CISA Warned of 2 Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 & CVE-2025-4428!

Breaking news about CISA issuing a warning regarding malware exploiting Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428.


“CISA is warning people about 2 Malware Strains that are exploiting Ivanti EPMM CVE-2025-4427 & CVE-2025-4428.”

On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published details of two malware packages found in the network of an unnamed organization after exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).


“Malicious listener loaders are included in each set, allowing cyber threat actors to execute arbitrary code on the compromised server.”


“The malicious listener SecurityHandlerWanListener in Apache Tomcat is injected and managed by ReflectUtil.class through manipulation of Java classes.”


“[SecurityHandlerWanListener.class] is a malicious listener that intercepts specified HTTP requests and processes them” in order to decode and decrypt payloads that dynamically generate and run a new class.

The attack exploited CVE-2025-4427 and CVE-2025-4428, both of which had been abused as zero-days before Ivanti patched them in May 2025.


Risks

  • CVE-2025-4427 is an authentication bypass that gives attackers access to protected resources.
  • CVE-2025-4428 allows remote code execution.
  • Chained together, the two vulnerabilities therefore allow arbitrary code to be run on a vulnerable device without authentication.

According to CISA, around May 15, 2025, after a proof-of-concept (PoC) exploit was published, the threat actors chained the two vulnerabilities to gain access to a server running EPMM.

According to the agency, this access let the attackers run commands to map the network, download malicious files, list the root directory, collect system information, run scripts to generate a heap dump, and dump Lightweight Directory Access Protocol (LDAP) credentials.

Subsequent investigation revealed that the cyber threat actors had placed two sets of malicious files in the “/tmp” directory, each of which provided persistence by injecting arbitrary code into the compromised server and executing it:

  • Set 1 – web-install.jar (aka Loader 1), ReflectUtil.class, and SecurityHandlerWanListener.class
  • Set 2 – web-install.jar (aka Loader 2) and WebAndroidAppInstaller.class

In both sets, the loader starts a malicious Java class listener that intercepts specific HTTP requests and decodes and decrypts payloads for further execution.

WebAndroidAppInstaller.class, however, operates differently. It uses a hard-coded key to retrieve and decrypt a password parameter from the request, then uses the decrypted contents to define and instantiate a new class.


The same hard-coded key is then used to encrypt the output of the new class’s execution, and the encrypted output is returned in the HTTP response.

As a result, the attackers can inject and run arbitrary code on the server and exfiltrate data by intercepting and processing HTTP requests, giving them persistence and a foothold for follow-on activity.
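Because both sets were dropped as named files in /tmp and the listener classes ship packed inside web-install.jar, one practical check for defenders is to look for those file and class names on disk and inside JARs. The following scanner is an added example (not code from CISA or the article); the indicator names come from the report above, while the directory layout, the sample tree and the function names are assumptions made for the demo.

```python
import tempfile
import zipfile
from pathlib import Path

# File names CISA reported in /tmp for the two malicious sets (from the article).
SUSPICIOUS_FILES = {
    "web-install.jar", "ReflectUtil.class",
    "SecurityHandlerWanListener.class", "WebAndroidAppInstaller.class",
}
# Class entries that a legitimate JAR on an EPMM host should not contain.
SUSPICIOUS_CLASSES = SUSPICIOUS_FILES - {"web-install.jar"}

def scan_tree(root):
    """Walk root and return 'path: reason' findings, sorted by path."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name in SUSPICIOUS_FILES:
            findings.append(f"{path}: filename matches reported indicator")
        # Look inside JARs too: the listener classes ship packed in web-install.jar.
        if path.suffix.lower() == ".jar" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as jar:
                for entry in jar.namelist():
                    # Compare the basename so a package prefix cannot hide the class.
                    if entry.rsplit("/", 1)[-1] in SUSPICIOUS_CLASSES:
                        findings.append(f"{path}: JAR contains {entry}")
    return findings

def build_sample(root):
    """Constructed sample tree (not real malware): a benign JAR under lib/ and a
    loader-like JAR plus a stray class file under tmp/, mirroring the report."""
    root = Path(root)
    (root / "lib").mkdir(parents=True, exist_ok=True)
    (root / "tmp").mkdir(parents=True, exist_ok=True)
    magic = b"\xca\xfe\xba\xbe"  # Java class-file magic, standing in for bytecode
    with zipfile.ZipFile(root / "lib" / "app.jar", "w") as jar:
        jar.writestr("com/example/Service.class", magic)
    with zipfile.ZipFile(root / "tmp" / "web-install.jar", "w") as jar:
        jar.writestr("com/example/ReflectUtil.class", magic)
        jar.writestr("com/example/SecurityHandlerWanListener.class", magic)
    (root / "tmp" / "WebAndroidAppInstaller.class").write_bytes(magic)

def demo():
    """Build the constructed sample in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)
```

On a real host, point scan_tree at the EPMM installation and /tmp; a filename match is a strong lead but the JAR contents check is what catches a renamed loader.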

To stay protected against these attacks, organizations are encouraged to upgrade their EPMM instances to the latest version, monitor for indications of unusual activity, and put the necessary safeguards in place to prevent unauthorized access to mobile device management (MDM) systems.

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking. Find out more about him.
