The U.S. Cybersecurity Agency has raised an alarm over two malware kits found on an organization’s network after attackers exploited vulnerabilities in the Ivanti Endpoint Manager Mobile (EPMM) system. The vulnerabilities, tracked as CVE-2025-4427 and CVE-2025-4428, were used in zero-day attacks before Ivanti released updates in May 2025. The first flaw allows an attacker to bypass authentication and reach protected resources; the second enables remote code execution. Chained together, they allow unauthenticated command execution on the EPMM server.

The attack, which began around May 15, 2025, used a proof-of-concept exploit published shortly before. With this access, the attackers ran commands to gather system information, upload malicious files, list the contents of the root directory, perform network reconnaissance, create a heap dump, and extract LDAP credentials.

The malicious files were uploaded to the server’s /tmp directory and gave the attackers persistence by injecting and executing arbitrary code. A JAR file launched a Java class that acted as a malicious HTTP listener: it intercepted requests, decrypted their payloads, and dynamically created a new class that was executed in memory. ReflectUtil.class manipulated Java objects to inject a SecurityHandlerWanListener component into Apache Tomcat, where it intercepted HTTP requests and executed the generated class. WebAndroidAppInstaller.class decrypted a password parameter to generate and execute a new class, then re-encrypted the result for the response. Together these components provided remote code execution and persistence on the system and orchestrated further stages of the attack, including interception of HTTP traffic for data exfiltration.

Administrators are urged to update Ivanti EPMM installations, enhance monitoring, and restrict access to the MDM system to prevent similar attacks.
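As an added triage helper (not code from CISA, Ivanti, or the report above), the following script flags two artifacts consistent with the persistence mechanism described: JAR, class and heap-dump files dropped under /tmp, and Tomcat JVMs that still hold a JAR from /tmp open. It operates on plain text copied off the appliance (`find /tmp -type f` and `lsof -p <pid>` output); all sample data and file names are constructed assumptions.

```python
"""Triage helper: flag /tmp-resident Java artifacts and JVMs loading code from /tmp.
Added example, not the report's code; sample data is constructed."""
from collections import defaultdict

WATCH_DIR = "/tmp/"
# The report describes a JAR launcher and Java classes dropped to /tmp plus a
# heap dump; .hprof is the JVM's default heap-dump suffix (assumption).
SUSPECT_SUFFIXES = (".jar", ".class", ".hprof")


def flag_tmp_files(paths):
    """Return entries under /tmp with a suspect suffix (input: `find /tmp -type f`)."""
    return sorted(p for p in paths
                  if p.startswith(WATCH_DIR) and p.lower().endswith(SUSPECT_SUFFIXES))


def flag_open_jars(lsof_lines):
    """Map PID -> JARs under /tmp held open by a Java process (input: `lsof -p <pid>`).
    URLClassLoader keeps classpath JARs open, so a JAR injected into the running
    Tomcat still shows up here after the file was unlinked ('(deleted)' marker)."""
    hits = defaultdict(set)
    for line in lsof_lines:
        fields = line.split(maxsplit=8)  # lsof: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
        if len(fields) < 9 or fields[0] == "COMMAND":
            continue  # header or truncated line
        command, pid, name = fields[0], fields[1], fields[8].replace(" (deleted)", "")
        if (command.lower().startswith("java") and name.startswith(WATCH_DIR)
                and name.lower().endswith(".jar")):
            hits[pid].add(name)
    return {pid: sorted(v) for pid, v in hits.items()}


# Constructed sample output, as if copied off an EPMM appliance.
SAMPLE_TMP = [
    "/tmp/web.jar",
    "/tmp/ReflectUtil.class",
    "/tmp/java_pid4242.hprof",
    "/tmp/hsperfdata_tomcat/4242",  # benign JVM perf data, must not be flagged
    "/var/log/tomcat/catalina.out",
]
SAMPLE_LSOF = [
    "COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME",
    "java 4242 tomcat 12r REG 8,1 5120 9876 /tmp/web.jar (deleted)",
    "java 4242 tomcat 13r REG 8,1 1048576 1111 /usr/share/tomcat/lib/catalina.jar",
    "java 4242 tomcat 14u REG 8,1 0 2222 /tmp/hsperfdata_tomcat/4242",
]

if __name__ == "__main__":
    print("suspect files:", flag_tmp_files(SAMPLE_TMP))
    print("JARs from /tmp open in JVMs:", flag_open_jars(SAMPLE_LSOF))
```

Any hit from either function warrants capturing the file (or the open descriptor via /proc/<pid>/fd if it was deleted) before the server is patched or rebooted.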

