U.S. CISA adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ivanti EPMM, MDaemon Email Server, Srimax Output Messenger, Zimbra Collaboration, and ZKTeco BioTime flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the descriptions for these flaws:
- CVE-2025-4427 Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability
- CVE-2025-4428 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
- CVE-2024-11182 (CVSS score: 5.3) MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability. A remote attacker can trigger the flaw by sending an HTML e-mail message with JavaScript in an img tag. This could allow the attacker to load arbitrary JavaScript code in the context of a webmail user’s browser window.
- CVE-2025-27920 (CVSS score: 7.2) Srimax Output Messenger Directory Traversal Vulnerability that allows attackers to access files outside the intended directory using `../` sequences.
- CVE-2024-27443 (CVSS score: 6.1) Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability. The issue is due to improper input validation. An attacker can use a crafted email with a malicious calendar header to trigger JavaScript execution when it is viewed in the classic webmail interface, risking session hijacking or other attacks.
- CVE-2023-38950 ZKTeco BioTime Path Traversal Vulnerability. An unauthenticated attacker can exploit the flaw to read arbitrary files by supplying a crafted payload.
In mid-May, Ivanti released security updates to address two vulnerabilities, CVE-2025-4427 and CVE-2025-4428, in its Endpoint Manager Mobile (EPMM) software. The company confirmed that threat actors have chained the flaws in limited attacks to gain remote code execution.
Below is their description:
- CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass in Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials.
- CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability in Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system.
CERT-EU reported both vulnerabilities to the software firm. The company confirmed that threat actors could chain the two vulnerabilities to achieve remote code execution without authentication.
The vulnerabilities have been addressed with versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.
The vulnerabilities affect two unnamed open-source libraries used in EPMM; the company pointed out that they do not reside in its own code. The company is still investigating the attacks; however, it does not have “reliable atomic indicators” at the time of this writing.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by June 9, 2025.
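For an organization that has to meet a KEV due date, the practical task is crossing the catalog entries with its own asset inventory and deciding which installs are still exposed. The block below is an added example, not code from CISA, Ivanti or the article: it parses a constructed excerpt shaped like CISA's KEV JSON feed (field names `cveID`, `vendorProject`, `product`, `dueDate` as in the real feed; the CVE IDs, products and the June 9, 2025 due date are taken from this article), applies the fixed EPMM builds named above as a per-branch version rule (the assumption that a release branch is the first two version components is mine), and reports every asset that is unpatched with its days to the deadline. The inventory rows and the `PATCH_CHECKERS` registry are constructed for illustration.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed; not the live catalog.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-4427", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)", "dueDate": "2025-06-09"},
        {"cveID": "CVE-2025-4428", "vendorProject": "Ivanti",
         "product": "Endpoint Manager Mobile (EPMM)", "dueDate": "2025-06-09"},
        {"cveID": "CVE-2023-38950", "vendorProject": "ZKTeco",
         "product": "BioTime", "dueDate": "2025-06-09"},
    ],
})

# Fixed EPMM builds named in the article, keyed by release branch
# (assumption: branch = first two version components, each branch has its own fix).
EPMM_FIXED = {"11.12": "11.12.0.5", "12.3": "12.3.0.2", "12.4": "12.4.0.2", "12.5": "12.5.0.1"}


def parse_version(v: str) -> tuple:
    """Turn '12.4.0.2' into (12, 4, 0, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def epmm_is_patched(installed: str) -> bool:
    """True only if the build is at or above the fix for its own branch.

    A build from a branch with no listed fix is treated as unpatched until verified,
    which is the conservative choice for a triage report.
    """
    branch = ".".join(installed.split(".")[:2])
    fixed = EPMM_FIXED.get(branch)
    return fixed is not None and parse_version(installed) >= parse_version(fixed)


# Hypothetical registry of per-product version rules; products without one are always reported.
PATCH_CHECKERS = {("Ivanti", "Endpoint Manager Mobile (EPMM)"): epmm_is_patched}


def triage(kev_json: str, inventory: list, today: date) -> list:
    """Return one finding per (asset, CVE) pair that is still unpatched, most urgent first.

    inventory rows (constructed shape): {"host", "vendor", "product", "version"}.
    """
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        key = (entry["vendorProject"], entry["product"])
        checker = PATCH_CHECKERS.get(key)
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if (asset["vendor"], asset["product"]) != key:
                continue
            if checker is not None and checker(asset["version"]):
                continue  # fixed build installed, nothing to report
            findings.append({
                "host": asset["host"], "cve": entry["cveID"], "version": asset["version"],
                "due": due.isoformat(), "days_left": (due - today).days,
                "status": "overdue" if today > due else "open",
            })
    return sorted(findings, key=lambda f: (f["days_left"], f["host"]))


INVENTORY = [  # constructed sample assets
    {"host": "mdm-01", "vendor": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)", "version": "12.4.0.1"},
    {"host": "mdm-02", "vendor": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)", "version": "12.5.0.1"},
    {"host": "hr-time", "vendor": "ZKTeco", "product": "BioTime", "version": "8.5"},
]

if __name__ == "__main__":
    for finding in triage(KEV_SAMPLE, INVENTORY, date(2025, 6, 1)):
        print(finding)
```

Two details matter in practice: versions are compared as integer tuples (a string comparison would rank `12.4.0.10` below `12.4.0.2`), and the patched check is scoped to the installed branch, because a host on 12.4.0.1 is not made safe by the existence of 12.5.0.1.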