CISA Alerts on Malware Targeting Ivanti EPMM Vulnerabilities CVE-2025-4427 and CVE-2025-4428

Published: Sep 19, 2025, by Ravie Lakshmanan (Data Breach / Vulnerability)

CISA Alerts on Recent Malware Discovery Linked to Ivanti Security Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published analysis of two sets of malware recovered from the network of an unnamed organization. The intruders got in by exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), the mobile device management platform, which makes the findings directly relevant to anyone running the product.

Understanding the Malware and Its Impact

According to CISA, each malware set consists of a loader for a malicious listener, and together they let the attackers run arbitrary code on the affected server. The two vulnerabilities exploited to gain access, CVE-2025-4427 and CVE-2025-4428, were abused as zero-days before Ivanti patched them in May 2025.

CVE-2025-4427 is an authentication bypass that lets an attacker reach protected resources without credentials, and CVE-2025-4428 is a remote code execution flaw. Chained together, the two give an unauthenticated attacker arbitrary code execution on the EPMM server.

Timeline of the Attack

The intrusion reportedly began around May 15, 2025, shortly after a proof-of-concept (PoC) exploit was published. Using the exploit chain, the attackers gained access to the EPMM server and issued commands to collect system information and download malicious files. They also listed server directories, mapped the network, created heap dumps, and extracted Lightweight Directory Access Protocol (LDAP) credentials, according to CISA.

Types of Malware Implemented

CISA's investigation found that the attackers dropped two distinct sets of malicious files in the "/tmp" directory of the compromised server. Each set gives the attackers a persistent way to inject and run arbitrary code. The two sets break down as follows:

  • Set 1: Includes ‘web-install.jar’ (Loader 1), ‘ReflectUtil.class,’ and ‘SecurityHandlerWanListener.class’.
  • Set 2: Comprises ‘web-install.jar’ (Loader 2) and ‘WebAndroidAppInstaller.class’.

Both sets follow the same pattern: a loader activates a malicious Java class listener, and that listener intercepts specific HTTP requests, decodes and decrypts the payload they carry, and executes it on the server.

How the Attackers Manipulate the System

According to CISA, 'ReflectUtil.class' manipulates Java objects to inject and manage the malicious listener 'SecurityHandlerWanListener' inside Apache Tomcat. The listener intercepts targeted HTTP requests and processes them to execute the delivered payload. 'WebAndroidAppInstaller.class', by contrast, reads a password parameter from the request, decrypts it with a hard-coded key, uses the result to define and execute a new Java class, then encrypts that class's output with the same key and returns it in the response.
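Because the report names the dropped files and their location, the most immediate thing a defender can do is check whether those artifacts are present. The script below is an added example, not code from CISA or Ivanti: it walks a directory (/tmp by default), flags loose class files and JARs whose names match the ones named above, opens each JAR to look for the named listener and loader classes inside it, and reports a SHA-256 for every hit. The `build_sample_tree` and `demo` helpers create a constructed sample tree of dummy bytes so the scan can be exercised offline; they contain no real malware.

```python
"""Hunt for the EPMM loader/listener artifacts named in the CISA alert (added example)."""
import hashlib
import json
import os
import sys
import tempfile
import zipfile
from pathlib import Path

# Class names CISA lists for the two malware sets.
SUSPECT_CLASSES = {
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}
# Both loaders were dropped under this file name.
SUSPECT_JAR_NAMES = {"web-install.jar"}


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large JARs do not have to be read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def jar_class_entries(path: Path) -> list[str]:
    """Return basenames of .class entries inside a JAR, or [] if it is not a valid zip."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [os.path.basename(n) for n in zf.namelist() if n.endswith(".class")]
    except zipfile.BadZipFile:
        return []


def scan_directory(root: Path) -> list[dict]:
    """Walk `root` recursively and report every file matching a named artifact."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if path.name in SUSPECT_JAR_NAMES:
            reasons.append("file name matches the loader JAR dropped in /tmp")
        if path.name in SUSPECT_CLASSES:
            reasons.append("loose class file matches a named listener/loader class")
        if path.suffix == ".jar":
            hits = sorted(set(jar_class_entries(path)) & SUSPECT_CLASSES)
            if hits:
                reasons.append("JAR contains " + ", ".join(hits))
        if reasons:
            findings.append({
                "name": path.name,
                "path": str(path),
                "sha256": sha256_of(path),
                "reasons": reasons,
            })
    return findings


def build_sample_tree(root: Path) -> None:
    """CONSTRUCTED sample: mimics the drop layout with dummy bytes, not real malware."""
    with zipfile.ZipFile(root / "web-install.jar", "w") as zf:
        zf.writestr("ReflectUtil.class", b"\xca\xfe\xba\xbe dummy")
        zf.writestr("SecurityHandlerWanListener.class", b"\xca\xfe\xba\xbe dummy")
    (root / "lib").mkdir()
    with zipfile.ZipFile(root / "lib" / "commons.jar", "w") as zf:  # benign control
        zf.writestr("org/example/Util.class", b"\xca\xfe\xba\xbe dummy")
    (root / "WebAndroidAppInstaller.class").write_bytes(b"\xca\xfe\xba\xbe dummy")


def demo() -> list[dict]:
    """Run the scanner over the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/tmp")
    for finding in scan_directory(target):
        print(json.dumps(finding))
```

Run it as `python3 hunt_epmm_artifacts.py /tmp` on the appliance (the file name is an assumption). A name match is only a triage signal, since the attackers can rename files at will; the SHA-256 values it prints are there so you can compare hits against the hashes in CISA's malware analysis report, which this page does not reproduce. The benign JAR in the sample tree is there to show that an ordinary library with unrelated classes produces no finding.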

Consequences and Recommendations

Taken together, these components let the attackers inject and execute arbitrary code, carry out follow-on activity, exfiltrate data, and further compromise the server. CISA advises organizations to update EPMM to the latest version, monitor continuously for suspicious activity, and tightly restrict access to mobile device management systems. Patching closes the entry point but does not by itself remove a loader or listener that has already been deployed, so organizations that ran a vulnerable version during the exploitation window should also hunt for the artifacts named above.
