CISA Warns of Malware Deployed Through Ivanti EPMM Flaws
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the deployment of two malware strains through vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The agency's latest report details the malicious activities carried out by threat actors who exploited these flaws to gain unauthorized access to a network.
In mid-May, Ivanti released security updates to address vulnerabilities CVE-2025-4427 and CVE-2025-4428 in its EPMM software. However, CISA has revealed that threat actors have chained these vulnerabilities to achieve remote code execution without authentication. The agency urges organizations to update to the latest version of Ivanti EPMM, monitor for suspicious activity, and restrict access to MDM systems to prevent attacks.
The vulnerabilities affect two unnamed open-source libraries used in EPMM, which were identified by CERT-EU and reported to the software firm. Ivanti has confirmed that threat actors can chain the two vulnerabilities to achieve remote code execution without authentication.
Malware Analysis Report
CISA analyzed two malware sets and revealed their tactics, techniques, and procedures (TTPs). The agency urges organizations to use IOCs, apply detection guidance, and update to the latest Ivanti EPMM version. The sets of malware analyzed by CISA are two distinct malicious payloads that work in conjunction with exploits of Ivanti EPMM flaws CVE-2025-4427 and CVE-2025-4428.
Each malware set consists of a loader and a listener. The loader installs a malicious Java listener class, which intercepts HTTP requests and decodes and decrypts the payloads they carry before executing them, letting attackers inject and run arbitrary code on the compromised server.
Malware Set 1: Apache Package Disguise
The first malware set uses a loader (ReflectUtil.class) disguised as an Apache package to bypass restrictions and secretly install a malicious listener (SecurityHandlerWanListener) into Apache Tomcat. This listener intercepts specific HTTP requests, decrypts hidden payloads, and dynamically creates new Java classes.
Attackers can run arbitrary code, maintain persistence, and exfiltrate data using this malware set. Organizations should be aware of the potential risks posed by this type of attack and take steps to prevent similar incidents in the future.
Malware Set 2: MobileIron Service
The second malware set contains a loader (WebAndroidAppInstaller.class) posing as a MobileIron service. It installs another malicious listener that intercepts form-encoded HTTP requests, decrypts hidden parameters with a hard-coded AES key, builds and executes new classes, and then encrypts and returns the results.
With this malware set, attackers can run arbitrary code on the vulnerable instance, steal data, and take over the compromised system. Organizations should prioritize updating to the latest version of Ivanti EPMM and implementing robust security measures to prevent similar attacks.
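As an added illustration (not code from the CISA report or this article), the following is a small hunt script for the persistence pattern shared by both malware sets: a rogue Java listener dropped into the EPMM web application. It assumes the deployment is an exploded Tomcat webapp with a WEB-INF/web.xml; the allowlist, the sample web.xml, the com.example package and the org/apache/util path are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Loader / listener class names as given in the CISA report summarised above.
REPORTED_CLASS_NAMES = {"ReflectUtil.class", "SecurityHandlerWanListener.class",
                        "WebAndroidAppInstaller.class"}
# Constructed placeholder allowlist; build the real one from a known-good EPMM install.
BASELINE_LISTENERS = {"org.springframework.web.context.ContextLoaderListener"}

def find_reported_classes(webapp_root):
    """Paths of .class files whose file name matches one of the reported names."""
    hits = []
    for dirpath, _dirs, files in os.walk(webapp_root):
        hits += [os.path.join(dirpath, f) for f in files if f in REPORTED_CLASS_NAMES]
    return sorted(hits)

def find_unexpected_listeners(web_xml_path, allowlist=BASELINE_LISTENERS):
    """Listener classes registered in web.xml that are not on the allowlist."""
    unexpected = []
    for el in ET.parse(web_xml_path).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
        if tag == "listener-class" and el.text and el.text.strip() not in allowlist:
            unexpected.append(el.text.strip())
    return unexpected

def hunt(webapp_root, allowlist=BASELINE_LISTENERS):
    """Run both checks over one exploded webapp directory."""
    web_xml = os.path.join(webapp_root, "WEB-INF", "web.xml")
    listeners = find_unexpected_listeners(web_xml, allowlist) if os.path.exists(web_xml) else []
    return {"classes": find_reported_classes(webapp_root), "listeners": listeners}

# Constructed fixture: web.xml with one baseline listener and one rogue registration.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <listener><listener-class>org.springframework.web.context.ContextLoaderListener</listener-class></listener>
  <listener><listener-class>com.example.SecurityHandlerWanListener</listener-class></listener>
</web-app>"""

def build_sample_webapp():
    """Constructed fixture: temp webapp dir holding the sample web.xml and a fake loader class."""
    root = tempfile.mkdtemp(prefix="epmm-hunt-")
    cls_dir = os.path.join(root, "WEB-INF", "classes", "org", "apache", "util")
    os.makedirs(cls_dir)
    with open(os.path.join(root, "WEB-INF", "web.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_WEB_XML)
    with open(os.path.join(cls_dir, "ReflectUtil.class"), "wb") as fh:
        fh.write(b"\xca\xfe\xba\xbe")  # class-file magic only; not a real class
    return root
```

A listener that the loader registers programmatically at runtime never appears in web.xml, so pair this file-based check with the YARA and SIGMA rules CISA published.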
Prioritizing Security
CISA emphasizes the importance of prioritizing security and taking proactive measures to prevent such attacks. The agency has shared YARA and SIGMA rules, along with MITRE ATT&CK techniques, to help organizations detect and respond to these threats effectively.