CISA Warns of Malicious Listener Malware Exploiting Ivanti Endpoint Manager Mobile

The Cybersecurity and Infrastructure Security Agency (CISA) has published a new Malware Analysis Report (MAR) detailing how threat actors are exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to deploy malicious listeners and execute arbitrary code on compromised servers.

According to the report, “CISA obtained two sets of malware from an organization compromised by cyber threat actors exploiting CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (Ivanti EPMM).”

These flaws, classified as an authentication bypass (CWE-288) and code injection (CWE-94), were disclosed by Ivanti on May 13, 2025, and added to CISA’s Known Exploited Vulnerabilities Catalog shortly after.

The agency warns that attackers targeted the /mifs/rs/api/v2/ endpoint using crafted HTTP GET requests with the ?format= parameter to issue remote commands. This allowed them to “collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump Lightweight Directory Access Protocol (LDAP) credentials.”
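As an added illustration that is not part of the CISA report or this article, the Python sketch below scans constructed Tomcat-style access-log lines for the request pattern described above: GET requests under /mifs/rs/api/v2/ that carry a format parameter whose value is not a short plain token. The allowlist heuristic, the log format and the sample sub-paths are assumptions; the SIGMA and YARA rules in CISA's MAR are the authoritative detections.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Tomcat/Apache access-log layout (assumed):
#   client ident user [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

TARGET_PREFIX = "/mifs/rs/api/v2/"   # endpoint named in the CISA report
# Heuristic (an assumption, not from the report): legitimate values of the
# format parameter are short plain tokens such as json or xml.
BENIGN_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

def parse_line(line):
    """Split one access-log line into fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def is_suspicious(rec):
    """GET to the API prefix with a format value outside the allowlist."""
    if rec is None or rec["method"] != "GET":
        return False
    if not rec["path"].startswith(TARGET_PREFIX):
        return False
    values = rec["query"].get("format")
    if not values:
        return False
    return any(not BENIGN_VALUE.match(v) for v in values)

def scan(lines):
    """Return the parsed records that trip the heuristic."""
    return [r for r in (parse_line(l) for l in lines) if is_suspicious(r)]

# Constructed sample log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '198.51.100.4 - - [20/Sep/2025:10:15:01 +0000] "GET /mifs/rs/api/v2/devices?format=json HTTP/1.1" 200 512',
    '198.51.100.4 - - [20/Sep/2025:10:15:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048',
    '203.0.113.7 - - [20/Sep/2025:10:16:40 +0000] "GET /mifs/rs/api/v2/devices?format=%28%29%7Bx%7D HTTP/1.1" 200 97',
    '203.0.113.7 - - [20/Sep/2025:10:16:41 +0000] "POST /mifs/rs/api/v2/devices HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["ts"], rec["ip"], rec["target"])
```

Only the third constructed line is reported: it is a GET under the API prefix whose decoded format value, `(){x}`, contains characters outside the allowlist.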

CISA identified two distinct malware sets:

  • Set 1: Loader 1 (web-install.jar), ReflectUtil.class, and SecurityHandlerWanListener.class.
  • Set 2: Loader 2 (web-install.jar) and WebAndroidAppInstaller.class.

Both sets enable attackers to persist on the system and run arbitrary code.

The first loader injects a malicious listener into Apache Tomcat. “SecurityHandlerWanListener.class intercepts specific HTTP requests and processes them to decode and decrypt payloads, which create a new class that cyber threat actors can execute to run arbitrary code.”

The second malware set is equally dangerous. “WebAndroidAppInstaller.class intercepts and processes specific HTTP requests, retrieves and decrypts password parameters from the request, defines and loads a new malicious class, encrypts and encodes the new class output, and generates a response with the encrypted output.”

Both variants provide adversaries with code execution, data exfiltration, and persistence.

The malware was delivered in Base64-encoded chunks to evade detection. As CISA explains, “The cyber threat actors delivered this malware in segments, splitting Loader 1 and 2 into multiple Base64-encoded segments… This technique is used for defense evasion—it enables the malware to evade signature-based detection and size limitations.”

CISA urges organizations to take immediate action:

  • “Upgrade Ivanti EPMM versions to the latest version as soon as possible.”
  • “Treat mobile device management (MDM) systems as high-value assets (HVAs) with additional restrictions and monitoring.”
  • “Mandate phishing-resistant multifactor authentication (MFA) for all staff and services.”

The report includes Indicators of Compromise (IOCs), YARA rules, and a SIGMA rule to help defenders detect malicious activity.
