The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a detailed advisory highlighting the discovery of two different malware strains that exploited security flaws in Ivanti Endpoint Manager Mobile (EPMM). The malicious activity was identified inside the network of an unnamed organization, where attackers leveraged vulnerabilities CVE-2025-4427 and CVE-2025-4428 to compromise systems.
How the Exploitation Took Place
According to CISA, each malware strain included custom loaders that deployed malicious listeners. These listeners allowed threat actors to execute arbitrary code on compromised servers.
- CVE-2025-4427: An authentication bypass flaw that enables attackers to gain access to restricted resources.
- CVE-2025-4428: A remote code execution (RCE) flaw that allows attackers to run code on the system.
By chaining these vulnerabilities together, attackers could execute commands on vulnerable devices without authentication. Ivanti had patched these flaws in May 2025, but attackers were already exploiting them as zero-days before the fixes were available.
Timeline of the Attack
CISA noted that attackers combined the two flaws around May 15, 2025, soon after a proof-of-concept (PoC) exploit was made public. Once inside the environment, the adversaries were able to:
- Collect system and network information
- Download and deploy additional malicious files
- Browse the root directory
- Execute scripts to create heapdumps
- Dump LDAP credentials
These actions allowed the attackers to maintain persistence and prepare for extended malicious activity.
Malware Analysis Findings
During investigation, analysts identified two sets of malicious files placed inside the /tmp directory of the compromised server. Both sets were designed to provide long-term persistence by injecting and executing arbitrary code.
- Set 1: web-install.jar (Loader 1), ReflectUtil.class, SecurityHandlerWanListener.class
- Set 2: web-install.jar (Loader 2), WebAndroidAppInstaller.class
How They Work:
- In Set 1, ReflectUtil.class manipulates Java objects to inject SecurityHandlerWanListener into Apache Tomcat. This malicious listener intercepts HTTP requests, decodes and decrypts payloads, then dynamically creates and executes new Java classes.
- In Set 2, WebAndroidAppInstaller.class retrieves a password parameter from HTTP requests, decrypts it with a hard-coded key, and uses the result to create a new class. The output is then encrypted again before being sent back in the response, making it harder to detect.
The final impact of both methods is the same: attackers gain the ability to execute arbitrary code, intercept communications, maintain persistence, and exfiltrate sensitive data.
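As an added example (not code from the CISA advisory or from Ivanti), the following Python scanner checks a directory such as /tmp for the artifact names listed above, flagging both loose class files and JARs that contain them regardless of package path; the sample tree it builds is constructed, with placeholder bytes standing in for real bytecode.

```python
import os
import tempfile
import zipfile

# Artifact names reported in the CISA advisory (taken from the text above).
SUSPECT_CLASSES = {
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}

def scan_jar(jar_path):
    """Return suspect class entries inside one JAR, whatever their package path."""
    hits = set()
    try:
        with zipfile.ZipFile(jar_path) as jar:
            for entry in jar.namelist():
                if entry.rsplit("/", 1)[-1] in SUSPECT_CLASSES:
                    hits.add(entry)
    except zipfile.BadZipFile:
        pass  # not a real JAR (or corrupted): nothing to report from its contents
    return hits

def scan_directory(directory):
    """Walk a directory such as /tmp; return (path, reason) for each hit."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for fname in files:
            path = os.path.join(root, fname)
            if fname in SUSPECT_CLASSES:
                findings.append((path, "loose suspect class file"))
            elif fname.endswith(".jar"):
                hits = scan_jar(path)
                if hits:
                    findings.append((path, "jar contains " + ", ".join(sorted(hits))))
    return findings

def build_demo(tmp_root=None):
    """Constructed sample tree: fake loader JAR (placeholder bytes) beside a benign JAR."""
    tmp_root = tmp_root or tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(tmp_root, "web-install.jar"), "w") as jar:
        jar.writestr("ReflectUtil.class", b"constructed placeholder")
        jar.writestr("SecurityHandlerWanListener.class", b"constructed placeholder")
    with zipfile.ZipFile(os.path.join(tmp_root, "benign-lib.jar"), "w") as jar:
        jar.writestr("com/example/Util.class", b"constructed placeholder")
    return scan_directory(tmp_root)
```

Calling `build_demo()` builds the constructed tree in a fresh temporary directory and returns the findings; point `scan_directory` at a real /tmp to use it on a server.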
Security Recommendations
To mitigate risks linked to these vulnerabilities, CISA strongly recommends:
- Update Ivanti EPMM – Ensure all instances are patched to the latest version.
- Monitor Systems – Actively check logs for unusual activities or unexpected file changes.
- Restrict Access – Apply strict access controls to prevent unauthorized users from reaching MDM systems.
- Incident Response Preparedness – Have a plan to detect, contain, and remediate if exploitation attempts are suspected.
Organizations using Ivanti EPMM should prioritize these steps to reduce exposure to similar advanced malware campaigns.