CISA Issues Warning on Malware Campaign Targeting Ivanti Endpoint Manager Mobile Vulnerabilities
The flaws tracked as CVE-2025-4427, an authentication bypass via an alternate path or channel, and CVE-2025-4428, a code injection vulnerability, affect Ivanti EPMM versions 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier. Ivanti patched all of these versions on May 13, 2025.
Threat actors have leveraged these vulnerabilities to gain unauthenticated remote code execution on on-premises EPMM servers.
By targeting the /mifs/rs/api/v2/ API endpoint with specially crafted HTTP GET requests incorporating Java Expression Language (EL) injection, attackers delivered Base64-encoded loader segments.
Each segment was appended to /tmp/web-install.jar via chained requests, evading signature-based defenses and file size restrictions.
Once reconstructed, the loaders deployed two distinct malicious listener sets capable of injecting arbitrary Java classes into Apache Tomcat and processing HTTP requests to execute attacker-supplied payloads.
Analysis reveals that Set 1’s Loader 1 (web-install.jar) embeds and loads a ReflectUtil.class manager. ReflectUtil.class bypasses JDK module restrictions, masquerades within the org.apache.http package, and dynamically injects SecurityHandlerWanListener into Tomcat’s event listener chain.
Upon intercepting HTTP requests with the pass string 7c6a8867d728c3bb, Referer header https://www.live.com, and specific header values, SecurityHandlerWanListener decodes and AES-decrypts Base64-encoded payloads.
The listener then defines new Java classes in memory to run arbitrary code, maintain persistence, and exfiltrate data.
Set 2’s Loader 2 follows a similar architecture, loading WebAndroidAppInstaller.class under the com.mobileiron.service package.
This listener validates requests with application/x-www-form-urlencoded content, retrieves a Base64-encoded password parameter, decrypts it using the hard-coded key 3c6e0b8a9c15224a, and dynamically loads attacker-defined classes.
The listener then AES-encrypts and Base64-encodes the execution output, computes an MD5 hash for integrity, and returns the combined hash and encrypted data in the HTTP response.
CISA’s analysis includes comprehensive YARA and SIGMA rules, enabling organizations to detect loader filenames, MD5 and SHA256 hashes, and specific URL paths and commands associated with the campaign.
The provided SIGMA rule flags abnormal GET requests against /api/v2/*, the presence of JAR and CLASS artifacts in /tmp, and indicators such as evilClassName, Base64 decoding functions, and suspicious runtime commands.
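As an added illustration (not code from CISA's advisory or from this article), the following Python scanner applies the indicators quoted above to web-server access-log lines: EL markers in GET requests under /mifs/rs/api/v2/, the listener pass string, and the https://www.live.com Referer. The combined log format, the field positions, and the sample lines are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Assumption: the EPMM front end writes Apache/Tomcat "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Java EL opener "${", raw or URL-encoded, on the API prefix named in the advisory.
API_PREFIX = "/mifs/rs/api/v2/"
EL_MARKER = re.compile(r"\$\{|%24%7[Bb]")
# Listener indicators quoted in the advisory.
PASS_STRING = "7c6a8867d728c3bb"
LISTENER_REFERER = "https://www.live.com"


def classify(line: str) -> List[str]:
    """Return the detection labels that apply to one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]          # surface lines the regex cannot read
    uri, referer, ua = m["uri"], m["referer"], m["ua"]
    labels = []
    if m["method"] == "GET" and uri.startswith(API_PREFIX) and EL_MARKER.search(uri):
        labels.append("el_injection_attempt")
    # The pass string is checked wherever the log captures it; a full request
    # capture would also check the remaining headers.
    if PASS_STRING in uri or PASS_STRING in referer or PASS_STRING in ua:
        labels.append("listener_pass_string")
    # Weak on its own: an MDM server has no reason to receive traffic referred
    # from live.com, so correlate this with the other labels.
    if referer.rstrip("/") == LISTENER_REFERER:
        labels.append("listener_referer")
    return labels


def scan(log_text: str) -> List[Tuple[int, List[str]]]:
    """Scan a whole log and return (line_number, labels) for flagged lines."""
    return [(n, labels) for n, line in enumerate(log_text.splitlines(), 1)
            if (labels := classify(line))]


# Constructed sample lines (not real traffic): a benign request, an EL probe,
# and a listener-style request carrying the Referer and the pass string.
SAMPLE_LOG = """\
198.51.100.7 - - [14/May/2025:09:00:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [14/May/2025:09:00:07 +0000] "GET /mifs/rs/api/v2/?q=%24%7BCONSTRUCTED%7D HTTP/1.1" 200 88 "-" "curl/8.0"
203.0.113.5 - - [14/May/2025:09:00:09 +0000] "POST /mifs/?pass=7c6a8867d728c3bb HTTP/1.1" 200 1024 "https://www.live.com" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for n, labels in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(labels)}")
```

Pair the log hits with a host-side check for unexpected .jar and .class files under /tmp, as the SIGMA rule does, before declaring a host clean.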
Organizations are urged to upgrade Ivanti EPMM to the latest version immediately, treat MDM systems as high-value assets with enhanced monitoring, and deploy the supplied SIGMA rule to detect this attack proactively.
Incident responders and digital forensics analysts should collect forensic disk images, network logs, and process artifacts for any suspected compromise, then follow CISA’s incident response guidance to contain and remediate affected hosts.
Continuous vigilance and rapid patch management remain critical to thwarting this active threat campaign.
The post CISA Issues Warning on Malware Campaign Targeting Ivanti Endpoint Manager Mobile Vulnerabilities appeared first on Cyber Security News.