Tag Archive for: Enisa

Joseph Lee

Attackers Advance on Two New Ivanti EPMM Flaws

Just last month, CVE-2025-22457 (CVSS 9.8) affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways was recognized as a vector for ransomware. Now, two new CVEs have been added to the growing list of high-risk Ivanti vulnerabilities; CVE-2025-4427 and CVE-2025-4428 affecting Ivanti EPMM (Endpoint and Patch Management Mobile) are under active exploitation.

Greenbone includes active check and version detection tests addressing both new CVEs and many other flaws in Ivanti products, allowing users to identify vulnerable instances, proceed with the patch process and verify security compliance once patches have been applied. In this blog post we will review the technical details of both new CVEs and assess the role that Ivanti has played in the global cyber risk calculus.

Two New CVEs in Ivanti EPMM Combine for Unauthorized Access

At the time of disclosure, Ivanti admitted that on-premises EPMM customers had already been breached. However, cloud security firm Wiz claims that self-managed cloud instances have also been effectively exploited by attackers. A full technical description of the attack chain is publicly available, making exploit development easier for attackers and further increasing the risk.

Here is a brief summary of each CVE:

  • CVE-2025-4427 (CVSS 5.3): An authentication bypass in the API component of Ivanti EPMM 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.
  • CVE-2025-4428 (CVSS 7.2): Remote Code Execution (RCE) in the API component of Ivanti EPMM 12.5.0.0 and prior allows authenticated attackers to execute arbitrary code via crafted API requests.

Ivanti has released patches to remediate the flaws. Users should update EPMM to at least version 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1. If immediate patching is not possible, Ivanti recommends restricting API access using either the built-in Portal ACLs (Access Control Lists with the “API Connection” type) or an external WAF (Web Application Firewall). Network-based ACLs are discouraged by the vendor, since they may block some EPMM functionality. While these mitigations reduce risk, they can impact functionality for certain EPMM integrations, such as Microsoft Autopilot and Graph API. Ivanti also offers an RPM file which can be used to patch EPMM via SSH command line access.

The Invanti EPMM Exploit Chain

The exploit chain in Ivanti EPMM begins with CVE-2025-4427. Due to an insecure configuration in the application’s security.xml file, certain endpoints (specifically /rs/api/v2/featureusage) partially process requests if the format parameter is provided. This pre-auth processing allowed unauthenticated requests to access functions that should be protected. This access control flaw caused by CVE-2025-4427 sets the stage for RCE via CVE-2025-4428.

CVE-2025-4428 allows RCE via an Expression Language (EL) injection via HTTP requests. If the format parameter supplied in a request is invalid as per the EPMM’s specification (neither “cve” or “json”), its value is appended to an error message without sanitization and logged via Spring Framework’s message templating engine. By supplying specially crafted values in the format parameter, attackers can execute arbitrary Java code because the logged message is evaluated as an EL formatted string.

Researchers have pointed out these risks associated with message templating engines are well documented and rebuked Ivanti’s claims that the vulnerability was due to a flaw in a third-party library, rather than their own oversight. Also, if the conditions leading to exploitation of CVE-2025-4428 sounds familiar, it is reminiscent of the infamous Log4Shell vulnerability. Like Log4Shell, CVE-2025-4428 results from passing unsanitized user input into an expression engine which will interpret special commands from a formatted string. In the case of Log4Shell, malicious string formatting in JNDI lookups (e.g., ${jndi:ldap://…}), could trigger RCE.

Risk Assessment: Attackers Advance on Ivanti Flaws

Ivanti has been in the hot seat for the past few years. Attackers have often exploited flaws in Ivanti’s products to gain initial access to their victim’s networks. Across all product lines, the vendor has been the subject of 61 Critical severity (CVSS >= 9.0) CVEs since the start of 2023. 30 of these have been added to CISA KEV (Known Exploited Vulnerabilities of the Cybersecurity and Infrastructure Security Agency), although the true tally of actively exploited flaws may be higher. Ivanti CVEs have a high conversion rate for use in ransomware attacks; CISA notes 8 CVEs in this category.

In early 2024, the European Commission, ENISA, CERT-EU and Europol issued a joint statement addressing active exploitation of Ivanti Connect Secure and Policy Secure Gateway products. In the US, CISA directed all federal civilian agencies to disconnect these products and assume they had been breached [1][2]. CISA, the FBI and cybersecurity agencies from the UK, Australia and Canada issued a joint advisory warning of ongoing exploitation. By late 2024, CISA had also alerted to active exploitation of Ivanti Cloud Service Appliances (CSA), warning that both state-sponsored and financially motivated threat actors were successfully targeting unpatched systems.

In 2025, on January 8th, CISA warned that newly disclosed CVE-2025-0282 and CVE-2025-0283 in Ivanti Connect Secure, Policy Secure and ZTA Gateways were also under active exploitation. Unfortunately, attackers continue to advance on new flaws in Ivanti’s products well into 2025 including CVE-2025-22457 [3][4] and now, two new CVEs in EPMM discussed above.

Dennis Kozak replaced Jeff Abbott as Ivanti’s CEO effective January 1, 2025 despite a mid-2024 pledge from Mr. Abbot for improved product security. No public statement was made linking the succession to the Utah company’s security challenges, however it happened with only a few weeks’ notice. Executives have not been called to testify before US congress as many other cybersecurity leaders have following high-risk incidents including Sudhakar Ramakrishna (CEO of SolarWinds), Brad Smith (President of Microsoft) and George Kurtz (CEO of CrowdStrike).

Echoes from EPMM’s Past: CVE-2023-35078 and CVE-2023-35082

In addition to the vortex of vulnerabilities discussed above, CVE-2023-35078 (CVSS 9.8) and CVE-2023-35082 (CVSS 9.8), disclosed in July and August 2023 respectively, also provided unauthenticated RCE for Ivanti EPMM. Public exploitation kicked off almost immediately after their disclosure in 2023.

CVE-2023-35078 was exploited to breach the Norwegian government, compromising data from twelve ministries [3][4]. CISA issued an urgent advisory (AA23-214A) citing confirmed exploitation by Advanced Persistent Threat (APT) actors and advising all federal agencies to take immediate mitigation steps. Even back in 2023, the speed and breadth of the attacks underscored Ivanti’s growing profile as a repeat offender, enabling espionage and financially motivated cybercrime.

Summary

Ivanti EPMM is susceptible to two new vulnerabilities; CVE-2025-4427 and CVE-2025-4428 can be combined for unauthorized remote code execution. Now under active exploitation, they underscore a troubling pattern of high-severity flaws in Ivanti products. Ivanti has released patches to remediate the flaws and users should update EPMM to at least version 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1.

Greenbone’s vulnerability detection capabilities extend to include tests for CVE-2025-4427 and CVE-2025-4428 allowing Ivanti EPMM users to identify all vulnerable instances and verify security compliance once patches have been applied.

/by
Greenbone AG

NIS2: What you need to know

NIS2 Umsetzung gezielt auf den Weg bringen!

The deadline for the implementation of NIS2 is approaching – by October 17, 2024, stricter cybersecurity measures are to be transposed into law in Germany via the NIS2 Implementation Act. Other member states will develop their own legislature based on EU Directive 2022/2555. We have taken a close look at this directive for you to provide you with the most important pointers and signposts for the entry into force of NIS2 in this short video. In this video, you will find out whether your company is affected, what measures you should definitely take, which cybersecurity topics you need to pay particular attention to, who you can consult in this regard and what the consequences of non-compliance are.

Preview image for the video 'What you need to know about NIS2' with European star circle and NIS2 lettering - redirects to YouTube

Learn about the Cyber Resilience Act, which provides a solid framework to strengthen your organization’s resilience against cyberattacks. The ENISA Common Criteria will help you assess the security of your IT products and systems and take a risk-minimizing approach right from the development stage. Also prioritize the introduction of an information management system, for example by implementing ISO 27001 certification for your company. Seek advice about IT baseline protection from specialists recommended by the BSI or your local responsible office.

In addition to the BSI as a point of contact for matters relating to NIS2, we are happy to assist you and offer certified solutions in the areas of vulnerability management and penetration testing. By taking a proactive approach, you can identify security gaps in your systems at an early stage and secure them before they can be used for an attack. Our vulnerability management solution automatically scans your system for weaknesses and reports back to you regularly. During penetration testing, a human tester attempts to penetrate your system to give you final assurance about the attack surface of your systems.

You should also make it a habit to stay up to date with regular cybersecurity training and establish a lively exchange with other NIS2 companies. This is the only way for NIS2 to lead to a sustainable increase in the level of cyber security in Europe.

To track down the office responsible for you, follow the respective link for your state.

Austria France Malta
Belgium Germany Netherlands
Bulgaria Greece Poland
Croatia Hungary Portugal
Cyprus Ireland Romania
Czech Republic Italy Slovakia
Denmark Latvia Slovenia
Estonia Lithuania Spain
Finland Luxembourg Sweden

Contact Test Now Buy Here Back to Overview

/by
Markus Feilner

ENISA study: Public sector most at risk

In the 10th edition of its ENISA Threat Landscape (ETL), the EU’s cybersecurity agency explicitly warns of increasing threats from hacking attacks on public sector entities.

Around a quarter of all security related incidents target administrative or government entities, the ENISA study reports – making the public sector nearly twice as much at risk as hosters and providers, who come in second at 13 %. More than ever, users should protect their networks – for example, with products from Greenbone.

The number one threat still are extortionate ransomware attacks, followed by malware and social engineering, e.g. where attackers try to obtain passwords from employees via telephone.

Geopolitics doesn’t stop at the public data center

However, things have changed in the last two years – not only the war in Ukraine ensured that “geopolitical aspects have a significantly greater influence” on threat scenarios, the ENISA authors write. Attacks are becoming more destructive, motivated by the armed conflict and are being flanked by targeted disinformation campaigns – which are increasingly directed against public institutions.

Businesses and government agencies, however, are worried by the fact that attackers have gained in skill level, aggressiveness and agility since 2021. The better organizations have adapted their cybersecurity programs and thus their defenses to the threat environment, the more they have forced attackers to adopt newer attack vectors, to the point of developing new, unknown zeroday exploits and more. At the same time, hacker groups are constantly becoming more agile, renaming themselves and continuously regrouping, further complicating attribution (matching an attack to individuals).

Progressive professionalization of attackers

As if that weren’t enough, the hacker-as-a-service model continues to gain traction; people are becoming more professionalized. Attacks are also increasingly targeting the supply chain, managed service providers and are becoming more and more, as they have been doing every year, especially in the upcoming reporting period – the phase at the end of a fiscal year when reports relevant to the stock exchange may have to be prepared.

What is new, however, according to ENISA, is the increase in hybrid threats, which are also fueled by state actors and software. The study specifically cites the spyware “Pegasus” developed by the Israeli government, as well as phishing and attacks on data infrastructures.

Machine learning and artificial intelligence

The professionalization of attacks has had a particularly fatal effect, because they have become much more sophisticated through the use of machine learning and artificial intelligence. For example, there are already bots that act as deep fakes, disrupt chains of command, and are also capable of disabling government institutions with masses of fake comments.

ENISA groups the typical attackers into four categories: State-sponsored, organized crime (cybercrime), commercial hackers (“hackers for hire”), and activists. The goal of all these attackers is usually unauthorized access to data and disruption of the availability of services (and in many cases the associated extortion of ransom money), they said.

Vulnerability Management protects

The only safe option that government agencies and companies have to counter these attacks is Vulnerability Management, which allows them to look at their own IT infrastructure from the outside, from the perspective of a potential attacker. This is the only way to identify and close security gaps before an attacker succeeds.

This is exactly where our Vulnerability Management products come in – as a hardware or virtual appliance or in the Greenbone Cloud Service. Greenbone develops an Open Source Vulnerability Management and allows users to detect vulnerabilities in their own network infrastructure within a few steps. Our products generate reports with concrete action instructions that you can implement immediately.

We work strictly according to German/European law and offer an Open Source solution. This means best data protection compliance and is thus guaranteed free of backdoors.

Greenbone: Many years of experience in the public sector

For many years, Greenbone has been offering customized products for the public sector, e.g. for requirements of higher security levels (classified, VS-NFD and higher).

Even networks that are physically separated from other networks can be scanned for vulnerabilities with Greenbone. Such areas separated by an “air gap” often occur in public authorities when network segments must be operated separately from the Internet and the rest of the public authority network due to a special need for protection. Greenbone’s products support strict airgap via special USB sticks, but also data diodes that allow traffic in one direction only.

No matter if you already have a frame contract with us or if you contact us for the first time, e.g. via the form on our website: We are happy to help you. Greenbone can look back on many years of experience with public authorities and is always ready to help you with words and deeds. Contact us!


Contact Free Trial Buy Here Back to Overview

/by