CISA Alerts of Hackers Targeting Ivanti Endpoint Manager Mobile Vulnerabilities to Distribute Malware

Cyber threat actors have weaponized two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities—CVE-2025-4427 and CVE-2025-4428—to deploy sophisticated malicious loaders and listeners on compromised servers.

The malware consists of two sets of components: Loader 1 (web-install.jar, ReflectUtil.class, SecurityHandlerWanListener.class) and Loader 2 (web-install.jar, WebAndroidAppInstaller.class), both designed to inject arbitrary code and maintain persistence on Apache Tomcat deployments.

CISA obtained five malware files from an organization compromised via CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (code injection) in Ivanti EPMM.

Attackers exploited the /mifs/rs/api/v2/ endpoint by chaining HTTP GET requests with a format parameter to deliver Base64-encoded chunks, reconstruct JAR files in /tmp, and load malicious Java classes.

Once deployed, these classes intercept HTTP requests bearing specific headers or payloads to decode, decrypt, and execute arbitrary code.

Affected versions are Ivanti EPMM 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier; organizations running any of them should upgrade immediately. Ivanti released patches and publicly disclosed both vulnerabilities on May 13, 2025. CISA added these CVEs to its Known Exploited Vulnerabilities Catalog on May 19, 2025.

Key Actions

Detect activity by deploying provided indicators of compromise (IOCs) and YARA and SIGMA detection rules.

Prevent exploitation by upgrading to the latest Ivanti EPMM release and treating MDM systems as high-value assets with heightened restrictions and monitoring.

Downloadable IOCs: MAR-251126.r1.v1.CLEAR (STIX 2.0 JSON). Detection signatures include CISA-created YARA rules for both loaders and listeners, and a SIGMA rule (AR25-260A/B SIGMA YAML) to identify suspicious HTTP GET requests, class names, file hashes, and network artifacts.

Loader 1’s JAR file hosts ReflectUtil.class, which injects a malicious listener (SecurityHandlerWanListener) into Apache Tomcat by bypassing JDK module restrictions, decoding a Base64-encoded, gzip-compressed listener class, and adding it to the servlet listener list.

Figure: Loader 1 internal structure.

SecurityHandlerWanListener intercepts HTTP requests containing a specific pass string, Referer header, and payload, then decodes and AES-decrypts Base64 payloads to define and execute new classes on the server, enabling arbitrary code execution and data exfiltration.

Loader 2’s JAR file masquerades WebAndroidAppInstaller.class as part of com.mobileiron.service.

To decode the Base64 string, the loader tries two approaches in turn:

  1. It first uses sun.misc.BASE64Decoder and calls decodeBuffer.
  2. If that attempt fails, it falls back to java.util.Base64 and calls getDecoder.

The listener validates requests with content type application/x-www-form-urlencoded, extracts a Base64-encoded password parameter, AES-decrypts it, dynamically loads new classes, encrypts and encodes execution results with the same key, and returns an MD5-hashed response. This allows attackers to execute arbitrary code and receive command output.

Figure: Java code snippet for decoding a Base64 string.

Attackers divided each loader into multiple Base64-encoded segments delivered via separate GET requests to the /mifs/rs/api/v2/featureusage endpoint. Java Expression Language injection writes and appends these chunks to files in /tmp, evading signature-based controls and file size checks.
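As an added example (not code from the CISA report or this article), the following Python sketch shows the kind of check the SIGMA rule is described as performing: it parses Tomcat access-log lines, flags GET requests to the /mifs/rs/api/v2/ endpoint whose format parameter carries Expression Language delimiters, and groups hits per source so that the chunked, multi-request delivery described above stands out. The log lines, addresses and chunk values are constructed placeholders, not real telemetry.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined-log style); not real telemetry.
# Source 10.0.0.5 sends three chained GETs with EL delimiters in format=;
# source 10.0.0.9 sends a benign format=json request and a login page hit.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:10:01:01 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7BCONSTRUCTED_CHUNK_1%7D HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7BCONSTRUCTED_CHUNK_2%7D HTTP/1.1" 200 512
10.0.0.5 - - [20/May/2025:10:01:03 +0000] "GET /mifs/rs/api/v2/featureusage?format=%24%7BCONSTRUCTED_CHUNK_3%7D HTTP/1.1" 200 512
10.0.0.9 - - [20/May/2025:10:02:00 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 200 2048
10.0.0.9 - - [20/May/2025:10:03:00 +0000] "GET /mifs/c/login HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
API_PREFIX = "/mifs/rs/api/v2/"
# Java EL delimiters "${" and "#{" as they appear after URL-decoding.
EL_DELIM = re.compile(r"\$\{|#\{")


def parse_line(line):
    """Split one access-log line into source, timestamp, method, path and decoded query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    return rec


def suspicious_format_values(rec):
    """Return format= values on the EPMM v2 API that contain EL delimiters."""
    if rec["method"] != "GET" or not rec["path"].startswith(API_PREFIX):
        return []
    return [v for v in rec["query"].get("format", []) if EL_DELIM.search(v)]


def detect(log_text, chain_threshold=2):
    """Group EL-bearing API requests by source; report sources at or above the threshold."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the expected log format
        for value in suspicious_format_values(rec):
            hits[rec["src"]].append((rec["ts"], rec["path"], value))
    return {src: h for src, h in hits.items() if len(h) >= chain_threshold}
```

A single flagged request is worth triage on its own; the threshold exists to rank sources that show the repeated chunk-delivery pattern first.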

Mitigations

Deploy YARA rules CISA_251126_01 through CISA_251126_05 to detect JAR and class file artifacts by matching unique SHA-256 hashes and byte patterns.

Align defenses with CISA and NIST Cross-Sector Cybersecurity Performance Goals, including network segmentation, application allowlisting, multi-factor authentication for administrative interfaces, and regular log review to detect anomalous commands or file activity.

Implement the SIGMA rule in Table 7 to flag abnormal HTTP GET requests, class loading activity, and network IOCs such as known malicious IPs.

If detected, quarantine affected hosts, capture forensic images, review running processes, and report incidents to CISA via its 24/7 Operations Center or Incident Reporting System. Submit malware samples through CISA’s Malware Analysis Submission Form.

Upgrade to the latest Ivanti EPMM release without delay. Enforce enhanced restrictions and continuous monitoring on MDM platforms as high-value assets.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.