‘Ongoing’ Ivanti hijack bug exploitation reaches clouds www.theregister.com/2025/05/2…
The “ongoing exploitation” of two Ivanti bugs has now extended beyond on-premises environments and hit customers' cloud instances, according to security shop Wiz.
CVE-2025-4427 is an authentication bypass vulnerability and CVE-2025-4428 is a post-authentication remote-code execution (RCE) flaw. Together they allow a miscreant to run malware on a vulnerable deployment and hijack it. Both holes affect Ivanti Endpoint Manager Mobile (EPMM), on-premises software used to manage company-issued devices and applications and secure access to sensitive corporate data.
According to the vendor, the flaws are not present in Ivanti Neurons for MDM, Ivanti’s cloud-based version. “We cannot comment on unverified third party research and that our security advisory contains the latest facts,” an Ivanti spokesperson told The Register.
Wiz researchers, however, say otherwise. “We can confirm that the incident we found was on cloud hosted virtual appliances and not an on-prem device,” Gili Tikochinski, malware researcher at Wiz, told The Register. “This doesn’t mean that the attacker explicitly targeted cloud environments because from an outside network perspective it is hard to differentiate the two deployment options but it does mean that both cloud and on-prem customers are at risk.”