Redazione RHC : 21 September 2025 08:42
The U.S. Cybersecurity Agency (CISA) has issued an alert regarding two malware kits discovered on the network of an unidentified organization after exploiting new vulnerabilities in the Ivanti Endpoint Manager Mobile (EPMM) mobile device management system.
Attackers exploited the CVE-2025-4427 and CVE-2025-4428 vulnerabilities, both of which were used in zero-day attacks before Ivanti released updates in May 2025.
The first vulnerability allows authentication bypass and access to protected resources, while the second allows remote code execution. Together, they allow the unauthorized execution of arbitrary commands on the vulnerable EPMM server. CISA notes that the attack began around May 15, 2025, shortly after the PoC exploit was published.
The attackers used this access to execute commands that allowed them to gather system information, upload malicious files, list the contents of the root directory, conduct network reconnaissance, execute a script to create a heap dump, and extract LDAP credentials. Two different sets of malicious files were uploaded to the server, both in the /tmp directory, each ensuring persistence by injecting and executing arbitrary code:
In both cases, the JAR file launched a Java class that acted as a malicious HTTP listener. These classes intercepted specific requests, decrypted embedded payloads, and dynamically created a new class that executed directly in memory.
Specifically, the ReflectUtil.class was used to manipulate Java objects and inject a SecurityHandlerWanListener component into the Apache Tomcat runtime. This listener intercepted HTTP requests, decoded and decrypted the data, and then executed the generated class.
The second component (WebAndroidAppInstaller.class) used a hard-coded key to decrypt the password parameter from the request, which was used to generate and execute the new class. The result was then re-encrypted with the same key and sent in the response.
Therefore, both chains provided a hidden capability for remote code execution, persistent presence on the system, and orchestration of subsequent attack stages, including intercepting and processing HTTP traffic for data exfiltration.
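A defender-side triage check for the artefacts described above, as an added example that is not part of the CISA alert or this article: it walks a directory (defaulting to /tmp, where both sets of files were dropped) and reports any JAR whose entries include the class names the alert attributes to the two malware sets. The class names come from the text; the directory default and the decision to surface every JAR found there for review are assumptions of this example.

```python
"""Sweep a directory for JARs carrying the class names from the EPMM alert.

Added example (not CISA's or Ivanti's code). Assumptions: artefacts live in
a directory we can walk, and the class basenames below are the ones to flag.
"""
import os
import zipfile
from typing import Dict, List

# Class file names named in the alert; the path inside the JAR is not known,
# so matching is done on the basename of every archive entry.
SUSPECT_CLASSES = {
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}

def suspect_entries(jar_path: str) -> List[str]:
    """Return the archive entries whose basename matches a suspect class."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return [n for n in zf.namelist()
                    if os.path.basename(n) in SUSPECT_CLASSES]
    except (zipfile.BadZipFile, OSError):
        return []  # unreadable or not a zip: skip it, do not abort the sweep

def scan_directory(root: str = "/tmp") -> Dict[str, List[str]]:
    """Map every .jar/.zip under root to its suspect entries ([] = no hit)."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".zip")):
                path = os.path.join(dirpath, name)
                findings[path] = suspect_entries(path)
    return findings

def build_sample_jar(path: str, entries: List[str]) -> str:
    """Construct a placeholder JAR with the given entry names (fixture only)."""
    with zipfile.ZipFile(path, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # constructed stub body
    return path

if __name__ == "__main__":
    for jar, hits in scan_directory().items():
        verdict = "SUSPECT: " + ", ".join(hits) if hits else "JAR in /tmp, review"
        print(f"{jar}: {verdict}")
```

A hit means the JAR is worth pulling for analysis; an empty result does not clear a host, since the alert describes classes that run only in memory once loaded.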
CISA recommends that administrators immediately update all vulnerable Ivanti EPMM installations to the latest version, strengthen activity monitoring, and restrict access to MDM systems to prevent similar intrusions in the future.