CyberAlerts

CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution

🚨 Marked as known exploited on May 13th, 2025 (21 days ago).

Description: Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacksBackgroundOn May 13, Ivanti released a security advisory to address a high severity remote code execution (RCE) and a medium severity authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM) product, a mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).CVEDescriptionCVSSv3CVE-2025-4427Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability5.3CVE-2025-4428Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability7.2AnalysisCVE-2025-4427 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API) that is normally only accessible to authenticated users.CVE-2025-4428 is a RCE in Ivanti’s EPMM. An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device.An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication. Both vulnerabilities are associated with open source libraries used by the EPMM software. Ivanti has indicated that these vulnerabilities have been exploited in the wild in a limited number of cases.Customers that restric...

CVSS: MEDIUM (5.3)

EPSS Score: 72.5%

Source: Tenable Blog

May 13th, 2025 (21 days ago)

CVE-2025-4427

Authentication Bypass

🚨 Marked as known exploited on May 13th, 2025 (21 days ago).

Description: An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

CVSS: MEDIUM (5.3)

EPSS Score: 72.5%

Source: CVE

May 13th, 2025 (22 days ago)

Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends

🚨 Marked as known exploited on April 23rd, 2025 (about 1 month ago).

Description: The 2025 Verizon Data Breach Investigations Report (DBIR) reveals that vulnerability exploitation was present in 20% of breaches — a 34% increase year-over-year. To support the report, Tenable Research contributed enriched data on the most exploited vulnerabilities. In this blog, we analyze 17 edge-related CVEs and remediation trends across industry sectors.BackgroundSince 2008, Verizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats. For the 2025 edition, Tenable Research contributed enriched data on the most exploited vulnerabilities of the past year. We analyzed over 160 million data points and zeroed-in on the 17 edge device CVEs featured in the DBIR to understand their average remediation times. In this blog, we take a closer look at these vulnerabilities, revealing industry-specific trends and highlighting where patching still lags — often by months.In this year’s DBIR, vulnerabilities in Virtual Private Networks (VPNs) and edge devices were particular areas of concern, accounting for 22% of the CVE-related breaches in this year’s report, almost eight times the amount of 3% found in the 2024 report.AnalysisThe 2025 DBIR found that exploitation of vulnerabilities surged to be one of the top initial access vectors for 20% of data breaches. This represents a 34% increase over last year’s report and is driven in part by the zero-day exploitation of VPN and edge device vulnerabilities – asset classes that tradit...

CVSS: MEDIUM (6.0)

Source: Tenable Blog

April 23rd, 2025 (about 1 month ago)

CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download

🚨 Marked as known exploited on April 18th, 2025 (about 2 months ago).

Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager (NTLM) hash disclosure

CVSS: MEDIUM (6.5)

Source: TheHackerNews

April 18th, 2025 (about 2 months ago)

CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices

🚨 Marked as known exploited on April 17th, 2025 (about 2 months ago).

Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection

CVSS: MEDIUM (6.5)

Source: TheHackerNews

April 17th, 2025 (about 2 months ago)

CVE-2025-31201

This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1,...

🚨 Marked as known exploited on April 17th, 2025 (about 2 months ago).

Description: This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

CVSS: MEDIUM (6.8)

EPSS Score: 0.25%

SSVC Exploitation: none

Source: CVE

April 16th, 2025 (about 2 months ago)

CVE-2021-20035

CISA Adds One Known Exploited Vulnerability to Catalog

🚨 Marked as known exploited on April 16th, 2025 (about 2 months ago).

Description: CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2021-20035 SonicWall SMA100 Appliances OS Command Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CVSS: MEDIUM (6.5)

Source: All CISA Advisories

April 16th, 2025 (about 2 months ago)

CVE-2025-21590

Junos OS: An local attacker with shell access can execute arbitrary code

🚨 Marked as known exploited on March 13th, 2025 (3 months ago).

Description: An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device. A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device. This issue is not exploitable from the Junos CLI. This issue affects Junos OS: * All versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S10, * 22.2 versions before 22.2R3-S6, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R1-S2, 24.2R2.

CVSS: MEDIUM (4.4)

EPSS Score: 5.1%

SSVC Exploitation: none

Source: CVE

March 12th, 2025 (3 months ago)

CVE-2025-24991

Windows NTFS Information Disclosure Vulnerability

🚨 Marked as known exploited on March 11th, 2025 (3 months ago).

Description: Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally.

CVSS: MEDIUM (5.5)

EPSS Score: 2.97%

SSVC Exploitation: active

Source: CVE

March 11th, 2025 (3 months ago)

CVE-2025-24984

Windows NTFS Information Disclosure Vulnerability

🚨 Marked as known exploited on March 11th, 2025 (3 months ago).

Description: Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack.

CVSS: MEDIUM (4.6)

EPSS Score: 19.24%

SSVC Exploitation: active

Source: CVE

March 11th, 2025 (3 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

	CVE-2025-4427, CVE-2025-4428: Ivanti Endpoint Manager Mobile (EPMM) Remote Code Execution 🚨 Marked as known exploited on May 13th, 2025 (21 days ago). Description: Remote code execution vulnerability in a popular mobile device management solution from Ivanti has been exploited in the wild in limited attacksBackgroundOn May 13, Ivanti released a security advisory to address a high severity remote code execution (RCE) and a medium severity authentication bypass vulnerability in its Endpoint Manager Mobile (EPMM) product, a mobile management software that can be used for mobile device management (MDM), mobile application management (MAM) and mobile content management (MCM).CVEDescriptionCVSSv3CVE-2025-4427Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability5.3CVE-2025-4428Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability7.2AnalysisCVE-2025-4427 is an authentication bypass vulnerability in Ivanti’s EPMM. An unauthenticated, remote attacker could exploit this vulnerability to gain access to the server’s application programming interface (API) that is normally only accessible to authenticated users.CVE-2025-4428 is a RCE in Ivanti’s EPMM. An authenticated attacker could exploit this vulnerability to execute arbitrary code on a vulnerable device.An attacker that successfully exploits these flaws could chain them together to execute arbitrary code on a vulnerable device without authentication. Both vulnerabilities are associated with open source libraries used by the EPMM software. Ivanti has indicated that these vulnerabilities have been exploited in the wild in a limited number of cases.Customers that restric... CVSS: MEDIUM (5.3) EPSS Score: 72.5% Source: Tenable Blog May 13th, 2025 (21 days ago)
CVE-2025-4427	Authentication Bypass 🚨 Marked as known exploited on May 13th, 2025 (21 days ago). Description: An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API. CVSS: MEDIUM (5.3) EPSS Score: 72.5% Source: CVE May 13th, 2025 (22 days ago)
	Verizon 2025 DBIR: Tenable Research Collaboration Shines a Spotlight on CVE Remediation Trends 🚨 Marked as known exploited on April 23rd, 2025 (about 1 month ago). Description: The 2025 Verizon Data Breach Investigations Report (DBIR) reveals that vulnerability exploitation was present in 20% of breaches — a 34% increase year-over-year. To support the report, Tenable Research contributed enriched data on the most exploited vulnerabilities. In this blog, we analyze 17 edge-related CVEs and remediation trends across industry sectors.BackgroundSince 2008, Verizon’s annual Data Breach Investigations Report (DBIR) has helped organizations understand evolving cyber threats. For the 2025 edition, Tenable Research contributed enriched data on the most exploited vulnerabilities of the past year. We analyzed over 160 million data points and zeroed-in on the 17 edge device CVEs featured in the DBIR to understand their average remediation times. In this blog, we take a closer look at these vulnerabilities, revealing industry-specific trends and highlighting where patching still lags — often by months.In this year’s DBIR, vulnerabilities in Virtual Private Networks (VPNs) and edge devices were particular areas of concern, accounting for 22% of the CVE-related breaches in this year’s report, almost eight times the amount of 3% found in the 2024 report.AnalysisThe 2025 DBIR found that exploitation of vulnerabilities surged to be one of the top initial access vectors for 20% of data breaches. This represents a 34% increase over last year’s report and is driven in part by the zero-day exploitation of VPN and edge device vulnerabilities – asset classes that tradit... CVSS: MEDIUM (6.0) Source: Tenable Blog April 23rd, 2025 (about 1 month ago)
	CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download 🚨 Marked as known exploited on April 18th, 2025 (about 2 months ago). Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager (NTLM) hash disclosure CVSS: MEDIUM (6.5) Source: TheHackerNews April 18th, 2025 (about 2 months ago)
	CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices 🚨 Marked as known exploited on April 17th, 2025 (about 2 months ago). Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection CVSS: MEDIUM (6.5) Source: TheHackerNews April 17th, 2025 (about 2 months ago)
CVE-2025-31201	This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1,... 🚨 Marked as known exploited on April 17th, 2025 (about 2 months ago). Description: This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. CVSS: MEDIUM (6.8) EPSS Score: 0.25% SSVC Exploitation: none Source: CVE April 16th, 2025 (about 2 months ago)
CVE-2021-20035	CISA Adds One Known Exploited Vulnerability to Catalog 🚨 Marked as known exploited on April 16th, 2025 (about 2 months ago). Description: CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2021-20035 SonicWall SMA100 Appliances OS Command Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. CVSS: MEDIUM (6.5) Source: All CISA Advisories April 16th, 2025 (about 2 months ago)
CVE-2025-21590	Junos OS: An local attacker with shell access can execute arbitrary code 🚨 Marked as known exploited on March 13th, 2025 (3 months ago). Description: An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to compromise the integrity of the device. A local attacker with access to the shell is able to inject arbitrary code which can compromise an affected device. This issue is not exploitable from the Junos CLI. This issue affects Junos OS: * All versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S10, * 22.2 versions before 22.2R3-S6, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R1-S2, 24.2R2. CVSS: MEDIUM (4.4) EPSS Score: 5.1% SSVC Exploitation: none Source: CVE March 12th, 2025 (3 months ago)
CVE-2025-24991	Windows NTFS Information Disclosure Vulnerability 🚨 Marked as known exploited on March 11th, 2025 (3 months ago). Description: Out-of-bounds read in Windows NTFS allows an authorized attacker to disclose information locally. CVSS: MEDIUM (5.5) EPSS Score: 2.97% SSVC Exploitation: active Source: CVE March 11th, 2025 (3 months ago)
CVE-2025-24984	Windows NTFS Information Disclosure Vulnerability 🚨 Marked as known exploited on March 11th, 2025 (3 months ago). Description: Insertion of sensitive information into log file in Windows NTFS allows an unauthorized attacker to disclose information with a physical attack. CVSS: MEDIUM (4.6) EPSS Score: 19.24% SSVC Exploitation: active Source: CVE March 11th, 2025 (3 months ago)