The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).
The flaws are an authentication bypass in EPMM’s API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that allows execution of arbitrary code.
The two vulnerabilities affect Ivanti EPMM versions 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0, along with the earlier releases in each of those branches.
Ivanti addressed the issues on May 13, but threat actors had already been exploiting them as zero days in attacks against “a very limited number of customers.”
About a week later, threat intelligence platform EclecticIQ reported with high confidence that a China-nexus espionage group had been leveraging the two vulnerabilities since at least May 15.
The researchers said that the China-linked threat actor has deep knowledge of Ivanti EPMM's internal architecture and is capable of repurposing system components to exfiltrate data.
CISA’s report, though, does not make any attribution and focuses only on the technical details of malicious files obtained from an organization attacked by threat actors using an exploit chain for CVE-2025-4427 and CVE-2025-4428.
Split malware delivery
The U.S. agency analyzed two sets of malware, consisting of five files, that the hackers used to gain initial access to on-premises Ivanti EPMM systems.
“The cyber threat actors targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands,” CISA says.
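A defender-side check for the activity CISA describes, added here as an example and not taken from CISA's report or from Ivanti: it parses constructed web-server log lines and flags GET requests to /mifs/rs/api/v2/ whose format parameter is not one of the values a normal client would send. The log format, the allowlist of benign format values, the sub-resource path and the sample lines are all assumptions.

```python
"""Flag web-server log lines that hit the Ivanti EPMM /mifs/rs/api/v2/ endpoint
with an unexpected ?format= value.  Added example; the log format and the
allowlist of benign values are assumptions, not Ivanti or CISA specifications."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed combined log format: src - - [timestamp] "METHOD TARGET PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Values a legitimate client is assumed to pass; anything else is treated as suspect.
BENIGN_FORMATS = {"json", "xml"}
# A format selector should never need anything beyond these characters.
SUSPECT_CHARS = re.compile(r"[^A-Za-z0-9_\-]")

def inspect_request(target):
    """Return (is_suspicious, reason) for one request target (path + query)."""
    parts = urlsplit(target)
    if not parts.path.startswith("/mifs/rs/api/v2/"):
        return False, "other endpoint"
    params = parse_qs(parts.query, keep_blank_values=True)
    if "format" not in params:
        return False, "no format parameter"
    for raw in params["format"]:
        value = unquote(raw)  # second decode catches double-encoded values
        if value.lower() in BENIGN_FORMATS and not SUSPECT_CHARS.search(value):
            continue
        return True, f"unexpected format value {value!r}"
    return False, "benign format value"

def scan_log(lines):
    """Yield (source_ip, timestamp, reason) for every suspicious GET request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":  # the described activity used HTTP GET
            continue
        hit, reason = inspect_request(m["target"])
        if hit:
            yield m["src"], m["ts"], reason

# Constructed sample log lines (not real traffic); "example" is a placeholder resource.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/example?format=json HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/May/2025:10:01:09 +0000] "GET /mifs/rs/api/v2/example?format=json(1)%27x HTTP/1.1" 500 0',
    '198.51.100.4 - - [15/May/2025:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, ts, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {src}: {reason}")
```

Any hit is a trigger for pulling the full request body and the EPMM system logs for that source, not a verdict on its own, since the allowlist is an assumption about normal client behaviour.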