CISA Unveils Technical Details on Malware Exploiting Ivanti EPMM Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has released an in-depth analysis of malware utilized in attacks targeting two specific vulnerabilities within Ivanti Endpoint Manager Mobile (EPMM). These vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, were publicly disclosed on May 13, 2025, following their exploitation in real-world attacks.

Understanding the Vulnerabilities

CVE-2025-4427 is characterized as an authentication bypass flaw, while CVE-2025-4428 pertains to a remote code execution (RCE) issue. Both vulnerabilities reside in open-source libraries integrated into EPMM. Individually they carry CVSS scores of 5.3 and 7.2, respectively; exploited in tandem, they allow unauthenticated attackers to execute arbitrary code on affected systems.

Timeline of Exploitation

Shortly after the vulnerabilities were made public, proof-of-concept (PoC) exploit code emerged, leading to a surge in exploitation attempts. By late May 2025, it was revealed that a threat actor linked to China, designated as UNC5221, had been actively leveraging these vulnerabilities in their attacks.

CISA’s Malware Analysis

CISA’s recent publication offers comprehensive details, indicators of compromise (IoCs), and detection methodologies for two distinct sets of malware—comprising five files in total—retrieved from a network compromised via a vulnerable Ivanti EPMM instance.

By chaining the aforementioned vulnerabilities, attackers gained unauthorized access to servers running EPMM. This access enabled them to execute remote commands aimed at:

– Gathering system information

– Enumerating the root directory

– Deploying malicious files

– Conducting network reconnaissance

– Executing scripts

– Extracting LDAP credentials

Malware Deployment and Functionality

The attackers introduced two sets of malware into the system’s temporary directory. Each set was designed to establish persistence, allowing the execution of arbitrary code on the compromised server.

Both malware sets comprised a loader and a malicious listener, facilitating the deployment and execution of arbitrary code. To circumvent signature-based detection mechanisms and size constraints, the malware was introduced in segmented parts.

First Malware Set:

This set included a manager component responsible for manipulating Java objects to inject the malicious listener into Apache Tomcat, which operates on the same server. The listener was programmed to intercept specific HTTP requests, process them, and subsequently decode and decrypt payloads to dynamically construct and execute new classes.

Second Malware Set:

The listener in this set was engineered to:

– Retrieve and decrypt password parameters from designated HTTP requests

– Define and load new malicious classes

– Encrypt and encode the output of these classes

– Generate appropriate responses

Recommendations and Mitigation Strategies

In light of these findings, CISA strongly advises organizations to:

– Update Ivanti EPMM: Ensure systems are upgraded to patched versions—specifically, versions 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1, or newer—which contain the necessary fixes.

– Implement Additional Security Measures: Apply further restrictions and monitoring protocols for mobile device management (MDM) systems to detect and prevent unauthorized access.

– Adhere to Cybersecurity Best Practices: Regularly review and follow established cybersecurity guidelines to bolster system defenses against potential threats.
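As an added example (not code from the CISA report or from Ivanti), a small Python triage helper that applies the patched-version list above to an inventory of EPMM hosts; the hostnames are constructed, and the rule for versions in branches the list does not name is an assumption that errs toward "unpatched".

```python
# Added example, not CISA's or Ivanti's code. Fixed versions come from the
# advisory text; the parsing and the handling of unlisted branches are assumed.

# Fixed release per EPMM branch (major.minor), as listed in the recommendation.
FIXED_VERSIONS = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}
NEWEST_FIX = max(FIXED_VERSIONS.values())


def parse_version(text: str) -> tuple:
    """'12.4.0.2' -> (12, 4, 0, 2); short forms are zero-padded; raises ValueError."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def is_patched(text: str) -> bool:
    """True when the build carries the CVE-2025-4427 / CVE-2025-4428 fixes.

    Assumed reading of "11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1 or newer": a listed
    branch is patched from its fix onward, anything above the newest fix counts as
    patched, and every other build (e.g. an older 12.2.x) is treated as unpatched.
    """
    v = parse_version(text)
    if v[:2] in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[v[:2]]
    return v > NEWEST_FIX


def triage(inventory: dict) -> dict:
    """Split a {host: version} inventory into patched / unpatched / unparseable."""
    result = {"patched": [], "unpatched": [], "unparseable": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "patched" if is_patched(version) else "unpatched"
        except ValueError:
            bucket = "unparseable"  # unknown build string: needs manual review
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are not from the report.
SAMPLE_INVENTORY = {"mdm-prod-01": "12.5.0.1", "mdm-prod-02": "12.4.0.1",
                    "mdm-legacy": "11.12.0.5", "mdm-lab": "12.2.0.3"}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```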

Conclusion

The exploitation of vulnerabilities within Ivanti EPMM underscores the critical importance of timely software updates and vigilant monitoring. By understanding the nature of these threats and implementing recommended security measures, organizations can significantly reduce their risk exposure and enhance their overall cybersecurity posture.