Two new Ivanti EPMM (Endpoint Manager Mobile) vulnerabilities – CVE-2025-4427 and CVE-2025-4428 – have been exploited in the wild as zero-days by UNC5221, a Chinese cyber espionage group with a history of targeting edge infrastructure. Their latest campaign highlights the escalating risk posed by advanced persistent threats (APTs) exploiting supply chain blind spots.

What Happened?

UNC5221 successfully chained the two Ivanti vulnerabilities to achieve unauthenticated remote code execution on externally facing systems. These flaws allowed the group to deploy custom malware and backdoors, siphon sensitive mobile device data, and exfiltrate corporate credentials.

Who Was Targeted?

Victims spanned critical sectors and geographies:

  • UK: Local government, NHS-aligned healthcare entities

  • Germany: Telcos, manufacturers, legal firms, and research bodies

  • Ireland: Aerospace leasing firms

  • USA: A mobile threat defence cybersecurity firm, healthcare organisations, a firearms manufacturer, and a medical device company

  • Asia: A South Korean multinational bank and a Japanese automotive supplier

This breadth of targeting is a stark reminder that no vertical is immune—especially those connected through shared service providers and platforms.

Technical Summary

Attackers exploited Ivanti EPMM instances exposed to the internet (both cloud-hosted and on-premises). The campaign featured:

  • KrustyLoader malware delivered from public AWS S3 buckets

  • Sliver C2 implant

  • Reverse proxy tooling

  • Extraction of:

    • IMEIs, phone numbers, and geolocation data from mobile devices

    • LDAP credentials and Office 365 access/refresh tokens

Why This Matters for Supply Chain Risk

At Cyber Tzar, we continuously monitor vulnerabilities like these not just for direct customer exposure but also for indirect risk via suppliers, third-party platforms, and integration partners. EPMM systems are often deployed by MSPs, MDM integrators, and outsourced IT security teams, meaning a single compromise can ripple across multiple clients.

Given UNC5221’s capability to weaponise legitimate system components within EPMM and repurpose them for exfiltration, this campaign underscores a wider issue: attackers are now deeply familiar with core enterprise tooling and are adapting faster than most patching cycles.

Immediate Actions for CISOs & Risk Managers

If your organisation—or any of your key partners—uses Ivanti EPMM, take these steps now:

  1. Patch Immediately
    Ivanti has released fixes in versions:

    • 11.12.0.5

    • 12.3.0.2

    • 12.4.0.2

    • 12.5.0.1

    Note: An HTTP 400 response in logs after patching is not an indication of exploitation.

  2. Review Indicators of Compromise (IOCs)
    Although Ivanti has not published these, both Wiz and EclecticIQ have. Threat intel teams should ingest and match these IOCs across cloud and on-prem log sources.

  3. Map Risk Exposure Across the Supply Chain
    Use platforms like CyberRiskCompare to evaluate which of your vendors, subsidiaries, or partners are running vulnerable Ivanti systems—or similar high-risk edge infrastructure.

  4. Harden Edge Exposures
    This campaign reinforces the need for strong controls at network boundaries. Audit externally accessible services and ensure minimal exposure, MFA, and alerting are in place.
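The following script is an added example of how steps 1 and 2 above can be run together: it checks an inventory of EPMM instances against the four fixed versions named in this post and matches an IoC list against log lines by exact token rather than substring, so the post-patch HTTP 400 responses mentioned above are never flagged. It is not Ivanti's, Cyber Tzar's, Wiz's or EclecticIQ's code; the inventory, log lines and IoC values are constructed placeholders, and only the fixed version numbers come from the post.

```python
"""Patch-state and IoC triage for the Ivanti EPMM advisory above.

Added example, not vendor or Cyber Tzar code. The inventory, log lines and IoC
values are constructed placeholders; only FIXED_VERSIONS comes from the post.
"""
import re

# Fixed EPMM versions listed in the post, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(version):
    """Turn '12.4.0.2' into (12, 4, 0, 2); reject anything not four integers."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part EPMM version, got {version!r}")
    return parts


def patch_status(version):
    """'patched' if at or above the fixed build for its branch, 'unpatched' if
    below, 'unknown' for a branch the post does not list (check vendor guidance)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "unpatched"


def triage_inventory(inventory):
    """Rank hosts: unpatched first (internet-exposed ahead of internal), then
    unknown branches, then patched. Owner is kept so MSP-run hosts stand out."""
    order = {"unpatched": 0, "unknown": 1, "patched": 2}
    rows = [{**host, "status": patch_status(host["version"])} for host in inventory]
    rows.sort(key=lambda r: (order[r["status"]], not r["internet_exposed"], r["host"]))
    return rows


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def match_iocs(log_lines, iocs):
    """Return (line_no, ioc_type, value) for each exact IoC hit. Tokens are
    extracted and compared whole, so a near-miss address such as
    203.0.113.100 never matches 203.0.113.10, and status codes are ignored."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_RE.findall(line):
            if ip in iocs["ip"]:
                hits.append((n, "ip", ip))
        for digest in SHA256_RE.findall(line):
            if digest.lower() in iocs["sha256"]:
                hits.append((n, "sha256", digest.lower()))
    return hits


# Constructed inventory: placeholder hosts, owners and versions.
INVENTORY = [
    {"host": "epmm-hq", "owner": "internal", "version": "12.5.0.1", "internet_exposed": True},
    {"host": "epmm-msp-a", "owner": "msp-a", "version": "12.4.0.1", "internet_exposed": True},
    {"host": "epmm-lab", "owner": "internal", "version": "11.12.0.4", "internet_exposed": False},
    {"host": "epmm-msp-b", "owner": "msp-b", "version": "12.6.0.0", "internet_exposed": True},
]

# Constructed placeholder IoCs (documentation-range IP, dummy hash). Replace with
# the Wiz / EclecticIQ indicator lists the post refers to.
PLACEHOLDER_IOCS = {
    "ip": {"203.0.113.10"},
    "sha256": {"a" * 64},
}

# Constructed log lines; line 2 is the benign post-patch 400 described in the post.
SAMPLE_LOGS = [
    '203.0.113.10 - - [14/May/2025:10:01:02 +0000] "GET /mifs/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/May/2025:10:01:05 +0000] "GET /mifs/ HTTP/1.1" 400 0',
    "upload sha256=" + "a" * 64 + " name=payload.bin",
    '203.0.113.100 - - [14/May/2025:10:02:00 +0000] "GET /mifs/ HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print(f"{row['host']:<12} {row['owner']:<9} {row['version']:<10} {row['status']}")
    for line_no, kind, value in match_iocs(SAMPLE_LOGS, PLACEHOLDER_IOCS):
        print(f"IoC hit: line {line_no} {kind} {value}")
```

Run as-is it lists the two unpatched hosts first, with the internet-exposed MSP-run instance at the top, flags the 12.6.0.0 host as a branch the post does not cover rather than silently calling it patched, and reports exactly two IoC hits: the 400 line and the near-miss 203.0.113.100 line are left alone.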

Final Thoughts

The exploitation of Ivanti EPMM is not just a one-off security incident—it reflects a strategic playbook being executed by state-level actors. Enterprises must move beyond perimeter defence and into continuous third-party cyber risk awareness.

At Cyber Tzar, our mission is to give you visibility not just into your own systems, but into the vulnerabilities and posture of those you depend on. Whether you’re managing hundreds of suppliers or vetting a single endpoint management platform, our CRQ-driven approach ensures you focus on what matters most.

Stay informed. Stay resilient. Compare and manage your cyber risk with clarity.
