On May 13, 2025, Ivanti disclosed an exploited in the wild exploit chain, comprising of two new vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM): CVE-2025-4427 and CVE-2025-4428. Ivanti EPMM is an enterprise-focused software suite for IT teams to manage mobile devices, applications, and content.

CVE-2025-4427 is an authentication bypass vulnerability with a CVSS rating of 5.3 (Medium). CVE-2025-4428 is an authenticated remote code execution (RCE) vulnerability with a CVSS rating of 7.2 (High). By chaining the medium-severity authentication bypass (CVE-2025-4427), an unauthenticated attacker can reach a web API endpoint to inject server-side template patterns and exploit the high-severity vulnerability (CVE-2025-4428), thus achieving unauthenticated remote code execution. Therefore, while neither vulnerability has been rated as critical, when combined together, the impact of the exploit chain is critical, i.e. unauthenticate RCE.

The vulnerabilities were reported to the vendor by CERT-EU, the European Union’s Cybersecurity Service for the Union institutions, bodies, offices and agencies. The vendor has disclosed that this exploit chain has been exploited in the wild to a limited degree. Notably, this product was previously targeted by an unknown threat actor against the Norwegian Security and Service Organization (DSS) in 2023.

On May 15, 2025, a technical analysis and accompanying proof-of-concept exploit was published publicly. With public exploit code now available, the risk of broad exploitation in the wild has greatly increased.

On May 19, 2025, both CVE-2025-4427 and CVE-2025-4428 were added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV).

Mitigation guidance

The vendor has provided patches for affected versions of EPMM. Customers are advised to follow the vendor guidance, and remediate this vulnerability by upgrading to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur.

The following list outlines the affected supported EPMM versions, and their respective fixes:

• Version 11.12.0.4 and prior is fixed in version 11.12.0.5
• Version 12.3.0.1 and prior is fixed in version 12.3.0.2
• Version 12.4.0.1 and prior is fixed in version 12.4.0.2
• Version 12.5.0.0 and prior is fixed in version 12.5.0.1

For the latest mitigation guidance, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess exposure to CVE-2025-4427 and CVE-2025-4428 with authenticated checks available in the May 16 content release.

Updates

May 16, 2025: Updated description of checks to clarify they will be authenticated.

May 19, 2025: Clarified InsightVM and Nexpose checks were shipped in the May 16 content release.

May 20, 2025: Added reference to the CISA KEV list.

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple Fortinet products; including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera. The vulnerability is rated as CVSS 9.6 (Critical), and allows an unauthenticated remote attacker to achieve remote code execution (RCE) against a vulnerable target.

Fortinet has disclosed that this vulnerability has been exploited in the wild by a threat actor who is targeting vulnerable FortiVoice appliances. No threat actor attribution has been made at this time. FortiVoice is an enterprise unified communication (UC) platform, providing communications services such as calling, conferencing, and chat. The Fortinet Product Security Team made this discovery based on observed threat activity. This threat activity included additional network scanning, credential logging, and log file wiping. Several IOCs have been published in the vendor advisory to assist customers in threat hunting.

CVE-2025-32756 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV) on May 14, 2025.

Mitigation guidance

Fortinet have provided patches for affected versions under support, and guidance for unsupported versions to migrate to a fixed version. Customers are advised to follow the vendor guidance, and remediate this vulnerability by upgrading to a fixed version on an urgent basis, as outlined below.

• FortiVoice 7.2 should be upgraded to 7.2.1 or above
• FortiVoice 7.0 should be upgraded to 7.0.7 or above
• FortiVoice 6.4 should be upgraded to 6.4.11 or above
  
• FortiRecorder 7.2 should be upgraded to 7.2.4 or above
• FortiRecorder 7.0 should be upgraded to 7.0.6 or above
• FortiRecorder 6.4 should be upgraded to 6.4.6 or above
  
• FortiNDR 7.6 should be upgraded to 7.6.1 or above
• FortiNDR 7.4 should be upgraded to 7.4.8 or above
• FortiNDR 7.2 should be upgraded to 7.2.5 or above
• FortiNDR 7.1 should be migrated to a fixed release
• FortiNDR 7.0 should be upgraded to 7.0.7 or above
• FortiNDR 1.5 should be migrated to a fixed release
• FortiNDR 1.4 should be migrated to a fixed release
• FortiNDR 1.3 should be migrated to a fixed release
• FortiNDR 1.2 should be migrated to a fixed release
• FortiNDR 1.1 should be migrated to a fixed release
  
• FortiMail 7.6 should be upgraded to 7.6.3 or above
• FortiMail 7.4 should be upgraded to 7.4.5 or above
• FortiMail 7.2 should be upgraded to 7.2.8 or above
• FortiMail 7.0 should be upgraded to 7.0.9 or above
  
• FortiCamera 2.1 should be upgraded to 2.1.4 or above
• FortiCamera 2.0 should be migrated to a fixed release
• FortiCamera 1.1 should be migrated to a fixed release
  

For customers who may not be able to update to a fixed version, Fortinet has given guidance to disable the affected appliance's HTTP(S) administration interface. For the latest mitigation guidance, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can now assess their exposure to CVE-2025-32756 on FortiVoice with an unauthenticated check available in the May 14, 2025 content release (Nexpose Content 1.1.3561)

Updates

May 14, 2025: Updated to reflect InsightVM check was shipped on May 14, 2025. Added reference to the CISA KEV listing.

The following is a guest blog post by Zac Youtz, Co-Founder and CTO at valued Rapid7 partner, Furl. Here, Zac discusses how to effectively remediate vulnerabilities discovered by Rapid7’s InsightVM.

Scaling vulnerability remediation with AI

Vulnerability remediation is a crucial-yet-complex task for organizations striving to maintain a strong security posture. Security teams work tirelessly to identify and prioritize vulnerabilities, often based on severity. However, true remediation remains a challenge due to the involvement of multiple stakeholders, the limitations of traditional tools, and the lack of flexibility in addressing vulnerabilities effectively.

The complexity of multi-stakeholder remediation

While security teams are responsible for identifying and prioritizing risks, they may not always have full visibility into the broader business context or IT infrastructure. IT teams, on the other hand, must evaluate the potential business impact of each vulnerability and determine the most effective remediation strategy.

This decentralized approach often requires collaboration across multiple departments, including system administrators, application owners, and other technical teams. The result is a remediation process that can become fragmented, delayed, and hindered by misalignment in priorities and resource constraints.

The gap between tools and remediation needs

Traditional endpoint and patch management tools are not designed to fully address the nuances of vulnerability remediation. While they serve a critical role in maintaining system integrity and enforcing security policies, they often lack the adaptability required for addressing the evolving nature of security threats. Some of the key challenges include:

• Limited context awareness: Patches are applied without considering the broader business or technical impact, which can lead to system disruptions.
• Rigid approaches: A one-size-fits-all methodology fails to account for varying vulnerability severities and business risks, delaying critical fixes.
• Limited remediation flexibility: Most endpoint management and patching tools only manage software within their scope, leaving gaps for software installed outside IT control—resulting in unmanaged vulnerabilities that are often ignored or addressed through a growing list of exceptions.
• Limited remediation approaches: Patching isn’t always the only or best fix. Uninstalling unused or unnecessary software can eliminate risk entirely, but many tools lack the visibility to support this approach.
• Poor coordination: Limited alignment between security, IT, and application teams can slow down remediation efforts.
• Inflexible policies: Static policies struggle to adapt to the dynamic nature of emerging threats and evolving infrastructure.

To bridge these gaps, organizations need a more intelligent and context-aware approach that enhances traditional remediation tools rather than replacing them.

Enhancing InsightVM with AI-powered remediation

Rapid7's InsightVM is designed to help organizations manage and respond to potential threats quickly and effectively. Furl’s AI-powered platform can be an accelerator of efficient remediation of those threats by integrating with InsightVM. This partnership enables organizations to take immediate and automated action on vulnerabilities identified through Rapid7’s threat intelligence. Furl’s AI-driven remediation engine can:

• Automate fixes: Instantly apply the most effective remediation strategies tailored to the vulnerability type and business impact.
• Improve coordination: Bridge the gap between managed detection and response (MDR) findings and IT teams, ensuring vulnerabilities are addressed without unnecessary delays.
• Enhance contextual decision-making: Provide enriched insights that help prioritize and execute remediation steps in line with MDR recommendations.
• Streamline workflows: Reduce the burden on security teams by seamlessly integrating with existing security operations processes and toolsets.

Partnering for an efficient remediation strategy

To help organizations tackle these challenges, Rapid7 is partnering with innovative security solutions like Furl, a company dedicated to transforming the remediation process with AI-driven automation. Through this collaboration, Rapid7 InsightVM customers can benefit from automated, intelligent remediation workflows that accelerate response times and improve overall security outcomes.

By combining Rapid7’s industry-leading detection and response capabilities with Furl’s AI-powered remediation platform, organizations can move from identification to resolution faster—closing the loop on vulnerability management and ensuring threats are neutralized before they can cause harm.

To learn more about how AI and automation can enhance your security operations alongside Rapid7’s InsightVM, check out www.furl.ai for more information.