3 May 2026

BSI Warns Against Unpatched Ivanti Systems


Two Ivanti EPMM zero-days were exploited in combination at the end of April 2026 – 130 unique IP addresses actively tested the vulnerabilities within 24 hours of disclosure. BSI, CISA, and NHS England issued parallel warnings. Immediate action is mandatory for KRITIS operators, authorities, and organizations running production MDM environments based on Ivanti.

Key Takeaways

  • Two zero-days in Ivanti EPMM. CVE-2025-4427 (Authentication Bypass, CVSS 9.8) and CVE-2025-4428 (Remote Code Execution via API). In combination, they enable unauthenticated RCE without user interaction.
  • 130 IPs exploit within 24h. Shadowserver Foundation documented 130 unique attacker IPs within 24 hours after disclosure. Exploit code is publicly available.
  • BSI warning 2026-221601-1032 active. The BSI issued its own highest-priority warning. NHS England and CISA released parallel warnings.
  • KRITIS-MDM particularly affected. Ivanti EPMM is used in authorities, hospitals, and KRITIS operators for Mobile Device Management. A compromised MDM server gives attackers access to all managed devices.

What is Ivanti EPMM? Ivanti Enterprise Mobility Management (EPMM) is an on-premises MDM platform that organizations use to centrally manage, configure, and secure mobile endpoints. EPMM controls device access, app deployment, VPN profiles, and certificate distribution for all connected smartphones, tablets, and laptops within an organization.


The Vulnerabilities in Detail: Authentication Bypass Leads to RCE

CVE-2025-4427 is an Authentication Bypass in the Ivanti EPMM REST API. The vulnerability allows attackers to access API endpoints that normally require authentication – without valid credentials. CVSS score 9.8, classified as critical. All EPMM versions prior to the April 30, 2026 patch are affected.

CVE-2025-4428 is a Remote Code Execution vulnerability that can be exploited via the REST API. On its own, it has limited impact – but combined with CVE-2025-4427, the attack chain is complete: bypass authentication, then achieve RCE on the EPMM server. This combination enables unauthenticated code execution on the MDM server without any user interaction.

What makes the situation particularly dangerous: Ivanti released the patches on April 30. Exploit code was publicly available within hours, according to the Shadowserver Foundation. 130 unique IP addresses attempted active exploitation – within the first 24 hours after disclosure.

Three-Step Attack Chain

  • Step 1: Authentication Bypass via CVE-2025-4427 – no account required
  • Step 2: RCE via CVE-2025-4428 through the REST API as an authenticated user
  • Step 3: Full access to the MDM server – all managed devices reachable

Ivanti EPMM: A Repeat Offender – Vulnerability History

This isn’t Ivanti’s first critical incident. In 2024, Ivanti Connect Secure and Policy Secure were heavily affected – multiple zero-days were actively exploited before patches were available. US CISA had to issue an Emergency Directive instructing federal agencies to immediately disconnect the systems from the network.

The pattern repeats with EPMM in 2026 – with one crucial difference: the exploitation speed has increased. 24 hours from disclosure to 130 documented attacker IPs is exceptionally fast and suggests prepared exploit kits or coordinated threat actors. CISA immediately added both CVEs to its KEV Catalog.

The BSI, in its warning 2026-221601-1032, explicitly highlighted the relevance for German KRITIS operators. The warning is a standalone Priority 1 warning, not merely a relay of the CISA recommendation – indicating that the BSI has its own insights into potentially affected German systems.

KRITIS Relevance: Why MDM Infrastructure is Critical

Ivanti EPMM is widely used in Germany as a Mobile Device Management solution for government agencies, healthcare facilities, and KRITIS operators. A compromised MDM server is not an isolated issue – it’s the central control system for all managed mobile endpoints within an organization.

What attackers can achieve with access to the MDM server: push configuration profiles to devices (VPN, email, certificates), manage apps on all devices, remotely wipe or lock devices, extract network access credentials configured on devices. For KRITIS operators, this means: a compromised MDM server is a gateway to all managed endpoints – and potentially to the network behind them.

NHS England was identified as one of the first affected systems. In Germany, the BSI issued warning 2026-221601-1032, urging Ivanti EPMM operators to conduct an immediate review. NIS2 Article 21 obliges affected organizations to promptly remediate known critical vulnerabilities. Those who haven’t patched the vulnerability and find signs of compromise are subject to the NIS2 reporting obligation with a 24-hour early warning.

What MDM Operators Need to Do Now

Immediate Action

  • Patch Ivanti EPMM to the current version (patches available since April 30, 2026)
  • Remove EPMM server from the internet if it can’t be patched immediately
  • Check REST API logs for unexpected requests (last 30 days)
  • Compare logs against the Indicators of Compromise from the BSI warning

Medium-term Hardening

  • Restrict EPMM management interface to a dedicated management VLAN
  • Limit API access to known admin IPs
  • Set up SIEM alerts for unusual MDM API calls
  • Review incident response plan for MDM compromise

For organizations that cannot patch EPMM immediately, immediate network segmentation is the only acceptable workaround. Leaving the management port accessible via the public internet is not a viable option with known active exploitation. KRITIS operators should also check if EPMM is listed as a critical infrastructure component in their reporting catalog.

Fact sources: Ivanti Security Advisory, BSI warning 2026-221601-1032, Shadowserver Foundation April 2026, CISA KEV Catalog.

Frequently Asked Questions

Which Ivanti EPMM versions are affected by the zero-days?

CVE-2025-4427 and CVE-2025-4428 affect all Ivanti EPMM versions prior to the patch release on April 30, 2026. Ivanti has released patches for all supported branches. Versions no longer in support will not receive a patch – immediate network segmentation or migration is the only option.

How does this warning differ from previous Ivanti warnings?

Ivanti products were already under active exploitation in 2024 and 2025 (Connect Secure, Policy Secure). The difference with EPMM 2026: the exploitation was unusually fast (24h), the impact on MDM infrastructure is particularly far-reaching, and the simultaneous warnings from BSI, CISA, and NHS England indicate coordinated observation.

What are the Indicators of Compromise (IoC) for CVE-2025-4427/4428?

The specific IoCs are listed in BSI warning 2026-221601-1032 and in the Ivanti Security Advisory. Unusual access to authentication-required endpoints without valid session tokens should stand out in the REST API logs. Shadowserver also provides an IP list of known attacker addresses.

Do KRITIS operators need to report the incident?

If the vulnerability was exploited (signs of compromise), NIS2 reporting is mandatory: early warning to BSI within 24 hours of detection, full report within 72 hours. If there’s no indication of successful exploitation but the vulnerability exists, reporting is not required – but proof of patching measures is recommended.

How can I check if my EPMM server has already been compromised?

Analyze REST API access logs for requests to protected endpoints without valid session tokens, unknown IP addresses, or unusual timestamps (e.g., 3-5 am). Check for new admin accounts, unauthorized configuration changes, and new certificates rolled out via EPMM. BSI and Ivanti provide IoC lists that should be compared against log files.
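The following Python script is an added example, not code from the article, the BSI, or Ivanti. It turns the three checks above (protected endpoint served without an authenticated user, request from an unknown IP, request at an unusual hour) into a first-pass triage over access-log lines, and it is also the kind of logic the "Check REST API logs" and "SIEM alert" items in the action list describe. Everything specific is an assumption that must be adapted: the sample log lines are constructed in Apache combined-log style, the protected URL prefix (`/api/`), the admin network (`10.20.0.0/24`), and the off-hours window are placeholders, and the real list of authentication-required endpoints must come from the Ivanti advisory.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample access-log lines in Apache combined-log style
# (assumption: your EPMM front end logs in a similar format; adjust LOG_RE otherwise).
# Fields: client_ip ident remote_user [timestamp] "request" status bytes "referer" "user-agent"
SAMPLE_LOG = """\
10.20.0.5 - admin [02/May/2026:09:14:03 +0000] "GET /api/v2/devices HTTP/1.1" 200 512 "-" "EPMM-Console"
203.0.113.17 - - [02/May/2026:03:41:55 +0000] "GET /api/v2/devices HTTP/1.1" 200 5120 "-" "python-requests/2.31"
203.0.113.17 - - [02/May/2026:03:42:01 +0000] "POST /api/v2/config HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.20.0.5 - - [02/May/2026:10:02:11 +0000] "GET /login HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.9 - admin [02/May/2026:14:30:00 +0000] "GET /api/v2/devices HTTP/1.1" 200 512 "-" "EPMM-Console"
"""

# Assumptions to adapt: which URL prefixes require authentication on your server
# (take these from the Ivanti advisory), which networks may reach the API, and
# what "off hours" means for your organisation (range(3, 5) = 03:00-04:59,
# evaluated in the timezone the log line carries).
PROTECTED_PREFIXES = ("/api/",)
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]
OFF_HOURS = range(3, 5)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    return rec


def classify(rec):
    """Return the list of findings for one parsed request (empty list = nothing unusual)."""
    findings = []
    protected = rec["path"].startswith(PROTECTED_PREFIXES)
    # A protected endpoint answered with a success code although the server
    # recorded no authenticated user is the pattern the FAQ tells you to look for.
    if protected and rec["user"] == "-" and rec["status"] < 400:
        findings.append("protected endpoint served without authenticated user")
    if protected and not any(rec["ip"] in net for net in ADMIN_NETWORKS):
        findings.append("API request from outside admin networks")
    if protected and rec["ts"].hour in OFF_HOURS:
        findings.append("API request during off-hours")
    return findings


def scan(log_text):
    """Return [(raw_line, findings)] for every parseable line with at least one finding."""
    results = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (findings := classify(rec)):
            results.append((line, findings))
    return results


if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(line)
        for f in findings:
            print("   ->", f)
```

On the constructed sample, the script flags the two off-hours requests from 203.0.113.17 (the first of them also as an unauthenticated success on a protected endpoint) and the admin session from 198.51.100.9 as coming from outside the admin network; the console request from 10.20.0.5 and the login page request are not reported. Treat hits as triage candidates to compare against the BSI and Ivanti IoC lists, not as proof of compromise.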

Title image source: Pexels | Fact basis: Ivanti Advisory, BSI, CISA, Shadowserver Foundation

Author: Benedikt Langer

A magazine by Evernine Media GmbH