Chinese Hackers Exploit Vulnerability in Ivanti Endpoint Manager Mobile Worldwide


Critical vulnerabilities in Ivanti Endpoint Manager Mobile are being exploited by Chinese hackers.

Since May 15, 2025, China-linked attackers have been exploiting a new vulnerability in Ivanti Endpoint Manager Mobile (EPMM) to break into organizations worldwide. The bug, CVE-2025-4428, is a remote code execution flaw; chained with the authentication bypass CVE-2025-4427, it lets an unauthenticated attacker run code on an exposed EPMM server.

Targeted Attacks on Strategic Sectors

The vulnerabilities affect EPMM releases up to and including 12.5.0.0 (the older 11.12, 12.3 and 12.4 branches are affected as well) and were patched on May 13, 2025. Two days later, a new wave of attacks began. BleepingComputer lists victims including the UK's National Health Service, a US medical device manufacturer, governments in Scandinavia, a German telecommunications provider, a US cybersecurity firm, and an Irish aviation finance company.

According to researchers at EclecticIQ, the Chinese UNC5221 group, which has previously exploited Ivanti zero-days, is behind the intrusions. The activity shows deep familiarity with Ivanti's product: the attackers knew exactly where sensitive credentials and configuration files are stored on the appliance.

Real Espionage and Rapid Deployment

During the attacks, the EPMM database was exported and the Office 365 and LDAP configurations were harvested, giving the intruders credentials for the victim's directory and cloud environment. The attackers also staged their temporary files under .jpg extensions so that they would blend in with legitimate image assets and evade casual inspection.
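Renaming a data export or a command's output to .jpg only changes the extension, not the bytes. A quick way to surface such staging files is to compare each image-named file's header against the JPEG magic bytes. The script below is an added example written for this article, not code from EclecticIQ, Ivanti or the original page; it assumes "disguised as .jpg" means a renamed extension, and the directory tree it builds is constructed sample data, not real artifacts from an intrusion.

```python
import os
import sys
import tempfile
from pathlib import Path

# Every JPEG begins with the SOI marker 0xFF 0xD8 followed by 0xFF.
JPEG_MAGIC = b"\xff\xd8\xff"


def is_real_jpeg(path: Path) -> bool:
    """Return True if the file's first three bytes are the JPEG header."""
    try:
        with path.open("rb") as fh:
            return fh.read(3) == JPEG_MAGIC
    except OSError:
        # Unreadable file: treat as not verified rather than crash the hunt.
        return False


def find_fake_jpegs(root: Path) -> list[Path]:
    """Walk root and return every *.jpg / *.jpeg file whose header is not JPEG.

    Such files are candidates for staged data (database dumps, configuration
    exports, command output) renamed to look like images.
    """
    suspects = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg")):
                p = Path(dirpath) / name
                if p.is_file() and not is_real_jpeg(p):
                    suspects.append(p)
    return sorted(suspects)


def build_sample_tree() -> Path:
    """Construct a small fake directory tree for demonstration (sample data)."""
    root = Path(tempfile.mkdtemp(prefix="epmm-hunt-"))
    (root / "tmp").mkdir()
    # A genuine JPEG header with filler: must NOT be reported.
    (root / "tmp" / "logo.jpg").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 64)
    # A plain-text LDAP settings export renamed to look like an image.
    (root / "tmp" / "cache1.jpg").write_bytes(b"ldap.server=ldap://corp.example\n")
    # A gzip archive (0x1F 0x8B header) renamed with an upper-case extension.
    (root / "tmp" / "thumb.JPG").write_bytes(b"\x1f\x8b\x08" + b"\x00" * 32)
    # An unrelated file that is out of scope for the check.
    (root / "tmp" / "notes.txt").write_bytes(b"hello\n")
    return root


if __name__ == "__main__":
    # Scan a directory given on the command line, or the constructed sample tree.
    scan_root = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for hit in find_fake_jpegs(scan_root):
        print(f"non-JPEG content with image extension: {hit}")
```

Run it against a copied-off filesystem image or the appliance's temporary directories; every hit is worth opening in a hex viewer, since a text or gzip header under an image name has no legitimate explanation on an MDM server.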

Ivanti has patched the vulnerabilities, but EclecticIQ stresses that exploitation began within 48 hours of disclosure. Organizations running EPMM that have not yet updated are at serious risk and should move to the fixed releases (11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1) without delay. Because the attacks started before most patch cycles could complete, updating alone does not rule out an earlier compromise: a check for unexpected database exports and for .jpg-named files that are not actually images is prudent on any internet-facing EPMM instance.
