
Sunken Ships: Learning From Ivanti EPMM Attacks

These articles are AI-generated summaries. Please check the original sources for full details.

Sunken Ships: Will Orgs Learn From Ivanti EPMM Attacks?

The April/May 2025 zero-day exploitation of Ivanti Endpoint Manager Mobile (EPMM), Ivanti's mobile device management platform, led to the compromise of thousands of organizations by a Chinese APT group, and researchers warn that history is likely to repeat itself. The attacks underscore the risk posed by vulnerabilities in widely used endpoint management systems, a risk that is routinely underestimated even though a single flaw in such a system can cause damage across an entire fleet.

The Ivanti EPMM attacks showed how a seemingly simple vulnerability, a faulty API function exploitable with a basic GET request, could hand attackers enterprise-wide command-and-control over every enrolled smartphone. An MDM server is by design a command channel to all of the devices it manages, so compromising the server is compromising the fleet. This highlights the gap between idealized security models and the practical realities of software vulnerabilities and patching delays.
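As an added example (not code from the original article, from Ivanti, or from the researchers it cites), the following Python script hunts an access log for the trace that abuse of an authentication bypass on an API leaves behind: successful GET requests to protected API paths from clients that presented no credentials at all. The log format, the `auth=` field, the `/api/` prefix, the `public_paths` allowlist and the sample log lines are all assumptions constructed for illustration; adapt `LOG_RE` to the real access-log format of the server being investigated.

```python
"""Hunt for successful, unauthenticated GET requests against an MDM server's API.

Added example for this summary, not Ivanti's code or any researcher's tooling.
Assumption: a combined-style access log extended with an `auth=` field naming the
credential the request carried (session, token, none). Real EPMM logs differ, so
LOG_RE, the field names and the sample lines below are illustrative only.
"""
import re
from collections import Counter
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ auth=(?P<auth>\S+)$'
)

# Constructed sample lines (not captured from any real incident); 203.0.113.9 walks
# several protected API paths without ever presenting a session or token.
SAMPLE_LOG = """\
198.51.100.7 - admin [15/May/2025:10:01:12 +0000] "GET /api/v2/devices HTTP/1.1" 200 5120 auth=session
198.51.100.7 - - [15/May/2025:10:02:40 +0000] "GET /api/v2/devices HTTP/1.1" 401 212 auth=none
203.0.113.9 - - [15/May/2025:10:05:03 +0000] "GET /api/v2/status HTTP/1.1" 200 88 auth=none
203.0.113.9 - - [15/May/2025:10:05:09 +0000] "GET /api/v2/devices?page=1 HTTP/1.1" 200 2210 auth=none
203.0.113.9 - - [15/May/2025:10:05:31 +0000] "GET /api/v2/devices/actions?cmd=lock HTTP/1.1" 200 301 auth=none
192.0.2.5 - - [15/May/2025:10:07:55 +0000] "GET /login HTTP/1.1" 200 3301 auth=none
"""


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    path: str
    status: int


def find_unauthenticated_api_hits(log_text, api_prefix="/api/",
                                  public_paths=("/api/v2/status",)):
    """Return GET requests to protected API paths that succeeded without credentials.

    A 401 is the server doing its job; a 2xx on a protected path with auth=none is
    the signature of an authentication bypass (or a misconfigured endpoint).
    `public_paths` is an allowlist of endpoints that are legitimately unauthenticated.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: log it separately in production
        path_no_query = m["path"].split("?", 1)[0]
        status = int(m["status"])
        if (m["method"] == "GET"
                and path_no_query.startswith(api_prefix)
                and path_no_query not in public_paths
                and 200 <= status < 300
                and m["auth"] == "none"):
            hits.append(Hit(m["ip"], m["ts"], m["path"], status))
    return hits


def hits_by_source(hits):
    """Aggregate hits per client IP; one stray hit is noise, a sequence is a hunt lead."""
    return Counter(h.ip for h in hits)


if __name__ == "__main__":
    found = find_unauthenticated_api_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.ip} GET {h.path} -> {h.status} with no credentials")
    print("by source:", dict(hits_by_source(found)))
```

A genuinely public endpoint will trip this rule, which is why the allowlist exists; the value of the hunt lies in the aggregation by source, because a client that reaches several protected API paths without ever presenting a session is what exploitation of an authentication bypass looks like from the server side.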

Key Insights

  • Ivanti EPMM zero-day exploited via a simple GET request: Attackers chained CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (a remote code execution flaw) in April/May 2025.
  • Abuse of legitimate features: Attackers weaponized standard smartphone-management functions without deploying custom malware.

Practical Applications

  • Use Case: Hospitals and financial institutions were among the thousands of organizations affected, showing that the exposure was not confined to any one sector.
  • Pitfall: Storing database credentials in plain text, as found in Ivanti EPMM, gives an attacker who already has code execution on the appliance a direct path to sensitive device data and to the keys needed to decrypt it.
