The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding active exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) systems. Threat actors are leveraging two specific vulnerabilities—CVE-2025-4427 and CVE-2025-4428—to deploy advanced malware, enabling unauthorized access and remote code execution on affected servers.
Background on Ivanti EPMM Vulnerabilities
Ivanti EPMM, formerly known as MobileIron, is a mobile device management solution widely used by organizations to secure and manage mobile devices. On May 13, 2025, Ivanti disclosed two critical vulnerabilities:
– CVE-2025-4427: An authentication bypass vulnerability that allows unauthenticated attackers to access protected resources without valid credentials.
– CVE-2025-4428: A code injection vulnerability enabling attackers to execute arbitrary code on the target system.
These vulnerabilities affect all versions of Ivanti EPMM up to and including 12.5.0.0. Ivanti released patches to address these issues; however, exploitation began shortly after the disclosure, around May 15, 2025, following the publication of proof-of-concept code.
Details of the Exploitation
Threat actors have been observed chaining CVE-2025-4427 and CVE-2025-4428 to gain unauthorized access to EPMM deployments. By targeting the `/mifs/rs/api/v2/` endpoint with HTTP GET requests and using the `?format=` parameter, attackers can send malicious remote commands. This method allows them to:
– Collect system information
– Download and execute malicious payloads
– Enumerate network resources
– Extract Lightweight Directory Access Protocol (LDAP) credentials
CISA’s analysis revealed two distinct sets of malware used in these attacks, each containing loaders and malicious listeners designed to maintain persistent access to compromised systems. The first set includes components such as `web-install.jar`, `ReflectUtil.class`, and `SecurityHandlerWanListener.class`, while the second set comprises `web-install.jar` and `WebAndroidAppInstaller.class`.
Advanced Evasion Techniques
The attackers employ sophisticated evasion techniques to bypass security controls. Instead of uploading complete malicious files, they segment their payloads into multiple Base64-encoded chunks, transmitting each segment through separate HTTP requests. This approach helps circumvent signature-based detection systems and avoids file size limitations that might prevent successful malware deployment.
Technical Breakdown of the Attack
The attack begins with Java Expression Language (EL) injection techniques that create malicious JAR files in the `/tmp` directory through a methodical chunk-based reconstruction process. Attackers craft HTTP GET requests containing Java EL injection code that creates `FileOutputStream` objects to write Base64-decoded malware segments directly to the target system. The malicious request structure follows this pattern:
```
GET /mifs/rs/api/v2/featureusage?format=${getClass().forName(java.io.FileOutputStream).getConstructor(.getClass(),.getClass().forName([Z).getComponentType()).newInstance(/tmp/web-install.jar,true).write(.getClass().forName(java.util.Base64).getMethod(getDecoder).invoke(null).decode([BASE64_ENCODED_PAYLOAD]))}
```
This method allows the attacker to write and execute arbitrary code on the compromised server.
Recommendations for Mitigation
Organizations using Ivanti EPMM should take immediate action to mitigate these risks:
1. Apply Patches Promptly: Ensure that all EPMM systems are updated to the latest versions that address CVE-2025-4427 and CVE-2025-4428.
2. Monitor for Indicators of Compromise (IoCs): Review system logs for unusual activity, such as unexpected HTTP GET requests to the `/mifs/rs/api/v2/` endpoint or the presence of unfamiliar JAR files in the `/tmp` directory.
3. Enhance Network Security Measures: Implement network segmentation and access controls to limit exposure of EPMM systems to potential attackers.
4. Conduct Regular Security Audits: Perform periodic security assessments to identify and remediate vulnerabilities within your infrastructure.
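An added example (not from the CISA alert or from Ivanti) of the log review in step 2, in Python: it parses constructed access-log lines, flags GET requests under the `/mifs/rs/api/v2/` prefix whose `format=` value carries an EL expression, and groups repeated hits per source to surface the chunked-write pattern described above. The log format, the sample addresses and the repeat threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the CISA report): one
# benign request, then three requests from one source carrying an EL expression
# in format=, the shape produced by writing a payload in several chunks.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 200 512
198.51.100.9 - - [15/May/2025:10:02:11 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7BgetClass().forName(java.io.FileOutputStream)%7D HTTP/1.1" 500 0
198.51.100.9 - - [15/May/2025:10:02:12 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7BgetClass().forName(java.util.Base64)%7D HTTP/1.1" 500 0
198.51.100.9 - - [15/May/2025:10:02:13 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7Bx%7D HTTP/1.1" 500 0
"""

# Common-log-format fields we need: source, timestamp, method, request target.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TARGET_PREFIX = "/mifs/rs/api/v2/"
# Markers of EL injection and of the file-write primitive named in the alert.
EL_MARKERS = ("${", "getClass()", "FileOutputStream", "Base64")

def suspicious_requests(log_text):
    """Return (src, ts, decoded format value) for every GET under the EPMM API
    prefix whose format= parameter looks like an EL expression."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.startswith(TARGET_PREFIX):
            continue
        # parse_qs percent-decodes values, so %24%7B is compared as "${".
        for value in parse_qs(parts.query).get("format", []):
            if any(marker in value for marker in EL_MARKERS):
                hits.append((m.group("src"), m.group("ts"), value))
    return hits

def chunked_write_sources(hits, threshold=3):
    """Sources with at least `threshold` suspicious requests, i.e. the repeated
    small writes used to reassemble a payload chunk by chunk."""
    counts = Counter(src for src, _, _ in hits)
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for src, ts, value in found:
        print(f"{ts} {src} format={value[:60]}")
    print("possible chunked upload from:", chunked_write_sources(found))
```

Run it over real EPMM access logs by replacing `SAMPLE_LOG` with the file contents; a match is a trigger for checking `/tmp` for unfamiliar JAR files, not proof of compromise on its own.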
Conclusion
The exploitation of Ivanti EPMM vulnerabilities underscores the importance of timely patching and vigilant monitoring of enterprise systems. By understanding the attack vectors and implementing recommended security measures, organizations can better protect their infrastructure against sophisticated cyber threats.