Written by: Ferdi Gül

Welcome to this week’s Focus Friday, where we delve into high-profile incidents from a Third-Party Risk Management (TPRM) perspective. This week, we’re focusing on vulnerabilities discovered in Ivanti’s Endpoint Manager Mobile (EPMM). Specifically, we’ll address two critical flaws, CVE-2025-4427 (Authentication Bypass) and CVE-2025-4428 (Remote Code Execution), which, when exploited together, allow unauthenticated attackers to bypass authentication and execute arbitrary code remotely on affected systems. These vulnerabilities, if left unchecked, could pose a serious threat to organizations using Ivanti EPMM for mobile device management. Read on to explore the details and how Black Kite’s FocusTags™ can assist in managing the associated risks.

Filtered view of companies with Ivanti EPMM – May2025 FocusTag™ on the Black Kite platform.

What is the Ivanti EPMM RCE and Authentication Bypass Vulnerability? (CVE-2025-4427, CVE-2025-4428)

Ivanti Endpoint Manager Mobile (EPMM) has two vulnerabilities, CVE-2025-4427 and CVE-2025-4428, that are critical for organizations using this software for mobile device management. These vulnerabilities, when chained together, allow unauthenticated attackers to bypass authentication and execute arbitrary code remotely on the affected systems.

  • CVE-2025-4427: This is an authentication bypass vulnerability that allows attackers to access protected resources without valid credentials. It has a medium severity level with a CVSS score of 5.3 and an EPSS score of 0.94%.
  • CVE-2025-4428: This vulnerability is a remote code execution (RCE) flaw that enables attackers to execute arbitrary code on the target system. This vulnerability has a high severity level with a CVSS score of 7.2 and an EPSS score of 0.51%.

Both vulnerabilities were discovered and publicly disclosed in May 2025, and there are reports of active exploitation in the wild. However, no PoC exploit code has been publicly released. The vulnerabilities were not added to CISA’s KEV catalog as of the time of disclosure.

Why Should TPRM Professionals Care About These Vulnerabilities?

For third-party risk management (TPRM) professionals, these vulnerabilities pose a severe risk because they impact the integrity and availability of the mobile device management (MDM) infrastructure. Organizations using Ivanti EPMM for mobile device management may be exposed to potential breaches, unauthorized access, and even complete control over their devices and networks.

If attackers successfully exploit these vulnerabilities, they could gain access to sensitive data and internal configurations, leading to further lateral movement in the network. This makes it essential for TPRM professionals to assess the risk posed by vendors using Ivanti EPMM, especially those running vulnerable versions.

What Questions Should TPRM Professionals Ask Vendors About Ivanti EPMM Vulnerabilities?

  • Have you applied the latest security patches to Ivanti EPMM (versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1)?
  • What access control measures do you have in place to secure the Ivanti EPMM API, such as using a Web Application Firewall (WAF) or Portal ACLs?
  • Can you confirm whether any unusual API requests or failed authentication attempts have been detected in your logs?
  • If your organization is unable to immediately upgrade Ivanti EPMM, what mitigation strategies are in place to reduce the impact of these vulnerabilities?

Remediation Recommendations for Vendors Subject to This Risk

  • Upgrade Ivanti EPMM to a fixed version: Apply the patches available in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1 to address both CVE-2025-4427 and CVE-2025-4428.
  • Implement strong access control: Use Portal ACLs or an external WAF to restrict API access and ensure that only authorized services and IP addresses can interact with the EPMM API.
  • Review and strengthen integrations: Ensure that critical integrations such as Windows Autopilot and Microsoft Graph API are properly configured to prevent disruptions.
  • Monitor for signs of exploitation: Regularly review logs for failed authentication attempts and abnormal API requests, and follow up with Ivanti support if exploitation is suspected.

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite’s FocusTag for Ivanti EPMM highlights the affected versions and helps TPRM professionals quickly identify vendors exposed to these critical vulnerabilities. By using Black Kite’s platform, TPRM teams can determine which vendors are affected, identify any potentially vulnerable assets (like IP addresses and subdomains), and prioritize outreach to those vendors for remediation.

The FocusTag also provides actionable intelligence, such as the specific versions at risk and recommendations for mitigations. This enables organizations to proactively manage their risk exposure and make data-driven decisions.

Since this is a new FocusTag, it provides an updated and detailed analysis of the risk posed by Ivanti EPMM vulnerabilities. Black Kite customers can operationalize this tag by integrating the identified vulnerabilities into their risk management workflows, ensuring a more targeted and efficient vendor outreach process.

Black Kite’s Ivanti EPMM – May2025 FocusTagTM details critical insights on the event for TPRM professionals.

Update on SAP NetWeaver Vulnerabilities: Threat Actor Activity Continues

In April 2025, Black Kite’s FocusTag for SAP NetWeaver included a series of vulnerabilities that continue to pose a significant threat to organizations relying on this enterprise platform. As of May 2025, the situation has escalated, with multiple ransomware groups now actively exploiting these vulnerabilities.

The CVE-2025-42999, an insecure deserialization vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader, has been added to the existing SAP NetWeaver VCFRAMEWORK [Suspected] FocusTag. This vulnerability allows privileged users to upload untrusted serialized content, which, when deserialized, can severely compromise the system’s confidentiality, integrity, and availability.

The vulnerability has been actively exploited by several threat actor groups, including notorious ransomware gangs. As detailed in SAP’s May 2025 Security Patch Day alert, the RansomEXX and BianLian ransomware groups are targeting SAP NetWeaver systems with this flaw. While no ransomware payloads have been successfully deployed, the ongoing exploitation is a stark reminder of the continuing risk posed by this vulnerability. Additionally, several Chinese APT groups are also targeting unpatched NetWeaver instances, with evidence suggesting strategic objectives tied to espionage.

What Does This Mean for TPRM Professionals?

The addition of CVE-2025-42999 to the SAP NetWeaver FocusTag further emphasizes the critical nature of this vulnerability. TPRM professionals must now be even more vigilant in identifying vendors and third parties that rely on SAP NetWeaver systems. With active exploitation reported in the wild, including by sophisticated ransomware actors, the risk to organizations’ operational continuity is heightened.

If you’re managing third-party risks related to SAP NetWeaver, it is crucial to ensure that vendors have applied the latest patches and are actively monitoring for suspicious activity, especially around Visual Composer and its related components. Prompt remediation and proactive monitoring will be key to preventing a potential breach.

For those following the SAP NetWeaver VCFRAMEWORK [Suspected] FocusTag, stay informed on new CVEs and exploit activity to adjust your risk mitigation strategies accordingly.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In today’s rapidly evolving cybersecurity landscape, staying ahead of vulnerabilities is crucial for robust Third-Party Risk Management (TPRM). Black Kite’s FocusTags™ provide essential insights and tools to effectively manage these risks, especially in the face of emerging threats like those found in Ivanti EPMM and SAP NetWeaver.

Here’s how Black Kite’s FocusTags™ can enhance your TPRM strategy:

  • Real-Time Vulnerability Tracking: FocusTags™ allow TPRM professionals to quickly identify vendors affected by the latest vulnerabilities, enabling faster, more strategic responses.
  • Risk Prioritization: FocusTags™ help prioritize risks based on the severity of vulnerabilities and the importance of affected vendors, ensuring resources are allocated where they’re needed most.
  • Informed Vendor Conversations: FocusTags™ facilitate targeted and meaningful discussions with vendors, addressing their specific security posture in relation to identified vulnerabilities.
  • Comprehensive Security Overview: With a clear, broad view of the threat landscape, FocusTags™ contribute to stronger, more proactive cybersecurity strategies.

Black Kite’s FocusTags™ transform complex cyber threat data into actionable intelligence, empowering TPRM professionals to effectively manage risks, reduce exposure, and bolster security.



Want to take a closer look at FocusTags™?


Take our platform for a test drive and request a demo today.




Request a Demo

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTagsTM in the Last 30 Days:

  • Ivanti EPMM – May2025: CVE-2025-4427, CVE-2025-4428, Authentication Bypass and Remote Code Execution Vulnerability in Ivanti Endpoint Manager Mobile (EPMM)
  • SysAid On-Premises: CVE-2025-2775, CVE-2025-2776, CVE-2025-2777, XML External Entity (XXE) Injection Vulnerability in SysAid On-Premises.
  • Apache ActiveMQ – May2025: CVE-2025-27533, Memory Allocation with Excessive Size Value in Apache ActiveMQ.
  • Webmin: CVE-2025-2774, CRLF Injection Privilege Escalation Vulnerability in Webmin.
  • Couchbase Server: CVE-2025-46619, LFI Vulnerability in Couchbase Server.
  • SAP NetWeaver VCFRAMEWORK : CVE-2025-31324, Remote Code Execution Vulnerability in SAP NetWeaver Visual Composer’s Metadata Uploader component.
  • Apache Tomcat – Apr2025 : CVE-2025-31650, CVE-2025-31651, DoS Vulnerability, Rewrite Rule Bypass Vulnerability in Apache Tomcat.
  • Fortinet Symlink Backdoor : CVE-2022-42475, CVE-2024-21762, CVE-2023-27997, Arbitrary Code Execution Vulnerability, Numeric Truncation Error, Heap-based Buffer Overflow Vulnerability, Out-of-bounds Write Vulnerability in FortiGate devices.
  • SonicWall SSLVPN Gen7 : CVE-2025-32818, Null Pointer Dereference Vulnerability, DoS Vulnerability in SonicWall SSLVPN Gen 7 devices.
  • Redis Server : CVE-2025-21605, Allocation of Resources Without Limits or Throttling in Redis Servers.
  • Adobe ColdFusion : CVE-2025-24446 CVE-2025-24447 CVE-2025-30281 CVE-2025-30282 CVE-2025-30284 CVE-2025-30285 CVE-2025-30286 CVE-2025-30287 CVE-2025-30288 CVE-2025-30289 CVE-2025-30290, Deserialization of Untrusted Data, Improper Authentication, Improper Access Control, OS Command Injection, Improper Input Validation, Path Traversal Vulnerabilities in Adobe ColdFusion.
  • Beego: CVE-2025-30223, Reflected/Stored XSS Vulnerabilities in Beego Web Framework.
  • Ivanti Connect Secure : CVE‑2025‑22457, Stack‑based Buffer Overflow Vulnerability in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti ZTA Gateways.
  • FortiSwitch : CVE‑2024‑48887, Unverified Password Change Vulnerability in Fortinet FortiSwitch web interface.
  • MinIO : CVE‑2025‑31489, Improper Verification of Cryptographic Signature Vulnerability in MinIO Go module package.
  • Kubernetes Ingress NGINX : CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974, Improper Isolation or Compartmentalization Vulnerability, Remote Code Execution Vulnerability in Kubernetes ingress-nginx controller.
  • Synology DSM : CVE-2024-10441, Remote Code Execution Vulnerability in Synology BeeStation OS (BSM), Synology DiskStation Manager (DSM).
  • Synapse Server : CVE-2025-30355, Improper Input Validation Vulnerability in Matrix Synapse Server.
  • Juniper Junos OS – Mar2025 : CVE-2025-21590, Improper Isolation or Compartmentalization Vulnerability in Juniper Junos OS.
  • SAP NetWeaver – Mar2025 : CVE-2017-12637, Directory Traversal Vulnerability in SAP NetWeaver Application Server.

References