
Introduction
The growing number of cyberattacks on edge devices has become a serious concern for organizations globally. Recently, Ivanti disclosed that two of its Endpoint Manager Mobile (EPMM) vulnerabilities were exploited for remote code execution (RCE) attacks. These vulnerabilities have now been linked to previous zero-day attacks on other devices, notably firewalls from Palo Alto Networks. As cybersecurity threats continue to evolve, this pattern emphasizes the increasing targeting of edge devices, which play a critical role in modern network infrastructures.
Summary
Wiz researchers have uncovered a significant connection between the recent exploitation of Ivanti’s EPMM VPN product and earlier attacks involving other edge devices. The Ivanti vulnerabilities (CVE-2025-4427 and CVE-2025-4428) allow threat actors to bypass authentication and execute remote code. These flaws have been actively exploited since mid-May 2025, following the release of proof-of-concept (PoC) exploits.
Interestingly, the same IP address, 77.221.158[.]154, used for the Ivanti attacks, was previously tied to attacks on Palo Alto Networks’ firewalls. This suggests the involvement of a single, opportunistic threat actor targeting multiple device types, including Ivanti’s EPMM and Palo Alto’s PAN-OS.
Wiz noted that, although no ransomware or data exfiltration was observed, the use of Sliver, a popular command-and-control (C2) framework, in both campaigns further connects the two incidents. This implies that a persistent actor is exploiting the vulnerabilities before patches are applied. Both campaigns highlight a dangerous pattern of cybercriminals targeting network devices with known vulnerabilities, exploiting them for malicious purposes.
In addition to these findings, a separate report from Arctic Wolf also links the attacks to a Russian hosting provider, Aeza International LTD, which has been previously implicated in illicit activities. The importance of applying timely patches to edge devices and maintaining vigilance on internet-facing appliances is underscored by both Wiz and Arctic Wolf.
What Undercode Says:
The recent Ivanti EPMM exploitation is a reminder of how critical it is to stay up to date with security patches, especially for devices that play a central role in managing enterprise network traffic. With vulnerabilities such as CVE-2025-4427 and CVE-2025-4428 being exploited so soon after the PoC exploits were released, it’s clear that threat actors are capitalizing on the time gap between vulnerability disclosure and patch application.
The connection between Ivanti and Palo Alto
Moreover, the use of Sliver, a C2 framework, indicates a level of sophistication and persistence in the attacker’s strategy. This suggests a well-resourced threat actor who is able to continuously exploit vulnerabilities across multiple platforms. While the attribution to a specific cyber group or nation-state remains uncertain, the pattern of activity shows a clear focus on exploiting known vulnerabilities.
In terms of preventative measures, Ivanti customers are advised to upgrade to patched versions of EPMM and to prioritize securing their internet-facing devices. The continuous monitoring of network traffic for signs of Sliver activity and blocking traffic from suspicious IP addresses are essential steps in mitigating the risk of further exploitation.
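One way to act on the monitoring and blocking advice above, as an added example that is not code from the article, Wiz or Arctic Wolf: it refangs the indicator published in this report and scans log lines for it. The log format and the sample lines are constructed assumptions for the demo.

```python
import ipaddress
import re

# Indicator as published (defanged) in the report above.
DEFANGED_INDICATORS = ["77.221.158[.]154"]

# Constructed sample firewall log lines for the demo (not real traffic).
SAMPLE_LOGS = [
    "2025-05-16T02:11:09Z fw01 src=77.221.158.154 dst=10.0.5.20 dport=443 action=allow",
    "2025-05-16T02:11:10Z fw01 src=203.0.113.7 dst=10.0.5.20 dport=443 action=allow",
    "2025-05-16T02:12:44Z fw01 src=77.221.158.154 dst=10.0.5.21 dport=8443 action=allow",
    "malformed line with no source field",
]

# Matches the assumed "src=<ipv4>" field in the constructed log format.
LOG_SRC = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 77.221.158[.]154 back into a real IP string."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def load_blocklist(indicators):
    """Parse defanged indicators into ip_address objects; invalid entries raise ValueError."""
    return {ipaddress.ip_address(refang(raw)) for raw in indicators}


def find_hits(lines, blocklist):
    """Return (line_number, src_ip, line) for lines whose source IP is on the blocklist."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_SRC.search(line)
        if not m:
            continue  # skip lines that carry no source address
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # regex allows octets > 255; ip_address rejects them
        if src in blocklist:
            hits.append((n, str(src), line))
    return hits


if __name__ == "__main__":
    for n, src, line in find_hits(SAMPLE_LOGS, load_blocklist(DEFANGED_INDICATORS)):
        print(f"ALERT line {n}: blocklisted source {src}: {line}")
```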
Fact Checker Results
- The identified IP address, 77.221.158[.]154, has been linked to multiple attacks across various devices, confirming a pattern of opportunistic exploitation.
- The use of Sliver C2 framework in both campaigns indicates the threat actor’s reliance on easily accessible tools, which increases the likelihood of ongoing attacks.
- Both Wiz and Arctic Wolf emphasize the importance of patching and monitoring edge devices, given the growing trend of targeting such devices.
Prediction
Given the increasing trend of cybercriminals targeting edge devices, we predict a rise in attacks leveraging known vulnerabilities. As proof-of-concept exploits become publicly available, the window for potential attacks widens, making it essential for organizations to stay ahead with timely security updates. With the rise of sophisticated frameworks like Sliver, we can expect more complex, persistent attack campaigns focusing on edge devices in the near future. Organizations should prioritize robust security measures, including the regular application of patches, advanced network monitoring, and threat intelligence sharing to stay one step ahead of evolving threats.
References:
Reported By: www.darkreading.com