CISA Warns: Malware Kits Found in Ivanti EPMM Attacks

▼ Summary
– CISA published an analysis of malware exploiting two Ivanti EPMM vulnerabilities: an authentication bypass (CVE-2025-4427) and a code injection flaw (CVE-2025-4428).
– These vulnerabilities affect specific Ivanti EPMM versions and were exploited as zero-days before Ivanti patched them on May 13; the activity has been attributed to a China-linked group active since at least May 15.
– Attackers used HTTP GET requests to the /mifs/rs/api/v2/ endpoint to run reconnaissance, extract LDAP credentials, and deliver malware in segmented Base64-encoded chunks.
– Two malware sets were analyzed, each with distinct loaders and malicious listeners enabling code execution, data exfiltration, and persistence on compromised systems.
– CISA provided IOCs, detection rules, and recommends immediate patching, isolating affected systems, and treating MDM systems as high-value assets with enhanced security.
A recent alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) details newly identified malware toolkits actively exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). These attacks leverage two specific security flaws: an authentication bypass in the EPMM API (CVE-2025-4427) and a code injection weakness (CVE-2025-4428), which together enable remote execution of arbitrary commands. Affected versions include 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0, as well as earlier releases.
Although Ivanti released patches on May 13, threat actors had already begun exploiting these vulnerabilities as zero-days against a small number of targets. Just days later, intelligence analysts linked the activity with high confidence to a China-nexus espionage group operating since at least May 15. This threat actor demonstrated deep familiarity with Ivanti EPMM’s architecture, repurposing built-in components to stealthily exfiltrate sensitive information.
CISA’s analysis focuses on the technical aspects of the attack rather than attribution. The agency examined malicious files recovered from an organization compromised via an exploit chain combining both vulnerabilities. Attackers targeted the `/mifs/rs/api/v2/` endpoint using HTTP GET requests, manipulating the `?format=` parameter to issue malicious remote commands. These commands enabled reconnaissance actions such as system profiling, directory listing, network mapping, credential harvesting, and retrieval of additional payloads.
The malware deployment followed a split delivery mechanism, using segmented Base64-encoded chunks transmitted through separate HTTP requests. Analysts identified two distinct malware sets, each containing a loader and malicious listener designed to inject and execute code, maintain persistence, and facilitate data theft.
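As an added illustration of the request pattern described above, the following Python script is not from the CISA analysis or from Bleeping Computer. It scans web-server access-log lines for GET requests to the `/mifs/rs/api/v2/` endpoint whose `format` parameter carries something other than an expected value, and groups Base64-looking values by source address so that the split delivery across separate HTTP requests stands out. The log lines, IP addresses, timestamps, User-Agent strings and the allowlist of expected `format` values are all constructed assumptions; the script is a triage aid, not a replacement for the YARA and SIGMA rules CISA published.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the CISA analysis; any path suffix is checked by prefix only.
TARGET_PREFIX = "/mifs/rs/api/v2/"
# Assumption: the benign values an environment expects in ?format=; adjust to your own logs.
EXPECTED_FORMAT_VALUES = {"json", "xml"}

# Apache/NGINX "combined" access-log layout: client, identity, user, [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Cheap pre-filter before attempting a strict Base64 decode.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decoded
    return rec


def looks_base64(value):
    """True when the value both looks like and strictly decodes as Base64."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def analyze(log_text):
    """Return findings for suspicious ?format= values on the EPMM API endpoint.

    Two kinds of finding are produced:
      - unexpected_format_value: a format value outside the allowlist (one per request)
      - segmented_base64_delivery: one client sent two or more Base64 fragments; the
        decoded fragments are concatenated in arrival order for the analyst
    """
    findings = []
    chunks = defaultdict(list)  # client ip -> decoded fragments in log order
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(TARGET_PREFIX):
            continue
        for value in rec["query"].get("format", []):
            if value.lower() in EXPECTED_FORMAT_VALUES:
                continue
            findings.append({"kind": "unexpected_format_value", "ip": rec["ip"],
                             "ts": rec["ts"], "value": value})
            if looks_base64(value):
                chunks[rec["ip"]].append(base64.b64decode(value))
    for ip, parts in chunks.items():
        if len(parts) >= 2:
            findings.append({"kind": "segmented_base64_delivery", "ip": ip,
                             "chunks": len(parts),
                             "reassembled": b"".join(parts).decode("utf-8", "replace")})
    return findings


def _line(ip, ts, target, agent="curl/8.0"):
    # Helper to build constructed sample lines in combined-log format.
    return f'{ip} - - [{ts}] "GET {target} HTTP/1.1" 200 128 "-" "{agent}"'


# Constructed sample log: one benign client, one client sending three Base64 fragments
# of a harmless string, one client with an odd but non-Base64 value, and one hit on an
# unrelated path that the endpoint filter must ignore. Nothing here is a real payload.
_FRAGMENTS = [base64.b64encode(p).decode() for p in (b"constructed-", b"sample-", b"payload")]
SAMPLE_LOG = "\n".join([
    _line("203.0.113.10", "15/May/2025:10:01:02 +0000", "/mifs/rs/api/v2/?format=json", "Mozilla/5.0"),
    _line("198.51.100.7", "15/May/2025:10:02:15 +0000", f"/mifs/rs/api/v2/?format={_FRAGMENTS[0]}"),
    _line("198.51.100.7", "15/May/2025:10:02:16 +0000", f"/mifs/rs/api/v2/?format={_FRAGMENTS[1]}"),
    _line("198.51.100.7", "15/May/2025:10:02:17 +0000", f"/mifs/rs/api/v2/?format={_FRAGMENTS[2]}"),
    _line("192.0.2.44", "15/May/2025:10:05:00 +0000", "/mifs/rs/api/v2/?format=yaml"),
    _line("203.0.113.10", "15/May/2025:10:06:30 +0000", "/other/path?format=QUFBQUFBQUFBQUFB"),
])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

Run it against a real access log with `analyze(open(path).read())`; the allowlist is the main tuning knob, and a single unexpected value is only a lead, whereas several Base64 fragments from one client against this endpoint is the pattern worth escalating and pairing with the IOCs and rules in the CISA advisory.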
The first set included:
- `web-install.jar` (Loader 1)
- `ReflectUtil.class`, which manipulates Java objects to inject a listener
- `SecurityHandlerWanListener.class`, enabling code execution and data exfiltration
The second set contained:
- `web-install.jar` (Loader 2)
- `WebAndroidAppInstaller.class`, functioning as a malicious listener with similar capabilities
Both sets operate by intercepting specific HTTP requests, decoding attacker-provided payloads, and executing them on the compromised server.
CISA has released comprehensive indicators of compromise (IOCs), YARA rules, and a SIGMA rule to assist organizations in detecting related activity. For those identifying these or similar files, the agency advises immediate isolation of affected systems, thorough evidence collection, and creation of forensic disk images for further analysis.
To mitigate risk, administrators should apply available patches to Ivanti EPMM without delay and treat mobile device management systems as high-value assets. Implementing stricter access controls, enhanced monitoring, and network segmentation can further reduce exposure to similar attacks in the future.
(Source: Bleeping Computer)