CISA's latest advisory report reveals critical vulnerabilities in Ivanti, MDaemon, Zimbra, and more. Patches are available for flaws like CVE-2025-4427 in Ivanti EPMM.
Multiple vulnerabilities have been detected in widely used software and systems, specifically in Ivanti Endpoint Manager Mobile (EPMM), MDaemon Email Server, Srimax Output Messenger, Synacor Zimbra Collaboration Suite (ZCS), and ZKTeco BioTime.
A new advisory by the Cybersecurity and Infrastructure Security Agency (CISA) highlights these vulnerabilities, which were identified through the Common Vulnerabilities and Exposures (CVE) naming system and assigned severity levels via the Common Vulnerability Scoring System (CVSS).
The CVEs listed in this advisory have been linked to several critical, high, and medium-risk vulnerabilities, with new patches available to address these flaws. Below is a detailed look at the specific CVEs listed by CISA.
Ivanti has released updates to address two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0, a platform organizations use to manage mobile devices.
Ivanti has provided mitigation guidance for both vulnerabilities: it recommends using the built-in Portal ACLs functionality or an external Web Application Firewall (WAF) to filter access to the API and reduce the risk of exploitation. Where further assistance is needed, Ivanti offers customers an RPM file that can be installed by following a detailed guide.
A cross-site scripting (XSS) vulnerability has been discovered in versions of MDaemon Email Server prior to 24.5.1c. Identified as CVE-2024-11182, this vulnerability, with a medium severity CVSS score of 5.3, allows an attacker to inject malicious JavaScript into email messages. When users interact with these emails, the malicious code executes in the context of their browser, potentially leading to unauthorized access or data leakage.
Notably, this vulnerability has been exploited in cyber-espionage campaigns: the Russian state-sponsored group APT28 leveraged it as part of its Operation RoundPress. This highlights the real-world threat posed by the flaw.
Organizations using MDaemon Email Server are urged to apply the patch available for version 24.5.1c to prevent potential exploitation.
A directory traversal vulnerability, CVE-2025-27920, has been discovered in Srimax Output Messenger versions prior to 2.0.63. This vulnerability, rated high with a CVSS score of 7.2, allows attackers to access sensitive files outside the intended directory by exploiting improper file path handling.
The flaw has been actively exploited by the Turkish-affiliated threat group Marbled Dust since April 2024. The group has targeted entities associated with the Kurdish military in Iraq, using the vulnerability to deliver malicious payloads and exfiltrate sensitive data. Organizations using vulnerable versions of Output Messenger are strongly advised to update to version 2.0.63 or later to mitigate this risk.
Zimbra Collaboration Suite (ZCS) versions 9.0 and 10.0 are vulnerable to a cross-site scripting (XSS) issue identified as CVE-2024-27443. The flaw, with a CVSS score of 6.1, lies in the CalendarInvite feature of the webmail interface.
Attackers can exploit this vulnerability by embedding a crafted calendar header containing malicious JavaScript in an email. The embedded script then executes when the recipient views the message in Zimbra's classic webmail interface.
Like the MDaemon Email Server vulnerability, CVE-2024-27443 has been exploited by APT28 in the same cyber-espionage campaign.
ZKTeco BioTime v8.5.5 contains a path traversal vulnerability, CVE-2023-38950, that allows unauthenticated attackers to read arbitrary files by sending a specially crafted payload. This high-severity vulnerability, with a CVSS score of 7.5, has been actively exploited by Iranian state-sponsored hackers targeting critical infrastructure in the Middle East.
As with the other vulnerabilities in this advisory, organizations using ZKTeco BioTime are advised to apply the available patches and to use Cyble's ODIN scanner to check whether their systems are internet-facing, since internet exposure increases the risk of exploitation.
The vulnerabilities highlighted in this security advisory are not hypothetical—they are actively exploited in the wild. Featured in CISA’s Known Exploited Vulnerabilities (KEV) catalog, they demand immediate action to protect systems and data from potential breaches.
Organizations should apply the latest patches to affected systems like Ivanti EPMM, MDaemon Email Server, Output Messenger, Zimbra, and ZKTeco BioTime, and utilize Cyble’s ODIN scanner to check for exposed assets.
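As an added illustration that is not part of the original advisory or of Cyble's tooling, the following Python script encodes the affected-version statements given above (MDaemon prior to 24.5.1c, Output Messenger prior to 2.0.63, BioTime 8.5.5, Zimbra 9.0 and 10.0) and flags inventory entries that still need patching. The rule types, the version-string grammar and the sample hosts are assumptions constructed for the example; the Ivanti entry is omitted because the text above does not state a fixed version.

```python
import re
# Affected-version rules transcribed from the advisory text; nothing beyond what the
# page states is encoded. "lt": below the fix; "exact": listed version; "series": major.minor.
ADVISORY = {
    "MDaemon Email Server": ("CVE-2024-11182", "lt", "24.5.1c"),
    "Srimax Output Messenger": ("CVE-2025-27920", "lt", "2.0.63"),
    "ZKTeco BioTime": ("CVE-2023-38950", "exact", ["8.5.5"]),
    "Zimbra Collaboration Suite": ("CVE-2024-27443", "series", ["9.0", "10.0"]),
}

def parse_version(text):
    """'24.5.1c' -> [(24,''),(5,''),(1,'c')]: a plain release sorts before its lettered hotfix."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2).lower()))
    return parts

def version_cmp(a, b):
    """-1, 0 or 1; shorter versions are zero-padded so '2.0' == '2.0.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += [(0, "")] * (width - len(pa))
    pb += [(0, "")] * (width - len(pb))
    return (pa > pb) - (pa < pb)

def affected_cve(product, deployed):
    """CVE id if the deployed version falls under the advisory rule, else None."""
    if product not in ADVISORY:
        return None
    cve, rule, value = ADVISORY[product]
    if rule == "lt":
        hit = version_cmp(deployed, value) < 0
    elif rule == "exact":
        hit = any(version_cmp(deployed, v) == 0 for v in value)
    else:  # "series": compare only the major.minor prefix
        hit = any(parse_version(v)[:2] == parse_version(deployed)[:2] for v in value)
    return cve if hit else None

def triage(inventory):
    """inventory: iterable of (host, product, version); returns rows still needing the patch."""
    return [(host, product, ver, cve) for host, product, ver in inventory
            if (cve := affected_cve(product, ver))]

# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE = [("mail-01", "MDaemon Email Server", "24.5.1b"),
          ("chat-01", "Srimax Output Messenger", "2.0.62"),
          ("zcs-01", "Zimbra Collaboration Suite", "10.0.7"),
          ("hr-01", "ZKTeco BioTime", "8.5.5")]
```

Running `triage(SAMPLE)` lists all four sample hosts with their CVE; a host reporting 24.5.1c or 2.0.63 drops out, because the lettered hotfix and the fixed release compare as not-below the fix.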