CISA Warns of Hackers Exploiting Ivanti Endpoint Manager Mobile Vulnerabilities to Deploy Malware


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical warning regarding sophisticated malware campaigns targeting Ivanti Endpoint Manager Mobile (EPMM) systems.

Threat actors are actively exploiting two critical vulnerabilities, CVE-2025-4427 and CVE-2025-4428, to deploy persistent malware that enables complete system compromise and arbitrary code execution on targeted servers.

The attack campaign emerged shortly after Ivanti disclosed the vulnerabilities on May 13, 2025, with threat actors beginning exploitation around May 15, 2025, following the publication of proof-of-concept code.


The vulnerabilities affect Ivanti EPMM versions 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior, representing a significant attack surface for organizations that rely on mobile device management infrastructure.

The malicious actors demonstrate sophisticated techniques by chaining CVE-2025-4427, an authentication bypass vulnerability, with CVE-2025-4428, a code injection flaw, to gain unauthorized access to EPMM deployments.

With the authentication bypass in hand, attackers target the /mifs/rs/api/v2/ endpoint using HTTP GET requests whose ?format= parameter carries injected remote commands, enabling them to collect system information, download malicious payloads, enumerate network resources, and extract LDAP credentials.

CISA Cyber Team analysts identified two distinct malware sets during their investigation, each containing sophisticated loaders and malicious listeners designed to maintain persistent access to compromised infrastructure.

The first set consists of three components: Loader 1 (web-install.jar), ReflectUtil.class, and SecurityHandlerWanListener.class, while the second set includes Loader 2 (web-install.jar) and WebAndroidAppInstaller.class, with each component serving specific functions in the attack chain.

The threat actors employ advanced evasion techniques to bypass security controls and deliver their malware effectively.

Rather than uploading complete malicious files that might trigger security alerts, the attackers segment their payloads into multiple Base64-encoded chunks and transmit each segment through separate HTTP requests.

This approach serves dual purposes: circumventing signature-based detection systems and avoiding file size limitations that might prevent successful malware deployment.

| Vulnerability | CWE Classification | Attack Vector | CVSS Impact (C/I/A) |
| --- | --- | --- | --- |
| CVE-2025-4427 | Authentication Bypass Using Alternate Path | Remote | High/High/High |
| CVE-2025-4428 | Code Injection | Remote | High/High/High |

Advanced Payload Delivery and Persistence Mechanisms

The malware deployment process showcases remarkable technical sophistication in how threat actors establish and maintain persistence on compromised systems.

The attack begins with Java Expression Language injection techniques that create malicious JAR files in the /tmp directory through a methodical chunk-based reconstruction process.

For the initial payload delivery, attackers craft HTTP GET requests containing Java EL injection code that creates FileOutputStream objects to write Base64-decoded malware segments directly to the target system.

The malicious request structure follows this pattern: GET /mifs/rs/api/v2/featureusage?format=${""getClass().forName("java.io.FileOutputStream").getConstructor("".getClass(),"".getClass().forName("[Z").getComponentType()).newInstance("/tmp/web-install.jar",true).write("".getClass().forName("java.util.Base64").getMethod("getDecoder").invoke(null).decode("[BASE64_CHUNK]"))}.

Because no single request carries a recognizable file, this technique evades signature-based detection while a complete executable is reconstructed on the target system one chunk at a time.
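The chunked delivery described above leaves a distinctive trail in the web server access log: a burst of GET requests to the /mifs/rs/api/v2/ API whose format parameter contains a Java EL expression (${ ... }) with reflection and file-write tokens, all appending to the same file under /tmp. The following detector is an added example written for this article, not CISA's or Ivanti's tooling; the log lines, IP addresses and chunk values are constructed, the injected query is an abbreviated imitation of the pattern quoted above, and the chunk threshold of three is an arbitrary assumption. It parses Apache/Tomcat combined-format lines, flags EL injection in any query parameter of the API path, extracts the file the expression writes to, and reports source/target pairs that repeat often enough to indicate chunk-by-chunk assembly.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Tokens from the request pattern described in the article. An EL marker in
# a query parameter plus any of these is treated as an injection attempt.
EL_MARKER = "${"
SUSPICIOUS_TOKENS = ("forName(", "FileOutputStream", "Base64", "getDecoder", "newInstance(")
TARGET_PATH_PREFIX = "/mifs/rs/api/v2/"

# Apache/Tomcat combined access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# FileOutputStream(path, append=true) as it appears in the injected expression.
WRITE_TARGET_RE = re.compile(r'newInstance\("([^"]+)",\s*true\)')


def _injected_url(chunk: str) -> str:
    """CONSTRUCTED sample URL for the test log below: an abbreviated ('...')
    imitation of the article's pattern, percent-encoded as a client would send it."""
    expr = ('${"".getClass().forName("java.io.FileOutputStream")...'
            '.newInstance("/tmp/web-install.jar",true).write(...decode("%s"))}' % chunk)
    return TARGET_PATH_PREFIX + "featureusage?format=" + quote(expr, safe="")


def _line(ip: str, ts: str, url: str, status: str = "200") -> str:
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "GET {url} HTTP/1.1" {status} 512 "-" "curl/8.0"'


# Constructed sample log: one benign API call, four chunk writes from one
# source, and an unrelated page load.
SAMPLE_LOG = [
    _line("198.51.100.7", "15/May/2025:09:00:00 +0000", "/mifs/rs/api/v2/featureusage?format=json"),
    _line("203.0.113.10", "15/May/2025:09:12:01 +0000", _injected_url("QUFB")),
    _line("203.0.113.10", "15/May/2025:09:12:02 +0000", _injected_url("QkJC")),
    _line("203.0.113.10", "15/May/2025:09:12:03 +0000", _injected_url("Q0ND")),
    _line("203.0.113.10", "15/May/2025:09:12:04 +0000", _injected_url("RERE")),
    _line("198.51.100.7", "15/May/2025:09:15:00 +0000", "/mifs/login.jsp"),
]


def inspect_url(url: str) -> list:
    """Return the reasons a request URL looks like EL injection against the
    EPMM API, or an empty list when it looks benign."""
    parts = urlsplit(url)
    if not parts.path.startswith(TARGET_PATH_PREFIX):
        return []
    reasons = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once; this catches double encoding
            if EL_MARKER not in value:
                continue
            reasons.append(f"EL expression in parameter '{name}'")
            hits = [t for t in SUSPICIOUS_TOKENS if t in value]
            if hits:
                reasons.append("reflection/file-write tokens: " + ", ".join(hits))
    return reasons


def write_target(url: str):
    """Extract the file path the injected expression appends to, if any."""
    match = WRITE_TARGET_RE.search(unquote(urlsplit(url).query))
    return match.group(1) if match else None


def analyze(lines, chunk_threshold: int = 3) -> dict:
    """Scan log lines; return per-request alerts and (source, file) pairs that
    were written to at least chunk_threshold times (chunked payload assembly)."""
    alerts = []
    writes = Counter()
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        reasons = inspect_url(match["url"])
        if not reasons:
            continue
        target = write_target(match["url"])
        alerts.append({"ip": match["ip"], "ts": match["ts"], "target": target, "reasons": reasons})
        if target:
            writes[(match["ip"], target)] += 1
    chunked = {key: n for key, n in writes.items() if n >= chunk_threshold}
    return {"alerts": alerts, "chunked_writes": chunked}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(alert["ts"], alert["ip"], alert["target"], "; ".join(alert["reasons"]))
    for (ip, path), count in result["chunked_writes"].items():
        print(f"chunked write: {ip} appended {count} chunks to {path}")
```

Run it against a real access log by feeding the file's lines to analyze(); a legitimate format value such as json never contains an EL marker, so the first check alone is a low-noise indicator, and the repeated-write count distinguishes a one-off probe from payload reconstruction.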

Once the malware components are successfully deployed, Set 1 operates through a sophisticated three-stage process.

Loader 1 contains and dynamically loads ReflectUtil.class, which then manipulates Java objects to inject SecurityHandlerWanListener into the Apache Tomcat server running on the compromised system.

The ReflectUtil.class component bypasses Java Development Kit module restrictions, iterates through object contexts, and attempts to load the malicious listener class using hard-coded strings that masquerade as legitimate JUnit framework components.

SecurityHandlerWanListener establishes a persistent backdoor by intercepting specific HTTP requests containing predetermined authentication tokens.

The listener monitors for requests containing the string “pass 7c6a8867d728c3bb”, a “Referer” header, and the header value “https://www[.]live.com”.

When these conditions are met, the malware reads a Base64-encoded payload from the request stream, decodes it, and decrypts the result with AES using the hard-coded key, then defines new Java classes from the decrypted bytes, giving the operator arbitrary code execution.

| Malware Component | Size (bytes) | Primary Function | Encoding / Encryption |
| --- | --- | --- | --- |
| Loader 1 (web-install.jar) | 30,996 | Contains ReflectUtil.class | Base64 encoding |
| ReflectUtil.class | 11,886 | Injects SecurityHandlerWanListener | gzip compression |
| SecurityHandlerWanListener.class | 4,690 | HTTP request interception | AES with key 7c6a8867d728c3bb |
| WebAndroidAppInstaller.class | 16,120 | Payload processing | AES with key 3c6e0b8a9c15224a |

Set 2 operates through a more streamlined but equally effective approach, with Loader 2 containing and loading WebAndroidAppInstaller.class at runtime.

This component masquerades as part of the legitimate com.mobileiron.service package and intercepts HTTP requests with specific Content-Type headers containing “application/x-www-form-urlencoded”.

The malware reads the password parameter from incoming requests, Base64-decodes it and decrypts it with AES using the hard-coded key “3c6e0b8a9c15224a”, and dynamically defines new malicious classes from the decrypted bytes.
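Both listeners wait for a request that matches a fixed trigger, which is exactly what a defender can hunt for in proxy, WAF or Tomcat request logs: for Set 1, a Referer of https://www.live.com (written defanged as www[.]live.com above) together with the string “pass 7c6a8867d728c3bb”; for Set 2, a form-urlencoded body whose password parameter is not a password at all but Base64 of an AES ciphertext. The classifier below is an added example written for this article, not code from CISA or Ivanti; the request records are constructed, and the Set 2 rule is a heuristic of my own (decoded length a multiple of the 16-byte AES block, at least 32 bytes, mostly non-printable) chosen so that a real user's password is not flagged.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

SET1_TRIGGER_STRING = "pass 7c6a8867d728c3bb"
SET1_REFERER = "https://www.live.com"  # the article defangs this as www[.]live.com
AES_BLOCK = 16


def _header(headers: dict, name: str):
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _looks_like_ciphertext(value: str, min_len: int = 32) -> bool:
    """Heuristic (assumption, not from the article): strict Base64 that decodes
    to a whole number of AES blocks and is mostly non-printable."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < min_len or len(raw) % AES_BLOCK:
        return False
    printable = sum(1 for byte in raw if 32 <= byte < 127)
    return printable / len(raw) < 0.7


def classify_request(req: dict) -> list:
    """Return the backdoor trigger signatures a request matches (empty if none).
    req = {"method", "path", "headers": {...}, "body": str}."""
    findings = []
    headers = req.get("headers", {})
    body = req.get("body", "")
    searchable = req.get("path", "") + "\n" + body

    referer = _header(headers, "Referer") or ""
    if referer.startswith(SET1_REFERER) and SET1_TRIGGER_STRING in searchable:
        findings.append("Set 1 trigger: SecurityHandlerWanListener token with live.com Referer")

    content_type = _header(headers, "Content-Type") or ""
    if content_type.startswith("application/x-www-form-urlencoded"):
        for value in parse_qs(body).get("password", []):
            if _looks_like_ciphertext(value):
                findings.append("Set 2 trigger: AES-like ciphertext in form 'password' parameter")
    return findings


def scan(requests) -> list:
    """Run classify_request over a sequence of records; return (index, findings)."""
    return [(i, classify_request(r)) for i, r in enumerate(requests) if classify_request(r)]


# Constructed sample traffic: a normal login, a Set 1 trigger, and a Set 2 trigger.
_FAKE_CIPHERTEXT = base64.b64encode(bytes(range(48))).decode()  # 48 bytes, 3 AES blocks
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/mifs/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": urlencode({"username": "alice", "password": "Spring2025!"})},
    {"method": "POST", "path": "/mifs/some/page",
     "headers": {"Referer": "https://www.live.com", "Content-Type": "text/plain"},
     "body": SET1_TRIGGER_STRING + "\n" + _FAKE_CIPHERTEXT},
    {"method": "POST", "path": "/mifs/some/page",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": urlencode({"password": _FAKE_CIPHERTEXT})},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_REQUESTS):
        print(f"request {index}: " + "; ".join(findings))
```

The Set 1 rule is a direct indicator and should page an analyst on a single hit; the Set 2 rule is a weaker signal worth correlating with the source IP and with any preceding EL injection against /mifs/rs/api/v2/, since a legitimate password will fail the Base64 or block-length checks long before the printable-byte ratio matters.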

The sophisticated nature of these attacks demonstrates the threat actors’ deep understanding of Java-based enterprise applications and their ability to exploit complex software architectures for persistent access.

Organizations must immediately upgrade their Ivanti EPMM installations to the latest patched versions and implement additional monitoring for mobile device management systems, treating them as high-value assets requiring enhanced security controls and continuous surveillance.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.