CISA Issues Warning on Vulnerabilities in Ivanti Endpoint Manager Mobile
The Cybersecurity and Infrastructure Security Agency (CISA) has published technical details on malware associated with significant vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). These weaknesses have raised alarm among security practitioners because they have already been exploited in a number of attacks.
Overview of the Vulnerabilities
The identified vulnerabilities, specifically CVE-2025-4427 and CVE-2025-4428, were disclosed on May 13. These flaws received CVSS scores of 5.3 and 7.2, respectively, indicating a moderate to high level of severity. Following their discovery, instances of exploitation increased, particularly after proof-of-concept (PoC) exploit code became publicly available. By late May, a China-linked threat actor known as UNC5221 was reported to be utilizing these vulnerabilities for malicious purposes.
Nature of the Security Flaws
The security flaws are an authentication bypass and a remote code execution (RCE) vulnerability, both located in open-source libraries integrated into Ivanti EPMM. Chained together, they provide a path to unauthenticated remote code execution: an attacker could take control of a system running the affected software without holding valid credentials.
Malware Deployment and Capabilities
CISA has detailed its findings on two sets of malware linked to the exploitation of EPMM. Together the two sets comprise five files recovered from compromised networks. Using the vulnerabilities, attackers gained access to the EPMM server and were able to execute commands remotely. This enabled a range of malicious activity, including gathering system information, listing root directories, dropping additional files, conducting network reconnaissance, executing scripts, and dumping LDAP credentials.
Both sets of malware were designed to ensure persistence on the compromised systems by enabling the threat actors to inject and execute arbitrary code. CISA points out that the malware was deployed in segments, specifically organized to avoid detection by signature-based security systems and to work around size limitations.
Technical Details of the Malware
The first set of malware included a manager component that manipulated Java objects to inject a malicious listener into the Apache Tomcat server running alongside EPMM. The listener intercepted specific HTTP requests, processed them, and decoded their payloads in order to build and execute new classes dynamically.
Similarly, the second malware set also featured a malicious listener capable of retrieving and decrypting password parameters from targeted HTTP requests. This component was responsible for defining and loading new malicious classes, encoding the output, and generating responses based on the results.
Recommended Actions for Organizations
In response, CISA strongly advises organizations running Ivanti EPMM to update to a patched version without delay. The fixed versions are 11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1, or any newer release that addresses the vulnerabilities.
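A quick way to turn the patch guidance above into an inventory check is to compare each EPMM server's reported version against the minimum fixed build for its release branch. The script below is an added example, not code from CISA or Ivanti; the host inventory is constructed for illustration, and the treatment of branches newer than 12.5 as "newer-branch" (to be verified against Ivanti's own release notes rather than assumed safe) is this example's assumption.

```python
from typing import Dict, List, Tuple

# Minimum fixed version per release branch, taken from the advisory summary above.
# Keyed by the branch (first two version components).
PATCHED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}

# Constructed sample inventory (hostname, reported EPMM version); not real hosts.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("mdm-01.example.test", "12.5.0.1"),
    ("mdm-02.example.test", "12.4.0.1"),
    ("mdm-03.example.test", "11.12.0.4"),
    ("mdm-04.example.test", "12.2.0.3"),
    ("mdm-05.example.test", "12.6.0.0"),
]


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'a.b.c.d' (fewer components are zero-padded) into a 4-tuple.

    Raises ValueError on non-numeric or over-long input so that a garbled
    inventory entry fails loudly instead of being silently marked patched.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def assess(version: str) -> str:
    """Classify a single EPMM version string.

    Returns 'patched', 'vulnerable', 'no-fix-listed' (a branch older than any
    listed fix) or 'newer-branch' (a branch newer than 12.5; assumption: verify
    against vendor release notes rather than treating it as safe automatically).
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in PATCHED_VERSIONS:
        return "patched" if v >= PATCHED_VERSIONS[branch] else "vulnerable"
    if branch > max(PATCHED_VERSIONS):
        return "newer-branch"
    return "no-fix-listed"


def audit(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hosts by assessment so the ones needing action are easy to pull out."""
    report: Dict[str, List[str]] = {}
    for host, version in inventory:
        report.setdefault(assess(version), []).append(host)
    return report


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts that are not on a listed fixed build: vulnerable or on an unfixed branch."""
    report = audit(inventory)
    return sorted(report.get("vulnerable", []) + report.get("no-fix-listed", []))


if __name__ == "__main__":
    for status, hosts in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{status:14s} {', '.join(hosts)}")
```

Feed `audit()` the version strings your MDM inventory or CMDB reports; anything in the `vulnerable` or `no-fix-listed` buckets should be scheduled for an upgrade, and `newer-branch` entries should be confirmed against the vendor's release notes.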
CISA also underscores the importance of placing additional restrictions on, and monitoring of, mobile device management (MDM) systems. Organizations should consistently follow established cybersecurity best practices to strengthen their defenses against similar threats.
Conclusion
As more details emerge about the exploitation of these vulnerabilities, it’s crucial for organizations to act swiftly to protect their networks and data. Regular updates and vigilant monitoring of cybersecurity practices are essential in today’s rapidly evolving threat landscape. Organizations must remain proactive to mitigate risks and defend against potential cyber threats.