
"The cybersecurity agency CISA has shared technical information on malware deployed in attacks targeting two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The flaws, tracked as CVE-2025-4427 (CVSS score of 5.3) and CVE-2025-4428 (CVSS score of 7.2), were disclosed on May 13, after hackers had exploited them in attacks. The exploitation of the two issues intensified several days later, after proof-of-concept (PoC) exploit code was published. By late May, it came to light that a China-linked threat actor tracked as UNC5221 had been abusing them in attacks."
"The security defects, an authentication bypass and a remote code execution (RCE) issue, found in two open source libraries integrated into EPMM, can be chained together for unauthenticated RCE. Now, CISA has shared details, indicators-of-compromise (IoCs), and detection rules for two sets of malware (five files) that were collected from a network compromised through the exploitation of a vulnerable Ivanti EPMM instance. By chaining the bugs, a threat actor accessed the server running EPMM and executed remote commands to collect system information, list the root directory, deploy malicious files, perform network reconnaissance, execute scripts, and dump LDAP credentials."
"The hackers deployed two sets of malware to the temporary directory, each set providing "persistence by allowing the cyber threat actors to inject and run arbitrary code on the compromised server," CISA says. Both sets included a loader and a malicious listener that enabled the attackers to deploy and execute arbitrary code on the compromised server, CISA explains. The malware was deployed in segments, to evade signature-based detection and size limitations. The first set also contained a manager designed to manipulate Java objects to inject the malicious listener in Apache Tomcat (running on the same server). The listener would intercept specific HTTP requests, process them, and decode"
CISA released technical details, indicators of compromise (IoCs), and detection rules for two sets of malware (five files) collected from a network compromised through Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2025-4427 (authentication bypass, CVSS 5.3) and CVE-2025-4428 (remote code execution, CVSS 7.2). Both flaws sit in open-source libraries bundled with EPMM and chain into unauthenticated RCE. Exploitation began before the May 13 disclosure, intensified once proof-of-concept code was published, and was later attributed in part to the China-linked actor UNC5221. After gaining access, the actor ran commands to collect system information, list the root directory, perform network reconnaissance, execute scripts, and dump LDAP credentials. For persistence it staged two malware sets in the temporary directory, each written in segments to evade signature-based detection and size limits; each set pairs a loader with a malicious listener that lets the operators inject and run arbitrary code, and the first set also carries a manager that manipulates Java objects to register that listener inside the co-located Apache Tomcat, where it intercepts specific HTTP requests.
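The segmented drop described above is the part a signature-only scanner misses: no single fragment in the temp directory starts with a recognisable file header, so the payload is only identifiable after reassembly. The following is an added example of that reassembly check, written for this page and not code from CISA or Ivanti. The segment naming scheme (`name.0`, `name.1`, ...), the temp directory layout, and the small magic-number table are assumptions for the demo; CISA's published detection rules are not reproduced here, and a real deployment would use the IoCs from the advisory.

```python
import re
import tempfile
from pathlib import Path

# Constructed magic-number table for the artifact types a Java/Tomcat loader
# would plausibly reassemble (class file, JAR, native helper). Assumption, not
# CISA's rule set.
MAGICS = {
    b"\xca\xfe\xba\xbe": "java-class",
    b"PK\x03\x04": "zip/jar",
    b"\x7fELF": "elf",
}

# Assumed segment naming: <base>.<index>, e.g. web.tmp.0, web.tmp.1 ...
SEGMENT_RE = re.compile(r"^(?P<base>.+?)\.(?P<idx>\d+)$")


def identify(data: bytes):
    """Return the artifact type if `data` starts with a known magic, else None."""
    for magic, kind in MAGICS.items():
        if data.startswith(magic):
            return kind
    return None


def group_segments(directory):
    """Map each base name to its ordered list of segment paths."""
    groups = {}
    for p in Path(directory).iterdir():
        if not p.is_file():
            continue
        m = SEGMENT_RE.match(p.name)
        if m:
            groups.setdefault(m.group("base"), []).append((int(m.group("idx")), p))
    return {base: [p for _, p in sorted(parts)] for base, parts in groups.items()}


def scan(directory):
    """Flag segment groups that look benign individually but form a known
    artifact type once concatenated in index order."""
    findings = []
    for base, parts in group_segments(directory).items():
        per_segment = [identify(p.read_bytes()) for p in parts]
        joined = b"".join(p.read_bytes() for p in parts)
        kind = identify(joined)
        # Only the reassembled blob carries the header: that is the evasion
        # the segmented drop is designed to achieve.
        if kind and not any(per_segment):
            findings.append({
                "base": base,
                "segments": len(parts),
                "kind": kind,
                "size": len(joined),
            })
    return findings


def make_demo_dir():
    """Constructed sample: a fake class file split so that no single segment
    starts with the 4-byte CAFEBABE magic, plus an unrelated benign file."""
    payload = b"\xca\xfe\xba\xbe\x00\x00\x00\x41" + b"A" * 100
    d = Path(tempfile.mkdtemp())
    for i, chunk in enumerate([payload[:2], payload[2:50], payload[50:]]):
        (d / f"web.tmp.{i}").write_bytes(chunk)
    (d / "benign.log").write_bytes(b"nothing here")
    return d


if __name__ == "__main__":
    for f in scan(make_demo_dir()):
        print(f)
```

The check is deliberately order-sensitive: it sorts by the numeric index rather than lexically, so `name.10` follows `name.9`. Point `scan()` at the EPMM temp directory and adjust `SEGMENT_RE` to whatever fragment naming the IoCs describe.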
Read at SecurityWeek