Ivanti patches two zero-days under active attack as intel agency warns customers
Australia’s intelligence agency is warning organizations about several new Ivanti zero-days chained for remote code execution (RCE) attacks. The vendor itself has said the vulns are linked to two mystery open source libraries which it declined to name.
The Australian Signals Directorate (ASD) issued a critical warning about CVE-2025-4427 (5.3) and CVE-2025-4428 (7.2) earlier today. Individually, the two bugs seem fairly unalarming, but together they can be, and have been, used to exploit Ivanti customers.
“We are aware of a very limited number of customers whose solution has been exploited at the time of disclosure,” said Ivanti in its advisory, which was released alongside the patches for Ivanti Endpoint Manager Mobile (EPMM).
EPMM is used by Ivanti customers to manage company-issued devices and applications on those devices, while providing secure access to sensitive or confidential content such as company documents.
Although EPMM can be used by all types of organizations, the ASD’s advisory stated that the information was intended for large organizations and government entities, suggesting the EPMM vulnerabilities are less likely to affect smaller companies.
The affected EPMM versions include:
- 11.12.0.4 and earlier
- 12.3.0.1 and earlier
- 12.4.0.1 and earlier
- 12.5.0.0 and earlier
All four series of the software have patches available, but if customers can’t apply them right away, they can mitigate the threat of chained attacks by filtering access to the API using either the Portal ACLs functionality or via an external WAF, Ivanti said.
Ivanti did not provide indicators of compromise. Instead, it urged customers who are concerned about whether they have been compromised to contact its support team.