
Learning From Ivanti EPMM Attacks

by David Walker

The Ivanti Endpoint Manager Mobile (EPMM) zero-day attacks, which began last spring and lasted well into the summer as attackers took advantage of patching lag, were one of the top cyber-stories of 2025, sending thousands of victims to the depths of the data exfiltration sea. A recent deep-dive into the wreckage of those attacks highlights the risk inherent in buggy endpoint management systems — a concern that needs to be a higher priority than it typically is, one researcher argues.

Ivanti EPMM is a mobile device management platform that organizes the use of remotely managed smartphones and tablets. It pushes security policies, manages corporate applications, and controls access to email and internal services. And that makes it an extremely privileged platform. 

“What makes the compromise of systems like Endpoint Mobile Manager so special is that once attackers gain initial access, these platforms can be transformed into an enterprise-wide command-and-control server (C2),” warned Arda Büyükkaya, senior cyber threat intelligence analyst at EclecticIQ, speaking from the stage at Black Hat Europe earlier this month. “They legitimately control every enrolled smartphone. And any adversary who compromises them inherits the same power.”


In April 2025, attackers started to exploit Internet-facing Ivanti servers through two zero-day vulnerabilities (CVE-2025-4427 and CVE-2025-4428) that were chained together to achieve remote code execution. On May 13, Ivanti released a security patch addressing the two vulnerabilities, and two days later watchTowr Labs published a proof of concept (PoC) for testing the exploit chain. Shortly after, as often happens once a PoC is live, an attack bonanza began that EclecticIQ attributed with high confidence to a China-nexus advanced persistent threat (APT) group — and other groups soon piled on.


“The vulnerability was caused by a faulty API functionality,” Büyükkaya said. “Attackers simply send a simple GET request with a format parameter to execute a malicious remote command.”
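The article only says that the faulty API is reached with a GET request carrying a `format` parameter, which is enough for a first-pass detection over web-server access logs. The script below is an added example, not code from the article, EclecticIQ, or Ivanti: it assumes combined-log-format lines and a hypothetical endpoint path (`/api/v2/status`), treats any `format` value that is not a short bare token such as `json` as suspicious, and decodes percent-encoded values so that encoding does not hide the pattern. All sample log lines are constructed.

```python
"""Flag suspicious values of the `format` query parameter in access logs.

Added example; the endpoint path and log lines are constructed, and the only
fact taken from the article is that the vulnerable API takes a `format`
parameter on a GET request.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Apache/nginx combined log format).
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2025:09:12:01 +0000] "GET /api/v2/status?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.55 - - [14/May/2025:09:12:07 +0000] "GET /api/v2/status?format=${7*7} HTTP/1.1" 200 388 "-" "python-requests/2.31"
198.51.100.7 - - [14/May/2025:09:13:40 +0000] "GET /api/v2/status?format=xml HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.7 - - [14/May/2025:09:14:02 +0000] "GET /api/v2/status?format=%24%7B1%2B1%7D HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.10 - - [14/May/2025:09:15:11 +0000] "POST /api/v2/login HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A legitimate format selector is a short bare token (json, xml, csv, ...).
SAFE_FORMAT = re.compile(r'[A-Za-z0-9_.-]{1,32}')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    rec = match.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so encoded payloads are normalised here.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_suspicious_format(value):
    """True when the value carries anything beyond a plain format token."""
    return SAFE_FORMAT.fullmatch(value) is None


def scan_access_log(text):
    """Return one finding per request whose `format` value looks like an attack."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "format" not in rec["query"]:
            continue
        for value in rec["query"]["format"]:
            if is_suspicious_format(value):
                findings.append({
                    "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                    "status": rec["status"], "format": value,
                })
    return findings


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["path"]} status={hit["status"]} format={hit["format"]!r}')
```

The allow-list approach (define what a benign value looks like, alert on everything else) is deliberate: a deny-list of exploit strings would need updating every time a new encoding or payload variant appears, whereas a format selector that is anything other than a short token is abnormal regardless of what it contains. Run it over real logs after percent-decoding, and pair hits with the response status and the source IP's other requests.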

EclecticIQ scanned for vulnerable Ivanti servers and built a list of potential victims, mapping affected organizations across both the public and private sector. It uncovered a sprawling campaign that affected thousands of entities, particularly in Europe. 

“The severity of the Ivanti EPMM vulnerability lies in the fact that it affected every sector that touches our daily life, including hospitals, a government entity in the United Kingdom, and thousands of victims in critical sectors such as telecommunications and financial services,” the researcher said during his talk, entitled “One Entry Point to Thousands of Phones: China‑Nexus APT Exploiting Ivanti Endpoint Manager Mobile.” 


EclecticIQ immediately notified the affected organizations it identified and the relevant national CERTs, resulting in quick containment of thousands of compromised Ivanti servers, he added.

“Actionable threat intelligence can stop active intrusions,” according to Büyükkaya. “After sharing the threat intelligence with affected organizations, they were able to immediately perform intrusion analysis to identify possible further breaches, which is critical.”

Full Ivanti EPMM Compromise: ‘Disneyland’ for Cyberattackers

The attack chain provides an adversary-in-the-middle capability that includes the ability to add or remove users, interact with users’ phones or tablets, locate devices, reset PIN codes, unlock devices, or push security configurations that, in the hands of an attacker, can become a powerful toolset for further compromise, Büyükkaya said. Making matters worse, attackers can also deploy applications/malware or install root certificates on every enrolled smartphone, he added.


“This allows them to intercept and decrypt victims’ mobile Web traffic, effectively giving them full visibility into network communication, because there’s a malicious root certificate installed on the mobile phone,” he explained. “It’s like Disneyland for a cyberattacker.”


The Risky Anatomy of an Endpoint Management Cyberattack

When it comes to the attack patterns of the in-the-wild incidents, Büyükkaya was able to find a common modus operandi across the campaigns. According to the Ivanti access logs, the attackers gained initial access using a simple Linux patch command; that in turn allowed them to deploy a reverse shell on compromised Ivanti servers that set the stage for wide-scale infiltration.

The attackers immediately searched for system directories and looked for critical configuration files, including unencrypted database credentials. Using those credentials, they then logged into the local MySQL server, which contains Ivanti EPMM encryption keys, allowing them to decrypt the sensitive data stored inside — and effectively removing one of the core security barriers protecting the platform’s internal data.

“The problem is that normally, MySQL credentials should be stored in an encrypted way, but in the Ivanti EPMM solution, unfortunately, they were stored in plain text,” Büyükkaya noted.

That sensitive data turned out to be a goldmine in most cases, representing far more than device metadata. In many instances it included email addresses, phone numbers, owner names, last known locations of the smartphones enrolled, and also full enterprise directory information with job titles and employee names.

But that’s not all: “The worst case is, if there was a cloud integration enabled, that could also expose valid access tokens for services like Google Workspace, Salesforce and Microsoft 365,” Büyükkaya said. “In attacker hands, this information can amplify the impact of the intrusion by providing unauthorized access to the corporate cloud server, which can allow data exfiltration and a further pivot into the deeper network of the enterprise.”

He added, “That also enables targeted social engineering against executives or administrators. With that Microsoft 365 access token in hand, an attacker could sign in just like a legitimate user and read or send emails from the corporate mailbox, so they could monitor conversations and carry out business email compromise (BEC).”

Further, if the privilege level of a stolen access token is tied to an admin, the attack could quickly escalate into enterprise-wide compromise, giving the attacker possible access to SharePoint sites and the ability to exfiltrate even more sensitive data from there.

Were the Ivanti EPMM Attacks a Chinese APT Espionage Effort?

As far as attribution goes, Büyükkaya noted that several things point in the direction of a Chinese APT being the culprit, including the fact that the C2 infrastructure was hosted on China Telecom. Beyond that, the attackers also deployed open source reconnaissance tools that were documented in Mandarin language. 

For instance, for lateral movement, the attackers deployed an open source tool named FRP, which Büyükkaya said is frequently used by Chinese nation-state APT groups to create a reverse proxy tunnel. “That means now the one server can become a relay to scan enterprise networks and gain access to internal applications that were not exposed externally,” he explained. 

“Attackers don’t choose a random infrastructure or tooling,” Büyükkaya explained. “They choose what they’re comfortable with, what’s available in their local ecosystem, and what aligns with their day-to-day habits…and those habits leave some fingerprints.” 

Defense Against Zero-Day Attacks Isn’t Impossible

Patching lag contributed to Ivanti EPMM attacks continuing well past the time they should have, but vulnerability management obviously won’t prevent zero-day attacks. So Büyükkaya advocates adding new measures to the enterprise defense playbook.

“In the modern cyber landscape, zero-day vulnerabilities are the reality,” he noted. “And you don’t need to be a larger organization to be targeted, either — and this is why the Internet-facing applications must sit at the top of your threat-modeling priority list.”

In particular, and as seen in the Ivanti EPMM attacks, attackers can weaponize legitimate features in enterprise platforms. 

“We observed attackers abusing smartphone-management functions to extend their reach without deploying any custom malware,” he explained. “This is a critical blind spot for every organization. Malicious activity can hide inside what appears to be normal administrative behavior.”

To reduce that risk, organizations should monitor for suspicious use of legitimate features and deploy sensitive policies around how enterprise applications operate in order to catch suspicious activities.
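The monitoring the article calls for has to start from the platform's own admin audit trail, because the actions involved (root certificate installs, app deployments, PIN resets, unlocks, admin account changes) are all legitimate features. The detector below is an added example, not code from the article, EclecticIQ, or Ivanti. It assumes a hypothetical JSON-lines audit export with the fields `ts`, `admin`, `action`, `devices` and `src_ip` (real EPMM audit formats differ) and checks each high-impact action against a baseline of known admins, admin source networks, a per-action device cap, and business hours. The audit lines are constructed.

```python
"""Spot abuse of legitimate MDM administrative features in an admin audit log.

Added example with a hypothetical audit format; the list of high-impact
actions mirrors the capabilities the article describes.
"""
import ipaddress
import json
from datetime import datetime

# Actions that reach every enrolled device or change who can administer them.
HIGH_RISK_ACTIONS = {
    "PUSH_ROOT_CERT", "DEPLOY_APP", "RESET_PIN", "UNLOCK_DEVICE", "ADD_ADMIN",
}

# Baseline an organisation would maintain for its MDM console (constructed).
POLICY = {
    "known_admins": {"alice", "bob"},
    "admin_networks": [ipaddress.ip_network("10.20.0.0/16")],
    "max_devices_per_action": 25,
    "business_hours": (7, 19),  # UTC hours, start inclusive, end exclusive
}

# Constructed JSON-lines audit export.
SAMPLE_AUDIT = """\
{"ts": "2025-05-16T10:02:11Z", "admin": "alice", "action": "DEPLOY_APP", "devices": 12, "src_ip": "10.20.4.8"}
{"ts": "2025-05-16T10:15:40Z", "admin": "bob", "action": "RESET_PIN", "devices": 1, "src_ip": "10.20.7.31"}
{"ts": "2025-05-17T02:48:03Z", "admin": "svc-backup", "action": "ADD_ADMIN", "devices": 0, "src_ip": "203.0.113.9"}
{"ts": "2025-05-17T02:49:27Z", "admin": "svc-backup", "action": "PUSH_ROOT_CERT", "devices": 1400, "src_ip": "203.0.113.9"}
{"ts": "2025-05-17T11:05:00Z", "admin": "alice", "action": "LOCATE_DEVICE", "devices": 1, "src_ip": "10.20.4.8"}
"""


def evaluate_event(event, policy=POLICY):
    """Return the list of baseline violations for one audit event (empty if benign)."""
    reasons = []
    if event["action"] not in HIGH_RISK_ACTIONS:
        return reasons
    if event["admin"] not in policy["known_admins"]:
        reasons.append("unknown-admin")
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in policy["admin_networks"]):
        reasons.append("source-outside-admin-network")
    if event["devices"] > policy["max_devices_per_action"]:
        reasons.append("mass-action")
    hour = datetime.fromisoformat(event["ts"].replace("Z", "+00:00")).hour
    start, end = policy["business_hours"]
    if not start <= hour < end:
        reasons.append("off-hours")
    return reasons


def scan_audit_log(text, policy=POLICY):
    """Return one alert per high-risk event that violates at least one baseline rule."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = evaluate_event(event, policy)
        if reasons:
            alerts.append({
                "ts": event["ts"], "admin": event["admin"],
                "action": event["action"], "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_AUDIT):
        print(f'{alert["ts"]} {alert["admin"]} {alert["action"]}: {", ".join(alert["reasons"])}')
```

Each alert carries every rule it tripped rather than a single verdict, so an analyst can see at a glance that a root-certificate push to 1,400 devices by an account nobody recognises, from outside the admin network, at three in the morning, is a different animal from one known admin deploying an app to a dozen phones during the day. The thresholds and the business-hours window are baseline values to tune per organisation, not fixed constants.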

It’s not something to sleep on: researchers at Wiz linked the 2025 EPMM attacks to much earlier efforts, showcasing that threat actors view these platforms as juicy prizes. From a wider perspective, Ivanti bugs in general tend to attract cyberattacker notice, as evidenced by attack frenzies in January and in early April on other Ivanti platforms.

Büyükkaya said that, unfortunately, historical context shows that such blind spots persist. He pointed to a similar spate of attacks in 2023, when a different Ivanti vulnerability chain (CVE-2023-35078 and CVE-2023-35082) was exploited as a zero-day that compromised multiple Norwegian government ministries.

“The 2023 attacks were never publicly attributed to any threat actor, and the objective remains unknown,” he said. “But it should have served as an early warning for the entire industry, because these management platforms are incredibly powerful, and when they aren’t secured and monitored properly, attackers can leverage a single flaw to compromise even government-level networks. Unfortunately, as we saw this year, history repeats itself.”
