CISA Warns Hackers Exploiting Ivanti EPMM Vulnerabilities to Deploy Malware

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning about ongoing malware campaigns targeting Ivanti Endpoint Manager Mobile (EPMM) platforms.

Threat actors are actively exploiting two critical security flaws, CVE-2025-4427 and CVE-2025-4428, enabling complete system compromise and arbitrary code execution on affected servers.

These attacks started shortly after Ivanti publicly disclosed the vulnerabilities on May 13, 2025, with exploitation observed as early as May 15, 2025, following the release of proof-of-concept code. The vulnerabilities affect all versions of Ivanti EPMM, including 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier, exposing organizations relying on mobile device management infrastructure to significant risk.

Cybercriminals are combining CVE-2025-4427, an authentication bypass vulnerability, with CVE-2025-4428, a code injection flaw, to gain unauthorized access to EPMM deployments. Once inside, attackers target the /mifs/rs/api/v2/ endpoint using HTTP GET requests with malicious commands embedded in the ?format= parameter. This allows them to collect system information, download payloads, enumerate network resources, and extract LDAP credentials.

CISA analysts have identified two separate malware families used in these attacks, each including sophisticated loaders and listeners to maintain persistent access.

Malware Components Overview

  • Set 1: Loader 1 (web-install.jar), ReflectUtil.class, SecurityHandlerWanListener.class
  • Set 2: Loader 2 (web-install.jar), WebAndroidAppInstaller.class

Attackers employ advanced evasion methods, splitting payloads into multiple Base64-encoded chunks sent via separate HTTP requests. This approach avoids detection by signature-based security tools and bypasses file size restrictions.

Technical Deployment Details

The malware uses Java Expression Language (EL) injection to create malicious JAR files in the /tmp directory, reconstructed from chunked Base64 segments delivered through HTTP GET requests.
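As a defender-side illustration of the request pattern described above (the ?format= parameter of /mifs/rs/api/v2/ carrying Java EL syntax, with the payload arriving as Base64 chunks across several GET requests), here is an added detection example, not code from CISA or Ivanti. It assumes a combined Apache/Tomcat access-log layout and runs over constructed log lines whose EL bodies are inert placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/Tomcat combined access-log layout (assumed); only the fields used are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')
EL_RE = re.compile(r'[$#]\{')                      # Java EL delimiters: ${ and #{
B64_RE = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')  # a chunk-sized Base64 run
EPMM_PATH = '/mifs/rs/api/v2/'                     # endpoint named in the CISA alert
CHUNK_THRESHOLD = 3   # Base64-bearing requests from one client before flagging chunked delivery

def analyze_line(line):
    """Return a finding dict for one access-log line, or None if it is not an EPMM API request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m['target'])
    if not parts.path.startswith(EPMM_PATH):
        return None
    # parse_qs percent-decodes once; unquote() again so a double-encoded ${ is still seen
    fmt = unquote(''.join(parse_qs(parts.query, keep_blank_values=True).get('format', [])))
    return {'ip': m['ip'], 'el_injection': bool(EL_RE.search(fmt)), 'b64_chunk': bool(B64_RE.search(fmt))}

def detect(lines):
    """Return (el_hits, chunk_sources): log lines whose ?format= carries EL syntax, and
    client IPs that sent CHUNK_THRESHOLD or more Base64 chunks through that parameter."""
    el_hits, chunks = [], Counter()
    for line in lines:
        f = analyze_line(line)
        if f is None:
            continue
        if f['el_injection']:
            el_hits.append(line)
        if f['b64_chunk']:
            chunks[f['ip']] += 1
    return el_hits, sorted(ip for ip, n in chunks.items() if n >= CHUNK_THRESHOLD)

# Constructed sample log. The EL bodies are inert placeholders, not real payloads;
# the third request is double percent-encoded to exercise the second decode.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/?format=%24%7BPLACEHOLDER%28%22QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5%22%29%7D HTTP/1.1" 200 412',
    '203.0.113.7 - - [15/May/2025:10:01:03 +0000] "GET /mifs/rs/api/v2/?format=%24%7BPLACEHOLDER%28%22YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXowMTIzNDU2Nzg5%22%29%7D HTTP/1.1" 200 412',
    '203.0.113.7 - - [15/May/2025:10:01:04 +0000] "GET /mifs/rs/api/v2/?format=%2524%257BPLACEHOLDER%2528%2522MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6%2522%2529%257D HTTP/1.1" 200 412',
    '198.51.100.4 - - [15/May/2025:10:02:00 +0000] "GET /mifs/rs/api/v2/?format=json HTTP/1.1" 200 2048',
    '198.51.100.4 - - [15/May/2025:10:02:01 +0000] "GET /mifs/ HTTP/1.1" 200 9812',
]

if __name__ == '__main__':
    hits, sources = detect(SAMPLE_LOG)
    print(f'{len(hits)} EL-injection request(s); chunked delivery from: {sources}')
```

The benign `format=json` request and the non-API request produce no finding, so the rule keys on EL syntax and repeated Base64 runs rather than on the endpoint alone.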

Once deployed, Set 1 operates in three stages: Loader 1 dynamically loads ReflectUtil.class, which injects SecurityHandlerWanListener into Apache Tomcat, bypassing Java Development Kit restrictions. The listener monitors specific HTTP requests containing a predefined token, decrypts Base64-encoded payloads using AES encryption, and dynamically executes malicious code.

Set 2 follows a simpler but equally effective method. Loader 2 loads WebAndroidAppInstaller.class, intercepting HTTP requests with application/x-www-form-urlencoded headers, extracting parameters, decoding Base64, and decrypting payloads with AES using the hard-coded key 3c6e0b8a9c15224a.

Vulnerability   CWE Classification                          Attack Vector   CVSS Impact
CVE-2025-4427   Authentication Bypass Using Alternate Path  Remote          High/High/High
CVE-2025-4428   Code Injection                              Remote          High/High/High

Malware Component                  Size (bytes)   Primary Function                    Encryption Method
Loader 1 (web-install.jar)         30,996         Loads ReflectUtil.class             Base64
ReflectUtil.class                  11,886         Injects SecurityHandlerWanListener  gzip
SecurityHandlerWanListener.class    4,690         Intercepts HTTP requests            AES (key: 7c6a8867d728c3bb)
WebAndroidAppInstaller.class       16,120         Payload processing                  AES (key: 3c6e0b8a9c15224a)

Organizations are urged to update Ivanti EPMM to the latest patched versions immediately and enhance monitoring for mobile device management systems, treating them as high-value assets requiring continuous security oversight.