On May 13, 2025, Ivanti disclosed an exploited in the wild exploit chain, comprising of two new vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM): CVE-2025-4427 and CVE-2025-4428. Ivanti EPMM is an enterprise-focused software suite for IT teams to manage mobile devices, applications, and content.

CVE-2025-4427 is an authentication bypass vulnerability with a CVSS rating of 5.3 (Medium). CVE-2025-4428 is an authenticated remote code execution (RCE) vulnerability with a CVSS rating of 7.2 (High). By chaining the medium-severity authentication bypass (CVE-2025-4427), an unauthenticated attacker can reach a web API endpoint to inject server-side template patterns and exploit the high-severity vulnerability (CVE-2025-4428), thus achieving unauthenticated remote code execution. Therefore, while neither vulnerability has been rated as critical, when combined together, the impact of the exploit chain is critical, i.e. unauthenticate RCE.

The vulnerabilities were reported to the vendor by CERT-EU, the European Union’s Cybersecurity Service for the Union institutions, bodies, offices and agencies. The vendor has disclosed that this exploit chain has been exploited in the wild to a limited degree. Notably, this product was previously targeted by an unknown threat actor against the Norwegian Security and Service Organization (DSS) in 2023.

On May 15, 2025, a technical analysis and accompanying proof-of-concept exploit was published publicly. With public exploit code now available, the risk of broad exploitation in the wild has greatly increased.

On May 19, 2025, both CVE-2025-4427 and CVE-2025-4428 were added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV).

Mitigation guidance

The vendor has provided patches for affected versions of EPMM. Customers are advised to follow the vendor guidance, and remediate this vulnerability by upgrading to a fixed version on an emergency basis, without waiting for a regular patch cycle to occur.

The following list outlines the affected supported EPMM versions, and their respective fixes:

• Version 11.12.0.4 and prior is fixed in version 11.12.0.5
• Version 12.3.0.1 and prior is fixed in version 12.3.0.2
• Version 12.4.0.1 and prior is fixed in version 12.4.0.2
• Version 12.5.0.0 and prior is fixed in version 12.5.0.1

For the latest mitigation guidance, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess exposure to CVE-2025-4427 and CVE-2025-4428 with authenticated checks available in the May 16 content release.

Updates

May 16, 2025: Updated description of checks to clarify they will be authenticated.

May 19, 2025: Clarified InsightVM and Nexpose checks were shipped in the May 16 content release.

May 20, 2025: Added reference to the CISA KEV list.

On May 13, 2025, Fortinet disclosed CVE-2025-32756, an unauthenticated stack-based buffer overflow affecting multiple Fortinet products; including FortiVoice, FortiRecorder, FortiNDR, FortiMail, and FortiCamera. The vulnerability is rated as CVSS 9.6 (Critical), and allows an unauthenticated remote attacker to achieve remote code execution (RCE) against a vulnerable target.

Fortinet has disclosed that this vulnerability has been exploited in the wild by a threat actor who is targeting vulnerable FortiVoice appliances. No threat actor attribution has been made at this time. FortiVoice is an enterprise unified communication (UC) platform, providing communications services such as calling, conferencing, and chat. The Fortinet Product Security Team made this discovery based on observed threat activity. This threat activity included additional network scanning, credential logging, and log file wiping. Several IOCs have been published in the vendor advisory to assist customers in threat hunting.

CVE-2025-32756 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV) on May 14, 2025.

Mitigation guidance

Fortinet have provided patches for affected versions under support, and guidance for unsupported versions to migrate to a fixed version. Customers are advised to follow the vendor guidance, and remediate this vulnerability by upgrading to a fixed version on an urgent basis, as outlined below.

• FortiVoice 7.2 should be upgraded to 7.2.1 or above
• FortiVoice 7.0 should be upgraded to 7.0.7 or above
• FortiVoice 6.4 should be upgraded to 6.4.11 or above
  
• FortiRecorder 7.2 should be upgraded to 7.2.4 or above
• FortiRecorder 7.0 should be upgraded to 7.0.6 or above
• FortiRecorder 6.4 should be upgraded to 6.4.6 or above
  
• FortiNDR 7.6 should be upgraded to 7.6.1 or above
• FortiNDR 7.4 should be upgraded to 7.4.8 or above
• FortiNDR 7.2 should be upgraded to 7.2.5 or above
• FortiNDR 7.1 should be migrated to a fixed release
• FortiNDR 7.0 should be upgraded to 7.0.7 or above
• FortiNDR 1.5 should be migrated to a fixed release
• FortiNDR 1.4 should be migrated to a fixed release
• FortiNDR 1.3 should be migrated to a fixed release
• FortiNDR 1.2 should be migrated to a fixed release
• FortiNDR 1.1 should be migrated to a fixed release
  
• FortiMail 7.6 should be upgraded to 7.6.3 or above
• FortiMail 7.4 should be upgraded to 7.4.5 or above
• FortiMail 7.2 should be upgraded to 7.2.8 or above
• FortiMail 7.0 should be upgraded to 7.0.9 or above
  
• FortiCamera 2.1 should be upgraded to 2.1.4 or above
• FortiCamera 2.0 should be migrated to a fixed release
• FortiCamera 1.1 should be migrated to a fixed release
  

For customers who may not be able to update to a fixed version, Fortinet has given guidance to disable the affected appliance's HTTP(S) administration interface. For the latest mitigation guidance, please refer to the vendor advisory.

Rapid7 customers

InsightVM and Nexpose customers can now assess their exposure to CVE-2025-32756 on FortiVoice with an unauthenticated check available in the May 14, 2025 content release (Nexpose Content 1.1.3561)

Updates

May 14, 2025: Updated to reflect InsightVM check was shipped on May 14, 2025. Added reference to the CISA KEV listing.