CISA warns of malware deployed through Ivanti EPMM flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) disclosed two malware strains found in a network compromised via Ivanti EPMM flaws.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published technical details of two malware families that were discovered in the network of an unnamed organization following the compromise of Ivanti Endpoint Manager Mobile (EPMM).

CISA released a report on two malware strains used in exploits of Ivanti EPMM flaws CVE-2025-4427 and CVE-2025-4428.

“The Cybersecurity and Infrastructure Security Agency (CISA) obtained two sets of malware from an organization compromised by cyber threat actors exploiting CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (Ivanti EPMM),” reads the malware analysis report published by CISA. “Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server.”

In mid-May, Ivanti released security updates to address vulnerabilities CVE-2025-4427 and CVE-2025-4428 in its Endpoint Manager Mobile (EPMM) software. The company confirmed that threat actors had chained the two flaws in limited attacks to gain remote code execution.

Below is their description:

  • CVE-2025-4427 (CVSS score: 5.3) – An authentication bypass in Endpoint Manager Mobile allowing attackers to access protected resources without proper credentials. 
  • CVE-2025-4428 (CVSS score: 7.2) – A remote code execution vulnerability in Endpoint Manager Mobile allowing attackers to execute arbitrary code on the target system. 

CERT-EU reported both vulnerabilities to the software firm. The company confirmed that threat actors could chain the two vulnerabilities to achieve remote code execution without authentication.

The vulnerabilities have been addressed in versions 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1.

The vulnerabilities affect two unnamed open-source libraries used in EPMM; the company pointed out that the flaws do not reside in its own code. Ivanti is still investigating the attacks but, at the time of this writing, does not have “reliable atomic indicators.”

In May, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities (KEV) catalog.

In May 2025, threat actors exploited the Ivanti EPMM flaws to access servers, executing commands via the /mifs/rs/api/v2/ endpoint. The attackers performed a series of malicious activities, including gathering system data, downloading malware, and mapping networks. The intruders then dumped LDAP credentials and maintained persistence by writing malicious files to /tmp. CISA analyzed the two malware sets and urges organizations to use the published IOCs, apply the detection guidance, and update to the latest Ivanti EPMM version.

The sets of malware analyzed by CISA are:

  • Set 1 consists of the following malicious files: web-install.jar, ReflectUtil.class, and SecurityHandlerWanListener.class.
  • Set 2 consists of the following malicious files: web-install.jar and WebAndroidAppInstaller.class.

Each malware set includes a loader and listener that let attackers inject and execute arbitrary code on the compromised server.

The loaders run a malicious Java class listener, intercepting HTTP requests to decode and decrypt payloads for execution.

Below are additional details on the two malware sets.

Set 1: Uses a loader (ReflectUtil.class) disguised as an Apache package to bypass restrictions and secretly install a malicious listener (SecurityHandlerWanListener) into Apache Tomcat. This listener intercepts specific HTTP requests, decrypts hidden payloads, and dynamically creates new Java classes. With it, the attackers can run arbitrary code, maintain persistence, and exfiltrate data.

Set 2: Contains a loader (WebAndroidAppInstaller.class) posing as a MobileIron service. It installs another malicious listener that intercepts form-encoded HTTP requests, decrypts hidden parameters with a hard-coded AES key, builds and executes new classes, and then encrypts and returns the results. The attackers run arbitrary code on the vulnerable instance and can steal data and take over a compromised system.

Both malware sets give attackers powerful persistence, code execution, and data theft capabilities.

Organizations should update to the latest version, monitor for suspicious activity, and restrict access to MDM systems to prevent attacks.

CISA also shared YARA and SIGMA rules to detect the malware, along with MITRE ATT&CK techniques.
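The two observations above that a defender can act on immediately are the request path the intruders used (/mifs/rs/api/v2/) and the file names of the malicious classes in each set. The following script, added here as an illustration and not part of CISA's report or its YARA/SIGMA rules, turns both into simple checks: it scans web server access-log lines for requests under that path and inspects a JAR archive for entries whose class name matches one of the names listed for Set 1 or Set 2. The log lines and the JAR contents are constructed samples; the sub-paths and package directory in them are placeholders, not values taken from the report.

```python
import io
import re
import zipfile

# Class file names the article lists for the two malware sets.
SUSPICIOUS_CLASSES = {
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}

# API path prefix the article names as the one used to execute commands.
SUSPICIOUS_PATH_PREFIX = "/mifs/rs/api/v2/"

# Common log format: client ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def scan_access_log(lines):
    """Return (client, timestamp, method, path, status) for every request
    whose path starts with the suspicious prefix. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        if path.startswith(SUSPICIOUS_PATH_PREFIX):
            hits.append((client, ts, method, path, int(status)))
    return hits


def scan_jar(jar_bytes):
    """Return the full entry names inside a JAR (a zip file) whose base name
    matches one of the known malicious class names, in archive order."""
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if base in SUSPICIOUS_CLASSES:
                found.append(name)
    return found


# Constructed sample log lines (documentation IP ranges, placeholder sub-paths).
SAMPLE_LOG = [
    '203.0.113.10 - - [15/May/2025:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1523',
    '203.0.113.10 - - [15/May/2025:10:01:09 +0000] "GET /mifs/rs/api/v2/SAMPLE-A HTTP/1.1" 200 812',
    '198.51.100.7 - - [15/May/2025:10:02:30 +0000] "POST /mifs/rs/api/v2/SAMPLE-B HTTP/1.1" 200 440',
    '192.0.2.44 - - [15/May/2025:10:03:00 +0000] "GET /mifs/c/ HTTP/1.1" 302 0',
    'not a log line at all',
]


def build_sample_jar():
    """Build an in-memory JAR with one benign class and two entries named like
    the Set 1 files; the package directory is a placeholder, not the real one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Benign.class", b"\xca\xfe\xba\xbe")
        zf.writestr("org/placeholder/ReflectUtil.class", b"\xca\xfe\xba\xbe")
        zf.writestr("SecurityHandlerWanListener.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious request:", hit)
    for entry in scan_jar(build_sample_jar()):
        print("suspicious jar entry:", entry)
```

A hit on the path prefix is not proof of compromise on its own, since the endpoint is part of the product; the value of the log check is in correlating it with the other behaviours the article describes (new files under /tmp, LDAP queries, outbound downloads) and with the file-name check against any web-install.jar found on the appliance.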


Pierluigi Paganini

(SecurityAffairs – hacking, Ivanti EPMM)
