January 16, 2026
The article looks back at the 2025 attacks on Ivanti Endpoint Manager Mobile (EPMM), a mobile device management (MDM) platform that enforces security policies and controls access to corporate services on enrolled phones and tablets. Because EPMM holds that much privilege, compromising it can quickly amount to enterprise-wide control: attackers can use it like a command-and-control hub to manage devices, change settings, and extend their reach across the organization. The campaign began in April 2025, when attackers chained two zero-day vulnerabilities (CVE-2025-4427, an authentication bypass, and CVE-2025-4428, a remote code execution flaw) to run code on unpatched appliances. Ivanti released patches on May 13, and once a proof-of-concept was published, exploitation surged, aided by slow patching. EclecticIQ's analysis mapped thousands of affected organizations (especially in Europe) across healthcare, government, telecom, and financial services, and attributed the activity with high confidence to a China-nexus APT, with other actors following on.
The article then explains why these intrusions were so damaging and what defenders should learn. After gaining access, attackers used well-worn steps (dropping shells, hunting for configuration files, and pulling credentials) to reach EPMM's database and encryption keys; in the reported cases some sensitive credentials were stored in plain text, which let attackers decrypt protected data. From there they could read rich user and directory information (names, roles, email addresses, device details, and sometimes cloud access tokens), which makes follow-on compromise and targeted social engineering much easier. The author's main takeaway is that zero-days will keep happening, so organizations should treat Internet-facing management platforms as top threat-modeling priorities and add detection for "legitimate feature abuse" (malicious actions that look like normal admin activity) rather than relying on patching alone.
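The "legitimate feature abuse" point deserves a concrete shape. Signature-based detection cannot flag a config export or a new admin account, because those are normal product features; what distinguishes abuse is context: where the session comes from, when it happens, how fast sensitive actions pile up, and whether the acting account was itself just minted. The following Python block is an added illustration, not code from the Dark Reading article, EclecticIQ, or Ivanti. The audit-log format, the action names, the admin networks, business hours and burst thresholds are all assumptions that would need to be mapped onto a real platform's audit events, and the sample log lines are constructed.

```python
"""Detect "legitimate feature abuse" in MDM admin audit logs.

Added illustration. The log format, action names, admin networks and
thresholds are assumptions (not Ivanti's); the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Actions an attacker holding an MDM admin session would reach for
# (assumed names; map them to your platform's audit event types).
SENSITIVE_ACTIONS = {
    "export_config", "create_admin", "read_credentials",
    "create_api_token", "push_policy", "wipe_device",
}
# Networks from which legitimate admins normally work (assumption).
ADMIN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.50.0/24")]
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time (assumption)
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 3                        # more than 3 sensitive actions in window

# Constructed sample audit lines: "ts|actor|src_ip|action|detail"
SAMPLE_LOG = """\
2025-05-20T09:14:02|alice|10.1.4.22|login|ok
2025-05-20T09:20:11|alice|10.1.4.22|push_policy|group=sales
2025-05-20T02:03:40|svc-mdm|203.0.113.77|login|ok
2025-05-20T02:04:05|svc-mdm|203.0.113.77|read_credentials|ldap_bind
2025-05-20T02:04:30|svc-mdm|203.0.113.77|export_config|all
2025-05-20T02:05:01|svc-mdm|203.0.113.77|create_admin|user=backup2
2025-05-20T02:05:20|svc-mdm|203.0.113.77|create_api_token|scope=full
2025-05-20T02:06:00|backup2|203.0.113.77|export_config|users
"""


def parse_line(line):
    ts, actor, src, action, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "actor": actor,
            "src_ip": ip_address(src), "action": action, "detail": detail}


def is_admin_network(ip):
    return any(ip in net for net in ADMIN_NETWORKS)


def detect_feature_abuse(log_text):
    """Return a list of (actor, action, reason) alerts.

    Each sensitive action is judged on its own (source network, time of day)
    and in context (burst by one actor, action by an admin account that was
    created earlier in this same log). Ordinary admin actions from the
    expected network during business hours produce nothing.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(list)   # actor -> timestamps of sensitive actions
    created_admins = set()       # admin accounts minted inside this log

    for e in events:
        if e["action"] == "create_admin":
            created_admins.add(e["detail"].removeprefix("user="))
        if e["action"] not in SENSITIVE_ACTIONS:
            continue
        actor, action = e["actor"], e["action"]
        reasons = []
        if not is_admin_network(e["src_ip"]):
            reasons.append(f"source {e['src_ip']} outside admin networks")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if actor in created_admins:
            reasons.append("actor is an admin account created in this log")
        window = recent[actor]
        window.append(e["ts"])
        # keep only this actor's sensitive actions inside the sliding window
        window[:] = [t for t in window if e["ts"] - t <= BURST_WINDOW]
        if len(window) > BURST_LIMIT:
            reasons.append(f"{len(window)} sensitive actions within "
                           f"{BURST_WINDOW.seconds // 60} min")
        for r in reasons:
            alerts.append((actor, action, r))
    return alerts


if __name__ == "__main__":
    for a in detect_feature_abuse(SAMPLE_LOG):
        print(a)
```

Run against the constructed log, alice's daytime policy push from the admin network produces nothing, while the 02:00 session from an outside address trips the source and time-of-day checks on every sensitive action, the fourth action within ten minutes adds a burst alert, and the export by the freshly created `backup2` account is flagged because the account's creation is visible in the same log. None of these rules looks at the exploit; they look at how product features are being used, which is exactly the gap the article says patching alone leaves open.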
Source: https://www.darkreading.com/cyber-risk/sunken-ships-ivanti-epmm-attacks