Attackers who exploit the Ivanti EPMM vulnerabilities can install covert malware on the compromised appliances, according to CISA's statement.
In a recently disclosed incident, an unidentified attacker exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The intrusion occurred around May 15, shortly after a proof-of-concept exploit became publicly available.
The attacker chained the two CVEs to run malware on, and take control of, vulnerable EPMM deployments. CVE-2025-4427 is an authentication bypass, which lets an unauthenticated request reach functionality that should require a login; CVE-2025-4428 is a post-authentication remote code execution (RCE) flaw, which the bypass makes reachable without credentials. Neither bug alone gives an unauthenticated attacker code execution; together they do.
Malware set 1, delivered to the victim appliance, consists of three malicious files: web-install.jar, ReflectUtil.class, and SecurityHandlerWanListener.class. The JAR loads ReflectUtil.class, which injects the malicious listener SecurityHandlerWanListener into the running Apache Tomcat instance and manages it. The listener intercepts specific HTTP requests, decodes and decrypts the payloads they carry, and defines a new class from the result, which the attacker can then invoke to run arbitrary code on the appliance.
Malware set 2, found during the same investigation, contains web-install.jar and WebAndroidAppInstaller.class. WebAndroidAppInstaller.class likewise intercepts and processes specific HTTP requests, harvests password parameters from them, defines and loads a new malicious class, encrypts that class's output, and returns it in the HTTP response.
CISA (the Cybersecurity and Infrastructure Security Agency) urged organizations to upgrade to the latest Ivanti EPMM version and to treat mobile device management (MDM) systems as high-value assets, since an MDM server can push software and policy to every managed device. It also warned large organizations and government entities to watch for activity targeting these two Ivanti EPMM bugs.
CISA published indicators of compromise (IOCs) for the malware but declined to comment beyond the report. Darktrace, the organization that reported the investigation, detected and analyzed the attack.
The attacker delivered the malware in segments: both loaders were split into multiple Base64-encoded pieces, each sent in a separate HTTP GET request. This was likely done to evade detection and analysis, since no single request contains a recognizable payload. A consequence for defenders is that the loaders only become visible when requests from the same client to the same endpoint are correlated and their segments reassembled, rather than when each request is inspected on its own.
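As an added illustration of the segmented delivery described above (this is example detection code written for this article, not code from CISA, Darktrace or Ivanti), the script below reads Tomcat-style access log lines, groups GET requests by client and path, reassembles the Base64 segments carried in a query parameter, and flags any group that decodes to a Java class (magic bytes CAFEBABE) or a JAR (a ZIP archive). It tries both ways an attacker might have split the loader: slices of one Base64 string, or separately encoded pieces. The endpoint path `/hypothetical/endpoint`, the parameter name `c`, the log lines and the payload are all constructed for the demo; the real endpoints and parameters are documented in CISA's IOCs and are not reproduced here.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Magic bytes that identify what a reassembled blob is.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every Java .class file starts with this
ZIP_MAGIC = b"PK\x03\x04"                # a .jar is a ZIP archive

# Common Log Format, as Tomcat's AccessLogValve writes it with pattern "common".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_line(line):
    """Return client IP, method, path and query parameters of one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {"ip": m.group("ip"), "method": m.group("method"),
            "path": parts.path, "params": parse_qs(parts.query)}


def reassemble(segments):
    """Decode segments either as slices of one Base64 string or as separately
    encoded pieces; return None if neither interpretation is valid Base64."""
    try:
        return base64.b64decode("".join(segments), validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        return b"".join(base64.b64decode(s, validate=True) for s in segments)
    except (binascii.Error, ValueError):
        return None


def find_segmented_payloads(lines, param, min_segments=2):
    """Group GET requests by (client, path), join the `param` values in arrival
    order, and report groups whose decoded bytes look like a Java class or JAR."""
    groups = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        values = rec["params"].get(param)
        if not values or not B64_RE.match(values[0]):
            continue
        groups.setdefault((rec["ip"], rec["path"]), []).append(values[0])

    findings = []
    for (ip, path), segs in groups.items():
        if len(segs) < min_segments:
            continue
        blob = reassemble(segs)
        if blob is None:
            continue
        if blob.startswith(JAVA_CLASS_MAGIC):
            kind = "java-class"
        elif blob.startswith(ZIP_MAGIC):
            kind = "jar"
        else:
            continue
        findings.append({"ip": ip, "path": path, "segments": len(segs),
                         "kind": kind, "size": len(blob)})
    return findings


# Constructed demo payload: a fake class-file header plus filler, not a real class.
FAKE_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"constructed filler, not a real class body"


def build_sample_log():
    """Constructed access-log lines: one client sends the fake class in 12-character
    Base64 slices via separate GETs; a second client sends unrelated traffic."""
    encoded = base64.b64encode(FAKE_CLASS).decode()
    slices = [encoded[i:i + 12] for i in range(0, len(encoded), 12)]
    lines = [
        '203.0.113.7 - - [15/May/2025:10:00:%02d +0000] '
        '"GET /hypothetical/endpoint?%s HTTP/1.1" 200 42' % (i, urlencode({"c": s}))
        for i, s in enumerate(slices)
    ]
    # Benign noise: one Base64-looking value from another client, and a plain page load.
    lines.insert(1, '198.51.100.9 - - [15/May/2025:10:00:30 +0000] '
                    '"GET /hypothetical/endpoint?c=aGVsbG8%3D HTTP/1.1" 200 42')
    lines.append('198.51.100.9 - - [15/May/2025:10:00:31 +0000] "GET /login HTTP/1.1" 200 1337')
    return lines


if __name__ == "__main__":
    for hit in find_segmented_payloads(build_sample_log(), "c"):
        print(hit)
```

Against a real log the heuristic should be paired with the published IOCs (paths, file names, hashes) rather than used alone: a single client sending one Base64-looking value is ordinary traffic, which is why the script requires at least two segments and a recognizable file header before it reports anything.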
CISA's warning is a reminder that organizations running EPMM should apply the current patches promptly, check their appliances against the published IOCs, and treat MDM systems as the high-value assets they are.