CISA Warns of New Malware Strains Exploiting Ivanti EPMM Flaws

CISA warns of two new malware strains exploiting Ivanti EPMM vulnerabilities (CVE-2025-4427/4428). Learn how they work and how to defend your systems.

Threat Overview

CISA warns of two new malware families that emerged after attackers exploited critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) systems. These threats target the mobile device management (MDM) platform and let attackers run code on corporate servers. The exploited bugs (CVE-2025-4427, an authentication bypass, and CVE-2025-4428, a remote code execution flaw) were patched by Ivanti in May 2025. Adversaries chained the two flaws by mid-May 2025, shortly after a public exploit appeared, giving them control of the EPMM server without credentials. This rapid exploitation underscores the need for prompt patching and robust MDM security.

Malware Strains

Forensic teams found two sets of malicious Java files on the compromised EPMM server. Each set used a web-install.jar loader to launch a hidden listener:

  • Set 1 (ReflectUtil): Includes ReflectUtil.class and SecurityHandlerWanListener. ReflectUtil injects the listener into Tomcat to intercept HTTP requests and decrypt payloads.
  • Set 2 (WebAndroid): Includes WebAndroidAppInstaller. This class retrieves an encrypted command from HTTP requests, decrypts it with a hardcoded key, and then creates and runs a new Java class on the server.

Both backdoors let attackers run arbitrary code on the system and exfiltrate data via crafted HTTP requests.

Mitigation and Best Practices

CISA emphasizes urgent patching and monitoring. Key recommendations include:

  • Apply Patches: Update Ivanti EPMM to the latest version to fix CVE-2025-4427/4428.
  • Monitor Logs: Watch for unusual activity (unexpected JARs or strange network requests).
  • Restrict Access: Treat MDM as high-value. Limit admin privileges, segment the network, and enforce strict access controls.
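One way to put the "unexpected JARs" check into practice, as an added example (not CISA's or Ivanti's tooling): compare the Java artifacts on the server against a known-good baseline and flag anything outside it, surfacing first the file names the advisory ties to the two malware sets. The directory layout, baseline and sample bytes are constructed assumptions.

```python
"""Baseline check for unexpected Java artifacts on an EPMM-style host (added
example, not CISA's or Ivanti's tooling). Assumes a baseline manifest of
relative path -> sha256 for a clean install; all paths below are constructed."""
import hashlib
from pathlib import Path

# Names the advisory ties to the two malware sets (web-install.jar loader plus
# the classes in each set); matched on file name or stem.
KNOWN_INDICATOR_NAMES = {"web-install.jar", "ReflectUtil",
                         "SecurityHandlerWanListener", "WebAndroidAppInstaller"}
JAVA_SUFFIXES = (".jar", ".class")

def classify(rel_path, digest, baseline):
    """Return None for a baseline match, otherwise why the file needs review."""
    if baseline.get(rel_path) == digest:
        return None
    p = Path(rel_path)
    if p.name in KNOWN_INDICATOR_NAMES or p.stem in KNOWN_INDICATOR_NAMES:
        return "known_indicator"  # name from the advisory: triage first
    return "modified" if rel_path in baseline else "unexpected"

def scan_listing(files, baseline):
    """files maps relative path -> bytes. Returns findings, indicators first."""
    findings = []
    for rel, data in files.items():
        if not rel.lower().endswith(JAVA_SUFFIXES):
            continue  # only Java artifacts are in scope for this check
        reason = classify(rel, hashlib.sha256(data).hexdigest(), baseline)
        if reason:
            findings.append({"path": rel, "reason": reason})
    findings.sort(key=lambda f: (f["reason"] != "known_indicator", f["path"]))
    return findings

def scan_directory(root, baseline):
    """Walk a real install directory and run the same check on its files."""
    root = Path(root)
    return scan_listing({p.relative_to(root).as_posix(): p.read_bytes()
                         for p in root.rglob("*") if p.is_file()}, baseline)

# Constructed sample: clean baseline, a tampered JAR, and the loader dropped in.
SAMPLE_FILES = {"lib/core.jar": b"core-bytes", "lib/auth.jar": b"auth-tampered",
                "webapps/app/WEB-INF/web-install.jar": b"dropped-loader",
                "webapps/app/WEB-INF/classes/ReflectUtil.class": b"dropped-class",
                "conf/server.xml": b"<Server/>"}  # not a Java artifact, ignored
SAMPLE_BASELINE = {"lib/core.jar": hashlib.sha256(b"core-bytes").hexdigest(),
                   "lib/auth.jar": hashlib.sha256(b"auth-original").hexdigest()}

if __name__ == "__main__":
    for f in scan_listing(SAMPLE_FILES, SAMPLE_BASELINE):
        print(f"{f['reason']:16} {f['path']}")
```

Run it against a live install with `scan_directory("/path/to/epmm", baseline)` after generating the baseline from a freshly patched, known-clean system; a hit on a name from the advisory should trigger incident response rather than just cleanup.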

Conclusion

These incidents underline how quickly threat actors exploit new vulnerabilities. Organizations using Ivanti EPMM must act swiftly: apply patches, monitor systems, and lock down MDM access. In cybersecurity, proactive defense — timely updates and strict access controls — is the best protection against evolving malware.
