Ivanti EPMM holes let miscreants plant shady listeners, CISA says

TribeNews

An unknown attacker has abused a couple of flaws in Ivanti Endpoint Manager Mobile (EPMM) and deployed two sets of malware against an unnamed organization, according to the US Cybersecurity and Infrastructure Security Agency.

While CISA doesn’t attribute this compromise to a particular group, both of these flaws, CVE-2025-4427 and CVE-2025-4428, were exploited as zero-days before Ivanti disclosed and patched them on May 13. Soon after, private security researchers blamed suspected Chinese government spies for the intrusions.

CVE-2025-4427 is an authentication bypass vulnerability and CVE-2025-4428 is a post-authentication remote code execution (RCE) flaw. The two can be chained to run malware on – and hijack – vulnerable deployments.

In a Thursday alert, CISA said the intrusion it investigated happened around May 15 after a proof-of-concept exploit became available, and the unnamed attacker accessed the organization’s server running EPMM by chaining both CVEs. Both malware sets contain “loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server,” the cyber-defense agency said.

While CISA doesn’t name the victim company or indicate what sector it belongs to, Australia’s intelligence agency previously warned large organizations and government entities to be on the lookout for suspicious activity targeting these two Ivanti EPMM bugs for attacks.

According to CISA’s analysis, malware set 1 consists of three malicious files: web-install.jar, ReflectUtil.class, and SecurityHandlerWanListener.class.

Set 2 contains web-install.jar and WebAndroidAppInstaller.class.

After being dropped on a victim machine, the first loader loads ReflectUtil.class, which injects and manages the malicious listener – SecurityHandlerWanListener in Apache Tomcat. This snoopy software “intercepts specific HTTP requests and processes them to decode and decrypt payloads, creating a new class that cyber threat actors can execute to run arbitrary code,” CISA explained.

Meanwhile, the second loader loads WebAndroidAppInstaller.class, which also intercepts and processes specific HTTP requests, and then steals password parameters from those before defining and loading a new malicious class. The malware then encrypts the new class output, and generates a response.

It’s also worth noting that the attacker delivered this malware in segments, splitting both loaders into multiple Base64-encoded segments and delivering each via separate HTTP GET requests. This makes it more difficult for security tools to detect and block the malware, allowing it to evade signature-based detection and size limitations.
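
The segmented delivery described above can be spotted on the defender's side by doing what the loader does: reassembling the pieces. The Python below is an added example, not code from CISA's report or from Ivanti. It assumes a constructed web access log in which the Base64 segments travel in a query parameter of successive GET requests; CISA's alert does not say how the segments were carried, so the parameter name, the endpoint path, the client addresses and the timestamps are placeholders. The detector groups Base64-looking parameter values by client, path and parameter, concatenates them in log order, and checks whether the concatenation decodes to a Java class file (which always begins with the bytes CA FE BA BE), something no individual fragment reveals.

```python
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

# Combined Log Format: client, identd, user, [timestamp], "method target proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
# A query value that looks like a Base64 fragment: a long run of the Base64 alphabet.
B64_RE = re.compile(r'^[A-Za-z0-9+/=]{16,}$')
# Every Java class file starts with these four bytes.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def build_sample_log():
    """Construct an access log in which one client delivers a fake class file in
    three Base64 segments over separate GETs. The endpoint path, the parameter
    name 'p', the client addresses and the timestamps are placeholders, not
    values from CISA's report."""
    fake_class = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"constructed-fake-classfile-" * 4
    encoded = base64.b64encode(fake_class).decode()
    step = -(-len(encoded) // 3)          # ceiling division: three roughly equal segments
    segments = [encoded[i:i + step] for i in range(0, len(encoded), step)]
    lines = [
        '203.0.113.5 - - [15/May/2025:10:01:57 +0000] "GET /login?id=42 HTTP/1.1" 200 1024',
        '203.0.113.5 - - [15/May/2025:10:01:58 +0000] "POST /login HTTP/1.1" 302 0',
    ]
    for n, seg in enumerate(segments):
        # quote() percent-encodes '+', '/' and '=' so parse_qs() restores them exactly.
        lines.append(
            f'198.51.100.7 - - [15/May/2025:10:02:0{n} +0000] '
            f'"GET /example/endpoint?p={quote(seg, safe="")} HTTP/1.1" 200 512'
        )
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def find_fragmented_payloads(log_text, min_segments=2):
    """Group Base64-looking GET parameter values by (client, path, parameter) in
    log order, then try to decode the concatenation. Fragments that are inert on
    their own become recognisable once reassembled."""
    streams = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        url = urlsplit(m.group("target"))
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                if B64_RE.match(value):
                    streams[(m.group("ip"), url.path, param)].append(value)

    findings = []
    for (ip, path, param), segments in streams.items():
        if len(segments) < min_segments:
            continue
        joined = "".join(segments)
        try:
            decoded = base64.b64decode(joined, validate=True)
        except (binascii.Error, ValueError):
            decoded = b""                 # pieces that never decode are still worth a look
        findings.append({
            "client": ip,
            "path": path,
            "param": param,
            "segments": len(segments),
            "encoded_length": len(joined),
            "decodes": bool(decoded),
            "java_class": decoded.startswith(JAVA_CLASS_MAGIC),
        })
    return findings


if __name__ == "__main__":
    for finding in find_fragmented_payloads(SAMPLE_LOG):
        print(finding)
```

Run stand-alone, the script reports the one reassembled stream from 198.51.100.7 with three segments and java_class set to true, while the two benign requests produce nothing. Legitimate long tokens (session IDs, signed cookies echoed in a query) can also look like Base64, so in practice rank findings by whether the concatenation decodes and what it decodes to, and correlate the clients and paths with the IOCs CISA published rather than alerting on the segment count alone.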

In addition to the lengthy malware analysis, CISA also published indicators of compromise (IOCs) associated with this malware, so give that a read. The agency urged organizations to upgrade to the latest Ivanti EPMM version (if you haven’t already) while also “treating mobile device management (MDM) systems as high-value assets.” This means additional restrictions and monitoring to prevent nefarious activity and system hijacking.

CISA declined to comment beyond the report. ®