Ivanti EPMM flaw exploited by Chinese hackers to breach govt agencies
Published on: 2025-06-27 00:23:08
Chinese hackers have been exploiting a remote code execution flaw in Ivanti Endpoint Manager Mobile (EPMM) to breach high-profile organizations worldwide.
The flaw is identified as CVE-2025-4428 and received a high-severity score.
The issue can be leveraged to execute code remotely on Ivanti EPMM version 12.5.0.0 and earlier via specially crafted API requests.
Ivanti disclosed the flaw together with an authentication bypass (CVE-2025-4427) and patched them both on May 13, 2025, noting that the two issues had been exploited previously against a “very limited number of customers.”
Yesterday, EclecticIQ researcher Arda Büyükkaya reported that CVE-2025-4428 has been exploited extensively in the wild since May 15, and attributed the attacks with high confidence to the UNC5221 activity cluster.
This threat group is considered an Ivanti specialist, having regularly exploited zero-day vulnerabilities in the vendor's products, such as Connect Secure in January and again in April 2025.
The resear