CISA Warns: New Malware Exploits Ivanti Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about two distinct malware frameworks uncovered within the network of an unnamed organization, following the exploitation of newly disclosed vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The attackers leveraged CVE-2025-4427 and CVE-2025-4428, both actively exploited as zero-days before Ivanti released patches in May 2025.
The first flaw allowed attackers to bypass authentication and reach protected resources, while the second enabled remote code execution. Chained together, they gave an unauthenticated attacker a path to run arbitrary commands on a vulnerable EPMM server. According to CISA, the campaign began around 15 May 2025, shortly after a proof-of-concept exploit was published.
Once inside, the adversaries ran commands to gather system information, upload malicious files, enumerate the root directory, conduct network reconnaissance, launch a script that created a heap dump (a memory image from which in-use secrets can be recovered), and extract LDAP credentials. Two separate sets of malicious files were deployed to the /tmp directory, each designed to maintain persistence by injecting and executing arbitrary code.
In both cases, a JAR file loaded a Java class that acted as a malicious HTTP listener. The listener intercepted specific requests, decrypted the payloads embedded in them, and defined new classes at runtime that were executed directly in memory rather than written to disk.
Notably, ReflectUtil.class was used to manipulate Java objects and inject the SecurityHandlerWanListener component into the Apache Tomcat runtime. This listener intercepted HTTP traffic, decoded and decrypted the data, and then executed dynamically generated classes.
The second component, WebAndroidAppInstaller.class, relied on a hardcoded key to decrypt a password parameter from incoming requests. Using that value, it generated and executed a new class, re-encrypted the result with the same key, and returned it in the response. Because the key is fixed inside the class, an analyst who recovers it can decrypt both the attacker's requests and the listener's replies from captured traffic.
Together, these chains provided a stealthy mechanism for remote code execution, persistent access, and traffic interception, enabling subsequent attack stages focused on data extraction.
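The following is an added hunting example, not code from CISA, Ivanti or the report itself. It walks a directory tree (the /tmp directory named above is the intended target; the path is an assumption passed on the command line), opens every JAR it finds and flags archives containing the class names the report calls out (ReflectUtil, SecurityHandlerWanListener, WebAndroidAppInstaller), and also flags loose .class files, which have no business sitting in /tmp on an appliance. The indicator list comes from the report; the sample archives the script builds when run without arguments are constructed for the demonstration.

```python
"""Hunt for the Ivanti EPMM malware components described in the CISA report.

Added example, not CISA's or Ivanti's code. Indicator class names are the
ones named in the report; the directory to scan and the demo archives are
assumptions/constructed input.
"""
import os
import sys
import tempfile
import zipfile

# Class names taken from the CISA description of the two malware chains.
INDICATOR_CLASSES = {
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}


def suspicious_entries(jar_path):
    """Return the set of entries inside a JAR whose base name matches an indicator."""
    hits = set()
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for name in zf.namelist():
                # Entries are normally package/path/Name.class; compare only the basename.
                if os.path.basename(name) in INDICATOR_CLASSES:
                    hits.add(name)
    except zipfile.BadZipFile:
        pass  # a .jar that is not a valid archive is still reported by the caller
    return hits


def scan_tree(root):
    """Walk root and return a list of (path, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            lower = fname.lower()
            if lower.endswith(".jar"):
                if not zipfile.is_zipfile(path):
                    findings.append((path, "jar is not a valid archive"))
                    continue
                for entry in sorted(suspicious_entries(path)):
                    findings.append((path, f"jar contains {entry}"))
            elif lower.endswith(".class"):
                if fname in INDICATOR_CLASSES:
                    findings.append((path, "known malicious class name"))
                else:
                    # Any loose class file in a scratch directory deserves a look.
                    findings.append((path, "loose class file"))
    return findings


def build_demo_tree():
    """Constructed sample tree: one clean JAR, one JAR carrying the listener, one loose class."""
    root = tempfile.mkdtemp(prefix="epmm-hunt-")
    magic = b"\xca\xfe\xba\xbe"  # Java class file magic; content is a placeholder
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as zf:
        zf.writestr("com/example/Main.class", magic)
    with zipfile.ZipFile(os.path.join(root, "update.jar"), "w") as zf:
        zf.writestr("com/example/Helper.class", magic)
        zf.writestr("com/example/ReflectUtil.class", magic)
        zf.writestr("com/example/SecurityHandlerWanListener.class", magic)
    with open(os.path.join(root, "WebAndroidAppInstaller.class"), "wb") as f:
        f.write(magic)
    return root


if __name__ == "__main__":
    # Usage: python hunt.py /tmp   (no argument runs against the constructed demo tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for path, reason in scan_tree(target):
        print(f"{path}: {reason}")
```

Run it as root on the appliance against /tmp (and any other writable directory Tomcat can reach) after confirming the patch level; a clean result only means these particular names were not found, since the attacker can rename classes, so treat any unexpected JAR or class file in a scratch directory as worth pulling for analysis.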
CISA urges administrators to immediately update all vulnerable Ivanti EPMM instances, strengthen activity monitoring, and restrict access to mobile device management systems to prevent similar compromises in the future.