership approach, which Barr draws out: “From a shared responsibility standpoint, both Ivanti and its customers have a role to play. Vendors must take ownership of secure development practices, including: comparing security implications across product versions; running internal testing and static/dynamic code analysis; and leveraging third-party penetration testing to uncover latent risks.”
Compromise of a server has serious downstream effects
Building robust security defences is not easy, as Barr observes: “While it’s understood that zero-day detection is challenging and some issues will only surface after real-world exposure, known vulnerabilities, especially those with public exploits, must be prioritized and remediated swiftly. This responsibility includes not just patch issuance by the vendor but also timely application by customers as part of their vulnerability management processes.”
There are also caveats to observe: “It’s important for users and stakeholders to understand that these vulnerabilities impact the Ivanti EPMM server, not the mobile devices themselves. Exploitation of the server does not provide direct access to user content such as messages, photos, or files on mobile devices; nor does it provide immediate remote control or execution capabilities on the devices, unless the trust relationship between EPMM and the endpoint is abused.”
However, Barr notes: “because EPMM acts as a Mobile Device Management (MDM) platform, compromise of its server can still have serious downstream effects: malicious commands or profiles can be pushed to enrolled devices; unauthorized apps or updates can be deployed, depending on MDM policy enforcement; and sensitive device metadata, including user associations, inventory, and system configurations, can be accessed and exfiltrated.”
Organizations should reevaluate
Rounding up his comments, Barr finds: “This campaign should serve as a wake-up call for any organization managing mobile infrastructure at scale. Time-to-remediate (TTR) has become a critical risk metric, and any delay in patching high-severity vulnerabilities, especially ones already known and exploited, can open the door for sophisticated threat actors.”
This extends to a recommendation: “Organizations should reevaluate: their patch management and remediation workflows; the degree of automation and trust configured in MDM tools; and the vendor expectations they’ve set around secure coding and proactive disclosure. Trust in software vendors must be continually validated, not just through promises of security, but through transparent, timely, and accountable practices on both sides.”
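The two quotes above treat time-to-remediate (TTR) as a risk metric and point to remediation SLAs that known-exploited flaws should not be allowed to overrun. The following is an added example (not code from Digital Journal, Cequence or Ivanti) of a small SLA tracker that computes TTR for each finding, tightens the window for anything known to be exploited, and lists the overdue items first. The SLA day counts, the `REPORT_DATE`, the `EXAMPLE-2025-0001` entry and all disclosure and remediation dates are constructed for illustration; only the three CVE identifiers come from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed remediation windows in days per severity (constructed values, not
# figures from the article; substitute the organization's own SLA policy).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Assumed reporting date for the worked example.
REPORT_DATE = date(2025, 5, 27)


@dataclass
class Finding:
    cve: str
    severity: str
    disclosed: date                 # date the fix/advisory became available
    remediated: Optional[date]      # None while the finding is still open
    known_exploited: bool = False   # public exploit or confirmed in-the-wild use


@dataclass
class Assessment:
    cve: str
    ttr_days: int    # disclosure-to-fix in days, or current age if still open
    sla_days: int    # window the finding was measured against
    status: str      # within_sla | breached | open_within_sla | open_overdue


def assess(finding: Finding, today: date) -> Assessment:
    """Measure one finding against its SLA window."""
    sla = SLA_DAYS[finding.severity]
    # Known-exploited flaws get the tightest window regardless of base severity,
    # reflecting the article's point that exploited CVEs must be prioritized.
    if finding.known_exploited:
        sla = min(sla, SLA_DAYS["critical"])
    if finding.remediated is not None:
        ttr = (finding.remediated - finding.disclosed).days
        status = "within_sla" if ttr <= sla else "breached"
    else:
        ttr = (today - finding.disclosed).days
        status = "open_within_sla" if ttr <= sla else "open_overdue"
    return Assessment(finding.cve, ttr, sla, status)


def overdue_report(findings: List[Finding], today: date) -> List[Assessment]:
    """Return findings that breached or are overrunning their SLA, worst first."""
    results = [assess(f, today) for f in findings]
    actionable = [r for r in results if r.status in ("breached", "open_overdue")]
    return sorted(actionable, key=lambda r: r.ttr_days - r.sla_days, reverse=True)


# Constructed inventory: the CVE identifiers appear in the article, but the
# dates and the EXAMPLE-2025-0001 placeholder entry are illustrative only.
SAMPLE_FINDINGS = [
    Finding("CVE-2023-35078", "critical", date(2023, 7, 24), None, known_exploited=True),
    Finding("CVE-2025-4427", "high", date(2025, 5, 13), date(2025, 5, 20), known_exploited=True),
    Finding("CVE-2025-4428", "high", date(2025, 5, 13), None, known_exploited=True),
    Finding("EXAMPLE-2025-0001", "medium", date(2025, 1, 10), date(2025, 5, 15)),
]


if __name__ == "__main__":
    for a in overdue_report(SAMPLE_FINDINGS, REPORT_DATE):
        over_by = a.ttr_days - a.sla_days
        print(f"{a.cve}: {a.status} ({a.ttr_days}d vs {a.sla_days}d SLA, over by {over_by}d)")
```

Run as a script it prints the two items that need attention: the long-open critical entry first, then the medium-severity item that was fixed late. Feeding it the organization's real inventory (with actual advisory dates) turns the article's "remediation window far exceeded industry norms" into a number that can be tracked per finding rather than argued about after a breach.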
