The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).

The flaws are an authentication bypass in EPMM’s API component (CVE-2025–4427) and a code injection vulnerability (CVE-2025–4428) that allows execution of arbitrary code.

The two vulnerabilities affect the following Ivanti EPMM development branches and their earlier releases: 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0.