Date: 2025-04-25
A critical zero-day vulnerability (CVE-2025-12345) in Ivanti Endpoint Manager (EPM) was exploited to deploy LockBit 4.0 ransomware across supply-chain vendors, affecting over 1,200 organizations globally. The attackers used the compromised IT management software's own update channel to push malicious updates to downstream customers, so the payload arrived through a path those customers already trusted.
Affected Systems:
– Ivanti EPM versions 2022.3 through 2025.1
– Windows/Linux endpoints managed via Ivanti
– Third-party logistics and manufacturing vendors
April 23, 2025 (08:00 UTC):
The campaign began with spear-phishing emails targeting DevOps teams at Ivanti's third-party contractors. From that foothold the attackers infiltrated Ivanti's internal build servers and, using stolen code-signing certificates, injected malware into legitimate EPM patches so that the tampered builds carried valid signatures.
April 23, 2025 (14:30 UTC):
The tampered patches were distributed through Ivanti's automated patch management system. Early victims included European automotive manufacturers and Asian electronics suppliers.
April 24, 2025 (03:15 UTC):
LockBit 4.0 payloads executed on the managed endpoints, encrypting files and exfiltrating data to Tor-based command-and-control (C2) servers. Ransom notes demanded payment in Monero (XMR) in exchange for not publishing the stolen data.
April 24, 2025 (11:00 UTC):
Ivanti issued an emergency patch (v2025.1 Hotfix 2). By then the attackers had already moved laterally inside victim networks using Pass-the-Hash (authenticating with captured NTLM password hashes rather than plaintext credentials) and had compromised VPN gateways at victim sites. Patching EPM closes the delivery path but does not evict an intruder who already holds valid credentials, so affected sites also needed credential resets and a hunt for persistence.
(ivantictl.exe) for privilege escalation.
Affected Organizations: ~1,200 across 18 countries
Financial Losses: Estimated $320M in downtime and ransom payments
Data Leaked: More than 45 TB of proprietary designs and contracts
Sectors hit hardest: automotive, aerospace, and semiconductor manufacturing.
Our Endpoint Detection & Response (EDR) deployments blocked LockBit 4.0 by:
– Detecting anomalous ivantictl.exe process trees, that is, the agent spawning processes outside its normal set of children (Behavioral AI Model #CYB-X9).
– Enforcing certificate pinning on the update channel to reject updates served by impostor servers (Cyberonix Secure Update Gateway). Pinning authenticates the server, not the package: a patch signed with a stolen but still valid code-signing certificate and delivered through the genuine channel passes a transport pin, so the signer identity, the certificate's revocation status and the package hash have to be checked as well.
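The kind of process-tree check the first bullet describes, as an added example (not Cyberonix or Ivanti code): it indexes process-creation events, finds every tree rooted at ivantictl.exe, and flags the agent when it is started by an unexpected parent or when a descendant is a script interpreter, falls outside an expected child set, or carries a known-bad command line. The baseline (agent started by services.exe, routine children msiexec.exe and conhost.exe), the interpreter and command-line indicator lists, and the sample events are all assumptions or constructed for illustration, not Ivanti's documented process model or observed LockBit 4.0 behaviour.

```python
"""Flag anomalous process trees rooted at the Ivanti agent binary.

Added example for illustration; not Cyberonix or Ivanti code. The baseline,
indicator lists and sample events below are assumptions, not Ivanti's
documented process model or observed ransomware tradecraft.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon/EDR event would carry)."""
    pid: int
    ppid: int
    image: str     # executable basename, e.g. "ivantictl.exe"
    cmdline: str


ROOT = "ivantictl.exe"
# Assumed baseline: the agent runs as a service, so services.exe should start it,
# and its routine children are the installer engine and the console host.
EXPECTED_ROOT_PARENTS = {"services.exe"}
EXPECTED_CHILDREN = {"msiexec.exe", "conhost.exe"}
# Script hosts and LOLBins a patch agent has no routine reason to launch.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Command-line indicators: encoded PowerShell (any prefix of -EncodedCommand),
# download cradles, and the shadow-copy / recovery tampering that commonly
# precedes file encryption. Generic ransomware indicators, not LockBit-specific.
SUSPICIOUS_PATTERNS = {
    "encoded powershell": re.compile(r"(?<!\S)-e(?:c|n|nc|ncodedcommand)?(?!\S)"),
    "download cradle": re.compile(r"downloadstring|frombase64string|invoke-webrequest"),
    "shadow copy deletion": re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete"),
    "recovery tampering": re.compile(r"bcdedit.*recoveryenabled\s+no|wbadmin\s+delete\s+catalog"),
}


def index_events(events):
    """Build pid -> event and ppid -> [child pids] lookups."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e.pid)
    return by_pid, children


def descendants(pid, children):
    """Depth-first walk of the subtree under pid, yielding (pid, depth)."""
    stack = [(c, 1) for c in children.get(pid, [])]
    while stack:
        cur, depth = stack.pop()
        yield cur, depth
        stack.extend((c, depth + 1) for c in children.get(cur, []))


def analyze(events):
    """Return {pid: [reasons]} for processes in anomalous trees rooted at ROOT."""
    by_pid, children = index_events(events)
    findings = defaultdict(list)
    for root in (e for e in events if e.image.lower() == ROOT):
        parent = by_pid.get(root.ppid)
        parent_img = parent.image.lower() if parent else "<unknown>"
        if parent_img not in EXPECTED_ROOT_PARENTS:
            findings[root.pid].append(
                f"agent started by {parent_img}, expected "
                + "/".join(sorted(EXPECTED_ROOT_PARENTS)))
        for pid, depth in descendants(root.pid, children):
            ev = by_pid[pid]
            img, cmd = ev.image.lower(), ev.cmdline.lower()
            if img in INTERPRETERS:
                findings[pid].append(f"interpreter {img} at depth {depth} under agent")
            elif img not in EXPECTED_CHILDREN:
                findings[pid].append(f"unexpected child {img} at depth {depth} under agent")
            hits = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
            if hits:
                findings[pid].append("suspicious command line: " + ", ".join(hits))
    return dict(findings)


# Constructed sample: one healthy agent tree, the same agent spawning an encoded
# PowerShell that deletes shadow copies, and a second agent instance started
# from a user session instead of the service control manager.
SAMPLE_EVENTS = [
    ProcEvent(600, 4, "services.exe", "C:\\Windows\\System32\\services.exe"),
    ProcEvent(1200, 600, "ivantictl.exe", "ivantictl.exe --service"),
    ProcEvent(1300, 1200, "msiexec.exe", "msiexec.exe /i patch.msi /qn"),
    ProcEvent(1500, 1200, "powershell.exe", "powershell.exe -nop -w hidden -enc UwB0AGEAZwBlAA=="),
    ProcEvent(1600, 1500, "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(3100, 900, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(2000, 3100, "ivantictl.exe", "ivantictl.exe --run-task"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(analyze(SAMPLE_EVENTS).items()):
        print(pid, "|", "; ".join(reasons))
```

The healthy tree (1200 -> 1300) produces no findings; the PowerShell child and its vssadmin grandchild are each flagged twice (placement in the tree plus command line), and the agent launched from explorer.exe is flagged on its parent alone. In production the baseline would be learned from a clean fleet rather than hard-coded, and the walk would run over a streaming event source instead of a list.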