Chinese Cyber Espionage Group Exploits Ivanti EPMM Vulnerabilities to Infiltrate Global Enterprises

A sophisticated Chinese cyber espionage group, identified as UNC5221, has been exploiting recently patched vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software to infiltrate organizations across Europe, North America, and the Asia-Pacific region. The targeted sectors include healthcare, telecommunications, aviation, municipal government, finance, and defense.

Understanding the Vulnerabilities

The exploited vulnerabilities, designated as CVE-2025-4427 and CVE-2025-4428, were addressed by Ivanti in May 2025. These flaws, with CVSS scores of 5.3 and 7.2 respectively, can be combined to allow unauthenticated attackers to execute arbitrary code on vulnerable devices. This exploitation enables threat actors to gain unauthorized access, manipulate configurations, and potentially compromise thousands of managed mobile devices within an organization.

UNC5221’s Exploitation Tactics

UNC5221 has demonstrated a deep understanding of EPMM’s internal architecture, repurposing legitimate system components for covert data exfiltration. The attack sequence targets the /mifs/rs/api/v2/ endpoint to obtain an interactive reverse shell, allowing remote execution of arbitrary commands on Ivanti EPMM deployments. The group then deploys KrustyLoader, a Rust-based loader previously attributed to UNC5221, which delivers additional payloads such as Sliver.

The threat actors have also been observed targeting the mifs database, using the hard-coded MySQL credentials stored in /mi/files/system/.mifpp to gain unauthorized access. This access enables them to exfiltrate sensitive data, giving them visibility into managed mobile devices, LDAP users, and Office 365 refresh and access tokens.
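Defenders reviewing EPMM web-server logs for activity against the /mifs/rs/api/v2/ endpoint named above can start with a simple hunt like the following. This is an added example, not code from the report or from Ivanti; the log lines are constructed, the client allowlist and the `/mifs/rs/api/v2/example` sub-path are placeholders, and the heuristics (unexpected client, non-browser user agent, request bursts) are assumptions to tune per deployment.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format; hosts, paths and
# user agents are made up for this example and are not from a real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [20/May/2025:10:01:30 +0000] "GET /mifs/rs/api/v2/example HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.7 - - [20/May/2025:10:02:15 +0000] "GET /mifs/rs/api/v2/example HTTP/1.1" 200 77 "-" "python-requests/2.31"
203.0.113.7 - - [20/May/2025:10:02:16 +0000] "GET /mifs/rs/api/v2/example HTTP/1.1" 200 4096 "-" "python-requests/2.31"
10.0.0.9 - - [20/May/2025:10:03:00 +0000] "POST /mifs/c/d/android.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: client ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Path prefix named in the report; the sub-resource used here is a placeholder.
API_PREFIX = "/mifs/rs/api/v2/"
# Assumption: only these hosts are expected to call the EPMM API (tune per deployment).
ALLOWED_API_CLIENTS = {"10.0.0.5"}
BROWSER_UA_HINTS = ("Mozilla/", "AppleWebKit")


def parse(line):
    """Split one combined-format log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, burst_threshold=2):
    """Return (ip, reason) findings for suspicious access to the EPMM API path."""
    findings = []
    api_hits = Counter()
    for raw in log_text.splitlines():
        rec = parse(raw)
        if not rec or not rec["path"].startswith(API_PREFIX):
            continue
        api_hits[rec["ip"]] += 1
        if rec["ip"] not in ALLOWED_API_CLIENTS:
            findings.append((rec["ip"], f"unexpected client calling {rec['path']}"))
        if not any(hint in rec["ua"] for hint in BROWSER_UA_HINTS):
            findings.append((rec["ip"], f"non-browser user agent '{rec['ua']}' on API path"))
    # Repeated calls from a host that is not an expected API client
    for ip, n in api_hits.items():
        if n >= burst_threshold and ip not in ALLOWED_API_CLIENTS:
            findings.append((ip, f"{n} API requests in one log window"))
    return findings


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG):
        print(f"ALERT {ip}: {reason}")
```

Hits on this path are normal for legitimate EPMM clients, so the value is in correlating the source, user agent and volume against what the deployment expects rather than alerting on the path alone.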

Advanced Techniques and Tools

UNC5221 employs obfuscated shell commands for host reconnaissance before deploying KrustyLoader from an AWS S3 bucket. They also use Fast Reverse Proxy (FRP), an open-source tool widely shared among Chinese hacking groups, to facilitate network reconnaissance and lateral movement. Additionally, the group has been linked to Auto-Color, a Linux backdoor used in attacks targeting universities and government organizations in North America and Asia between November and December 2024.

Implications for Global Security

The exploitation of these vulnerabilities underscores the persistent threat posed by state-sponsored cyber espionage groups. Organizations using Ivanti EPMM are urged to apply the latest patches promptly and conduct thorough security assessments to detect and mitigate potential breaches. Implementing robust monitoring and incident response strategies is crucial to defend against such sophisticated attacks.