On September 18, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a critical alert regarding the discovery of two distinct malware strains within an unnamed organization’s network. These malicious programs exploited specific vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), identified as CVE-2025-4427 and CVE-2025-4428.
Understanding the Vulnerabilities
CVE-2025-4427 is an authentication bypass flaw that allows unauthorized access to protected resources. CVE-2025-4428 is a remote code execution vulnerability. When combined, these vulnerabilities enable attackers to execute arbitrary code on affected devices without authentication. Ivanti addressed these issues in May 2025, but prior to the patches, they were actively exploited as zero-day vulnerabilities.
Details of the Attack
According to CISA, around May 15, 2025, threat actors leveraged these vulnerabilities to infiltrate a server running EPMM. This breach occurred shortly after a proof-of-concept exploit was made public. Once inside, the attackers executed commands to:
– Gather system information
– Download malicious files
– List the root directory
– Map the network
– Create a heap dump
– Extract Lightweight Directory Access Protocol (LDAP) credentials
Malware Deployment and Functionality
Further investigation revealed that the attackers deployed two sets of malicious files in the /tmp directory, each designed to maintain persistence and facilitate arbitrary code execution on the compromised server:
– Set 1:
  – `web-install.jar` (Loader 1)
  – `ReflectUtil.class`
  – `SecurityHandlerWanListener.class`
– Set 2:
  – `web-install.jar` (Loader 2)
  – `WebAndroidAppInstaller.class`
Both sets include a loader that initiates a malicious Java class listener. This listener intercepts specific HTTP requests, decodes and decrypts payloads, and executes them.
Technical Breakdown
– Set 1:
  – `ReflectUtil.class` manipulates Java objects to inject and manage the `SecurityHandlerWanListener` within Apache Tomcat.
  – `SecurityHandlerWanListener.class` acts as a malicious listener, intercepting specific HTTP requests, decoding and decrypting payloads, and dynamically creating and executing new classes.
– Set 2:
  – `WebAndroidAppInstaller.class` retrieves and decrypts a password parameter from incoming requests using a hard-coded key.
  – The decrypted content defines and implements a new class, which is then executed.
  – The execution result is encrypted with the same hard-coded key and sent back as a response.
These mechanisms allow attackers to inject and execute arbitrary code on the server, maintain persistence, and exfiltrate data by intercepting and processing HTTP requests.
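Because both malware sets were staged as Java archives and class files under /tmp, a quick way for a responder to triage an EPMM host is to sweep that directory for the artifacts named above. The script below is an added example written for this article, not code from CISA or Ivanti. Only the four file names come from the alert; the remaining heuristics are assumptions of this script: that a Tomcat-hosted appliance has no legitimate reason to hold .jar or .class files in /tmp (so renamed copies are caught by their magic bytes), and that the heap dump the actors created would most likely be a conventional JVM .hprof file worth reviewing for the LDAP credentials they were after.

```python
#!/usr/bin/env python3
"""Sweep a temp directory for the Ivanti EPMM malware artifacts named in the
CISA alert (CVE-2025-4427 / CVE-2025-4428).

Added example, not CISA's or Ivanti's code. File names come from the alert;
the bytecode-in-/tmp and .hprof heuristics are assumptions of this script.
"""
import hashlib
import os
from pathlib import Path
from typing import Dict, List

# File names reported in the alert (both loaders share the name web-install.jar).
KNOWN_ARTIFACTS = {
    "web-install.jar",
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}

# Assumption: Java bytecode or archives under /tmp are suspicious on an
# appliance whose web tier runs in Tomcat, even when the names differ.
SUSPICIOUS_SUFFIXES = {".jar", ".class"}

# Assumption: the heap dump the alert mentions would be a JVM .hprof file;
# such dumps can hold the LDAP credentials the actors extracted.
HEAP_DUMP_SUFFIX = ".hprof"

JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every .class file
ZIP_MAGIC = b"PK\x03\x04"               # .jar files are zip archives


def sha256_of(path: Path) -> str:
    """Hash the file so the finding can be shared or matched against IoC lists."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path) -> List[str]:
    """Return the reasons a file is interesting; an empty list means benign."""
    reasons = []
    if path.name in KNOWN_ARTIFACTS:
        reasons.append("name matches CISA-reported artifact")
    if path.suffix in SUSPICIOUS_SUFFIXES:
        reasons.append("Java bytecode/archive in temp directory")
    if path.suffix == HEAP_DUMP_SUFFIX:
        reasons.append("JVM heap dump (review for credential material)")
    # Content check catches renamed artifacts: a 'notes.txt' that starts with
    # CAFEBABE is a class file regardless of its extension.
    try:
        with path.open("rb") as f:
            head = f.read(4)
    except OSError:
        return reasons
    if head == JAVA_CLASS_MAGIC and path.suffix != ".class":
        reasons.append("class-file magic under a non-.class name")
    if head == ZIP_MAGIC and path.suffix not in (".jar", ".zip"):
        reasons.append("zip/jar magic under a non-archive name")
    return reasons


def hunt(root: str = "/tmp") -> Dict[str, dict]:
    """Walk `root` and return {path: {'reasons': [...], 'sha256': '...'}}."""
    findings: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks so a planted link cannot make us hash an arbitrary file.
            if p.is_symlink() or not p.is_file():
                continue
            reasons = classify(p)
            if reasons:
                findings[str(p)] = {"reasons": reasons, "sha256": sha256_of(p)}
    return findings


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    print(json.dumps(hunt(target), indent=2))
```

Run it as root on the EPMM appliance (`python3 hunt_tmp.py /tmp`); a clean host returns an empty object. Any hit on a reported name is a strong indicator, while the magic-byte and .hprof hits are review items: hash the files, preserve them, and do not assume the absence of the four exact names means the loaders were never present, since the alert describes the names as observed in one intrusion, not as the only names the actors could use.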
Recommendations for Mitigation
To protect against such attacks, organizations should:
– Update Software: Ensure that all instances of Ivanti EPMM are updated to the latest version to patch known vulnerabilities.
– Monitor Systems: Regularly check for signs of suspicious activity, such as unexpected system behavior or unauthorized access attempts.
– Restrict Access: Implement necessary restrictions to prevent unauthorized access to mobile device management (MDM) systems.
By taking these proactive measures, organizations can significantly reduce the risk of exploitation and enhance their overall cybersecurity posture.