A recent CISA warning has revealed that two new malware strains are actively exploiting a pair of Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities, CVE-2025-4427 and CVE-2025-4428. Ivanti has since released patches, and CISA has added the vulnerabilities to its Known Exploited Vulnerabilities Catalog.
What Happened?
On September 18, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) issued an analysis report detailing the functionality of two malware sets found on an organization’s network. The cyber threat actors had exploited CVE-2025-4427, an authentication bypass vulnerability, and CVE-2025-4428, a remote code execution flaw, to deploy malicious loaders and listeners.
Ivanti had initially disclosed and patched these vulnerabilities back in May 2025, but according to CISA, threat actors began to exploit them around May 15, 2025, after a proof-of-concept (PoC) exploit was made public. By chaining the two vulnerabilities, attackers could gain unauthenticated remote code execution on vulnerable Ivanti EPMM servers.
The compromised server, which manages thousands of mobile devices, essentially became a “gateway” for attackers to perform actions like collecting system information, exfiltrating data, and maintaining persistence within the network.
The Malware Strains
CISA’s analysis identified two sets of malicious files, both of which contained loaders for malicious listeners. The purpose of these listeners is to intercept specific HTTP requests and process them to decode and decrypt payloads, allowing attackers to inject and execute arbitrary code.
- Malware Set 1 includes files such as web-install.jar, ReflectUtil.class, and SecurityHandlerWanListener.class. This strain was designed to inject and manage a malicious listener in Apache Tomcat, intercepting requests with specific header values to execute code.
- Malware Set 2 consists of web-install.jar and WebAndroidAppInstaller.class. This malware operates by looking for requests with a specific content type and using a hard-coded key to decrypt a password parameter, which is then used to define and implement a new class for code execution.
Both malware sets are designed for stealth and persistence, enabling long-term control over a compromised server. They can also be used to steal credentials and facilitate lateral movement within a network.
What You Need to Do
If you use Ivanti EPMM, you must take these steps immediately:
- Patch Your Systems. The most critical action is to apply the security updates released by Ivanti. The patched versions are 11.12.0.5, 12.3.0.2, 12.4.0.2, and 12.5.0.1.
- Hunt for Compromise. Use the indicators of compromise (IOCs), YARA rules, and other detection signatures provided in CISA’s analysis report (AR25-261A) to scan your systems for any signs of the malware.
- Treat MDM as “Crown Jewels.” Because mobile device management (MDM) systems are high-value targets, you should implement enhanced security measures, including network segmentation and stricter monitoring.
- Isolate and Respond. If you find any signs of compromise, immediately isolate the affected systems to prevent further spread, and perform a thorough forensic analysis to determine the scope of the breach.
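As an added defender-side example (not tooling from CISA, Ivanti, or this article), the Python helpers below support the first two steps: a version check against the patched builds listed above, and a filesystem sweep for the file names CISA associates with the two malware sets, reporting a SHA-256 for each hit so it can be compared with the hashes and YARA rules in AR25-261A. The directory tree it scans is constructed for the demo; the real location of the EPMM Tomcat webapps directory is an assumption you must supply, and a filename match alone is a triage lead, not confirmation of compromise.

```python
"""Triage helpers for the Ivanti EPMM advisory: version check and artifact hunt.
Constructed example; not CISA's, Ivanti's, or the article's own code."""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# Patched builds named in the advisory; the first two components identify a branch.
PATCHED_VERSIONS = ["11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1"]

# File names CISA's report (AR25-261A) associates with the two malware sets.
SUSPECT_NAMES = {
    "web-install.jar",
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}


def parse_version(version):
    """Turn '12.4.0.2' into (12, 4, 0, 2) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_patched(version):
    """True if the build is at or above the fixed build for its branch,
    False if it is older, None if the branch is not covered by the advisory."""
    ver = parse_version(version)
    for fixed in PATCHED_VERSIONS:
        fixed_tuple = parse_version(fixed)
        if ver[:2] == fixed_tuple[:2]:
            return ver >= fixed_tuple
    return None


def sha256_of(path):
    """Stream the file through SHA-256 for comparison against published IOC hashes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root):
    """Walk a directory tree (assumed: the Tomcat webapps path of the EPMM install)
    and report files whose name, or whose jar entries, match SUSPECT_NAMES."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            reasons = []
            if name in SUSPECT_NAMES:
                reasons.append("filename")
            if name.endswith(".jar") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as jar:
                    hits = [e for e in jar.namelist() if Path(e).name in SUSPECT_NAMES]
                if hits:
                    reasons.append("jar-entry:" + ",".join(hits))
            if reasons:
                findings.append({"name": name, "path": str(path),
                                 "reasons": reasons, "sha256": sha256_of(path)})
    return findings


def build_sample_tree():
    """Constructed demo tree: one benign jar, one jar carrying suspect class names,
    and one loose suspect class file. Returns the temp root to scan."""
    root = Path(tempfile.mkdtemp(prefix="epmm-demo-"))
    lib = root / "webapps" / "ROOT" / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    with zipfile.ZipFile(lib / "app-normal.jar", "w") as jar:
        jar.writestr("com/example/Ok.class", b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(lib / "web-install.jar", "w") as jar:
        jar.writestr("ReflectUtil.class", b"\xca\xfe\xba\xbe")
        jar.writestr("SecurityHandlerWanListener.class", b"\xca\xfe\xba\xbe")
    (root / "tmp").mkdir()
    (root / "tmp" / "WebAndroidAppInstaller.class").write_bytes(b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    for v in ["12.4.0.1", "12.4.0.2", "12.6.0.0"]:
        print(v, "patched:", is_patched(v))
    for finding in hunt(build_sample_tree()):
        print(finding["path"], finding["reasons"], finding["sha256"])
```

Run it against the real webapps directory instead of the demo tree, and feed every reported SHA-256 into the IOC list from AR25-261A; a version that is_patched reports as None belongs to a branch the advisory does not list and should be checked against Ivanti's own guidance.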
The recurring exploitation of Ivanti products highlights a crucial security lesson: threat actors are consistently targeting centralized management solutions to gain a foothold in enterprise networks. Staying proactive with patching and having a robust incident response plan is more critical than ever.
