Remote Code Execution Vulnerability Actively Exploited by UNC5221 Threat Group
A critical remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM), tracked as CVE-2025-4428, has been exploited by Chinese state-sponsored hackers to breach government networks and other high-value targets globally. The campaign began shortly after Ivanti disclosed and patched the flaw on May 13, 2025.
The attackers, attributed to the threat group UNC5221, have previously exploited vulnerabilities in Ivanti’s Connect Secure VPN appliances in earlier campaigns this year.
“They know which files hold the information required for the next step of the attack,”
— Arda Büyükkaya, EclecticIQ researcher
Vulnerability Details and Exploitation Timeline
CVE-2025-4428 affects Ivanti EPMM versions 12.5.0.0 and earlier, enabling unauthenticated attackers to execute arbitrary code remotely via crafted API requests. Ivanti also addressed another vulnerability, CVE-2025-4427, which allowed for authentication bypass.
Although Ivanti initially stated the vulnerabilities had only been used against a limited number of targets, threat researchers observed widespread exploitation starting around May 15. The same Chinese threat group is believed to be behind these attacks, leveraging deep product knowledge to perform advanced exploitation and post-compromise activity.
Security Guidance for Affected Organizations
Ivanti has issued patches to address both vulnerabilities. All organizations using Ivanti EPMM are urged to:
- Apply all relevant security updates without delay
- Monitor access logs and endpoint behavior for unusual activity
- Audit privileged accounts and permissions
- Segment critical systems to prevent lateral movement
“Given UNC5221’s history of targeting Ivanti products, organizations should stay alert to signs of intrusion and act fast on patch management.”
