The cybersecurity agency CISA has published technical details on malware deployed in attacks exploiting two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).
The flaws, tracked as CVE-2025-4427 (CVSS score of 5.3) and CVE-2025-4428 (CVSS score of 7.2), were disclosed on May 13, after they had already been exploited in the wild.
The exploitation of the two issues intensified several days later, after proof-of-concept (PoC) exploit code was published. By late May, it came to light that a China-linked threat actor tracked as UNC5221 had been abusing them in attacks.
The security defects, an authentication bypass (CVE-2025-4427) and a remote code execution (RCE) issue (CVE-2025-4428), reside in two open source libraries integrated into EPMM. The RCE on its own requires authentication, which is why the lower-rated bypass matters: chained together, the two yield unauthenticated RCE.
Now, CISA has shared details, indicators of compromise (IoCs), and detection rules for two sets of malware (five files in total) collected from a network compromised through a vulnerable Ivanti EPMM instance.
By chaining the bugs, a threat actor accessed the server running EPMM and executed remote commands to collect system information, list the root directory, deploy malicious files, perform network reconnaissance, execute scripts, and dump LDAP credentials.
The hackers deployed two sets of malware to the temporary directory, each set providing “persistence by allowing the cyber threat actors to inject and run arbitrary code on the compromised server,” CISA says.
Both sets included a loader and a malicious listener that enabled the attackers to deploy and execute arbitrary code on the compromised server, CISA explains. The malware was deployed in segments, to evade signature-based detection and size limitations.
The first set also contained a manager that manipulates Java objects to inject the malicious listener into Apache Tomcat, which runs on the same server. The listener intercepts specific HTTP requests, processes them, decodes and decrypts the embedded payload, and then dynamically builds and runs a new class from it.
The malicious listener in the second set was designed to retrieve and decrypt password parameters from specific HTTP requests, define and load a new malicious class, encrypt and encode the class output, and generate a response.
CISA recommends updating Ivanti EPMM to a patched release as soon as possible (versions 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1, and newer contain the fixes), implementing additional restrictions and monitoring for mobile device management (MDM) systems, and following cybersecurity best practices.
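As an added example (not code from CISA or Ivanti), the following Python script compares an inventory of EPMM version strings against the fixed releases listed above and flags hosts that still need the update. The fixed versions come from the article; the host inventory is constructed for the demo, and the rule that any release newer than 12.5.0.1 counts as fixed is an assumption drawn from the "and newer" wording that should be confirmed against Ivanti's advisory.

```python
"""Check Ivanti EPMM versions against the fixed releases CISA lists.

Added example: a version-compliance check, not a tool from CISA or Ivanti.
Fixed versions are taken from the article; the inventory below is constructed.
"""

# Minimum fixed release for each supported branch (from the article).
FIXED_BY_BRANCH = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}

# Assumption: a release on a branch newer than the newest fixed branch is
# treated as fixed ("and newer" in the advisory). Confirm with Ivanti's notes.
NEWEST_FIXED = max(FIXED_BY_BRANCH.values())


def parse_version(text):
    """Turn '12.5.0.1' into (12, 5, 0, 1); shorter strings are zero-padded.

    Raises ValueError for anything that is not 2 to 4 dotted integers, so a
    garbage value in an inventory export is never mistaken for a safe version.
    """
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised EPMM version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_patched(text):
    """Return (patched, reason) for a single EPMM version string."""
    version = parse_version(text)
    branch = version[:2]
    branch_label = f"{branch[0]}.{branch[1]}"
    if branch in FIXED_BY_BRANCH:
        fixed = FIXED_BY_BRANCH[branch]
        fixed_label = ".".join(map(str, fixed))
        if version >= fixed:
            return True, f"{text}: at or above fixed release {fixed_label}"
        return False, f"{text}: below fixed release {fixed_label} on branch {branch_label}"
    if version >= NEWEST_FIXED:
        return True, f"{text}: newer than the newest listed fix (assumed fixed)"
    # Older branches (e.g. 12.2.x) have no fixed release listed: upgrade needed.
    return False, f"{text}: branch {branch_label} has no listed fix; upgrade to a supported branch"


def hosts_needing_patch(inventory):
    """inventory: iterable of (hostname, version). Returns [(host, reason), ...]
    for every host that is unpatched or whose version could not be parsed."""
    flagged = []
    for host, version in inventory:
        try:
            ok, reason = is_patched(version)
        except ValueError as exc:
            ok, reason = False, str(exc)
        if not ok:
            flagged.append((host, reason))
    return flagged


# Constructed sample inventory for the demo (hostnames are hypothetical).
SAMPLE_INVENTORY = [
    ("epmm-prod-01", "12.5.0.0"),   # one patch level short
    ("epmm-prod-02", "12.5.0.1"),   # fixed
    ("epmm-dr-01", "11.12.0.4"),    # old branch, below its fix
    ("epmm-lab-01", "12.2.0.3"),    # branch with no fix listed
    ("epmm-lab-02", "n/a"),         # unparseable, must not pass silently
]

if __name__ == "__main__":
    for host, reason in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED  {host:14s} {reason}")
```

Run it against a real inventory export in the same (hostname, version) shape; versions that fail to parse are flagged rather than treated as safe, and unsupported branches are reported as needing an upgrade rather than a point release.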