CISA Sounds the Alarm on Ivanti EPMM Exploitation via Malicious Listeners: CVE-2025-4427 & CVE-2025-4428 (CVSS 9.8)

Key Takeaways:

  • CISA warns of active exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428.
  • Attackers are deploying malicious listeners to achieve remote code execution.
  • Mitigation includes immediate upgrading, treating MDM systems as HVAs, and mandating phishing-resistant MFA.
  • CISA provides IOCs, YARA rules, and a SIGMA rule for detection and response.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a stark warning regarding the active exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). A newly released Malware Analysis Report (MAR) details how threat actors are leveraging CVE-2025-4427 and CVE-2025-4428 (CVSS 9.8) to deploy malicious listeners, achieving remote code execution on compromised servers. This blog post breaks down the report, highlighting the vulnerabilities, the malware involved, and actionable steps for mitigation.

Understanding the Ivanti EPMM Vulnerabilities

CVE-2025-4427 and CVE-2025-4428, the focus of CISA’s alert, are critical flaws that can allow attackers to gain unauthorized access and control over affected systems. These vulnerabilities, classified as an authentication bypass (CWE-288) and code injection (CWE-94) respectively, were initially disclosed by Ivanti in May 2025. Recognizing the severity, CISA promptly added them to its Known Exploited Vulnerabilities Catalog, underscoring the urgency for organizations to address these issues.
The report indicates that attackers are specifically targeting the /mifs/rs/api/v2/ endpoint. By sending crafted HTTP GET requests that include a malicious ?format= parameter, they can remotely execute commands. This access allows them to collect sensitive system information, download malicious files, list directories, map the network, generate heapdumps, and even extract Lightweight Directory Access Protocol (LDAP) credentials. Such broad access enables a wide range of malicious activities, from data theft to complete system takeover.

Decoding the Malicious Listener Malware

CISA’s analysis identified two distinct sets of malware being deployed in these attacks:
  • Set 1: Consisting of Loader 1 (web-install.jar), ReflectUtil.class, and SecurityHandlerWanListener.class.
  • Set 2: Comprising Loader 2 (web-install.jar) and WebAndroidAppInstaller.class.
Both sets are designed to enable persistence on compromised systems and facilitate the execution of arbitrary code. The loaders share the same name but have different functionalities.

Set 1: The Tomcat Injector

The first malware set functions by injecting a malicious listener directly into Apache Tomcat. The SecurityHandlerWanListener.class component is designed to intercept specific HTTP requests. Upon interception, it processes these requests to decode and decrypt embedded payloads. This decryption process results in the creation of a new class that threat actors can then execute to run arbitrary code, effectively gaining control of the server.

Set 2: The Web Android App Installer

The second malware set operates through the WebAndroidAppInstaller.class component. Like the first set, it intercepts and processes specific HTTP requests. This component retrieves and decrypts password parameters from the request, then defines and loads a new, malicious class. The output of that class is encrypted and encoded before being returned in the HTTP response. This process lets the attacker execute code while concealing both the command and its result from casual inspection of the traffic.

Delivery Mechanism: Base64 Encoding

A key aspect of these attacks is the delivery method of the malware. Attackers are delivering the malware in Base64-encoded segments. This approach is used for defense evasion, allowing the malware to bypass signature-based detection mechanisms and circumvent size limitations that might otherwise prevent the full payload from being delivered.
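The two observations above (crafted GET requests to the /mifs/rs/api/v2/ endpoint with a ?format= parameter, and payloads arriving as Base64-encoded segments) can be turned into a first-pass log triage. The following is an added example written for this post; it is not code from CISA's report, not CISA's SIGMA rule, and not a PurpleOps tool. It assumes Apache/Tomcat-style combined access logs, that the segments travel in query parameters (the report does not say where they are carried), and two heuristics of my own: a legitimate format selector is a short plain token, and no parameter on that API should carry a long Base64-looking value. The sub-paths and IP addresses in the sample lines are constructed. CISA's IOCs and SIGMA rule remain the authoritative detection; this only narrows down what to look at.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Endpoint named in CISA's report; the request shape (GET with ?format=) is also from the report.
ENDPOINT_PREFIX = "/mifs/rs/api/v2/"

# Heuristics assumed for this example, not taken from CISA's IOCs or SIGMA rule:
# a legitimate format selector should be a short plain token ...
SAFE_FORMAT_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
# ... and no query parameter on this API should carry a long Base64-looking blob
# (the report says the malware is delivered in Base64-encoded segments).
BASE64_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")

# Combined/common access-log format as written by Apache httpd or Tomcat's AccessLogValve.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (RFC 5737 addresses, invented sub-paths), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/demo?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Aug/2025:10:01:09 +0000] "GET /mifs/rs/api/v2/demo?format=json%3Bid%3D1 HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.7 - - [20/Aug/2025:10:01:15 +0000] "GET /mifs/rs/api/v2/demo?format=xml&chunk=Q29uc3RydWN0ZWRTYW1wbGVDaHVua05vdFJlYWxNYWx3YXJlMDAwMDAwMDAw HTTP/1.1" 200 0 "-" "curl/8.0"
192.0.2.9 - - [20/Aug/2025:10:02:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def analyze_request(target: str) -> list:
    """Return a list of human-readable findings for one request target, empty if nothing stands out."""
    parts = urlsplit(target)
    if not parts.path.startswith(ENDPOINT_PREFIX):
        return []
    findings = []
    # parse_qsl percent-decodes values, so encoded punctuation is inspected in its decoded form.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "format" and not SAFE_FORMAT_RE.match(value):
            findings.append("format parameter is not a simple token: %r" % value)
        if BASE64_BLOB_RE.match(value):
            findings.append("parameter %r carries a long Base64-looking value (%d chars)" % (name, len(value)))
    return findings


def scan_log(text: str) -> list:
    """Parse access-log text and return one alert dict per line that triggers a finding."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production tool would count these
        findings = analyze_request(m["target"])
        if findings:
            alerts.append({
                "line": lineno,
                "src": m["src"],
                "method": m["method"],
                "status": m["status"],
                "target": m["target"],
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("line %(line)d %(src)s %(method)s %(target)s -> %(status)s" % alert)
        for f in alert["findings"]:
            print("    " + f)
```

Run it against a real log with `scan_log(open("access.log").read())`. Response status is carried in each alert because a burst of 500s from one source against this endpoint is worth a look on its own, even when the parameters pass both heuristics.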

Actionable Mitigation Strategies

CISA’s report provides clear and actionable recommendations for organizations to mitigate the risks associated with these vulnerabilities:
  1. Immediate Upgrading: “Upgrade Ivanti EPMM versions to the latest version as soon as possible.” Keeping software up to date is a fundamental security practice, and in this case, it is critical to patch the vulnerabilities being actively exploited.
  2. Treat MDM Systems as High-Value Assets (HVAs): “Treat mobile device management (MDM) systems as high-value assets (HVAs) with additional restrictions and monitoring.” MDM systems like Ivanti EPMM should be treated with utmost care. Implement stringent access controls, continuous monitoring, and additional security layers to protect them from unauthorized access and exploitation. This is especially important given the sensitive nature of the data and control they have over mobile devices.
  3. Mandate Phishing-Resistant Multifactor Authentication (MFA): “Mandate phishing-resistant multifactor authentication (MFA) for all staff and services.” MFA is a crucial security measure that adds an extra layer of protection beyond passwords. Phishing-resistant methods are particularly important to prevent attackers from bypassing MFA through social engineering or other means.
CISA also provides Indicators of Compromise (IOCs), YARA rules, and a SIGMA rule within its report. Security teams can use these tools to proactively detect and respond to malicious activity related to these attacks.

Practical Takeaways and Actionable Advice

For Technical Readers:

  • Implement Network Segmentation: Segment your network to limit the lateral movement of attackers. If an Ivanti EPMM server is compromised, ensure that the attacker cannot easily access other critical systems.
  • Monitor Network Traffic: Implement deep packet inspection (DPI) to monitor network traffic for malicious patterns and indicators of compromise provided by CISA.
  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in your Ivanti EPMM deployment.
  • Implement a Web Application Firewall (WAF): Use a WAF to filter out malicious HTTP requests targeting the /mifs/rs/api/v2/ endpoint.
  • Monitor File Integrity: Use file integrity monitoring (FIM) tools to detect unauthorized changes to critical system files.
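The file integrity monitoring item above, together with the file names CISA lists for the two malware sets (web-install.jar, ReflectUtil.class, SecurityHandlerWanListener.class, WebAndroidAppInstaller.class), can be demonstrated with a small baseline-and-compare script. This is an added example for this post, not code from CISA's report or a PurpleOps product. It assumes a Tomcat-like directory layout (constructed in a temporary directory) and watches only .jar and .class files, because both malware sets persist as a loader JAR plus classes. The hashes it computes are for comparison against the IOC list in CISA's report, which this page does not reproduce; a name match alone is a lead, not a verdict.

```python
import hashlib
import tempfile
from pathlib import Path

# File names listed in CISA's report for the two malware sets.
IOC_FILENAMES = {
    "web-install.jar",
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}
# Baseline scope (assumption): deployable Java artefacts, since both sets persist as a loader JAR and classes.
WATCH_SUFFIXES = {".jar", ".class"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large JARs do not have to be read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every watched file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCH_SUFFIXES
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: files that appeared, disappeared, or changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def ioc_matches(root: Path) -> list:
    """(relative path, sha256) for every file whose name matches a reported IOC file name."""
    return sorted(
        (p.relative_to(root).as_posix(), sha256_of(p))
        for p in root.rglob("*")
        if p.is_file() and p.name in IOC_FILENAMES
    )


def run_demo() -> dict:
    """Build a constructed Tomcat-like tree, take a baseline, apply changes, and report them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lib = root / "webapps" / "mifs" / "WEB-INF" / "lib"  # assumed layout, not Ivanti's documented one
        lib.mkdir(parents=True)
        (lib / "app.jar").write_bytes(b"constructed baseline jar contents")
        baseline = snapshot(root)

        # Changes a FIM run should surface (constructed placeholder bytes, not malware):
        (lib / "app.jar").write_bytes(b"constructed modified jar contents")
        classes = root / "webapps" / "mifs" / "WEB-INF" / "classes"
        classes.mkdir(parents=True)
        (classes / "SecurityHandlerWanListener.class").write_bytes(b"placeholder")
        (root / "tmp").mkdir()
        (root / "tmp" / "web-install.jar").write_bytes(b"placeholder")

        diff = compare(baseline, snapshot(root))
        return {
            "diff": diff,
            "ioc_names": sorted(Path(p).name for p, _ in ioc_matches(root)),
        }


if __name__ == "__main__":
    result = run_demo()
    for kind in ("added", "changed", "removed"):
        for rel in result["diff"][kind]:
            print("%-8s %s" % (kind, rel))
    print("IOC file-name matches:", ", ".join(result["ioc_names"]) or "none")
```

In real use, take the baseline right after a clean install or upgrade, store it off the host (a compromised server can rewrite its own manifest), and run `compare` on a schedule; an added .jar or .class outside a deployment window is the signal the Tomcat injector in Set 1 would produce.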

For Non-Technical Readers:

  • Ensure Timely Patching: Verify that your IT department has a process in place for promptly applying security patches to all systems, including Ivanti EPMM.
  • Reinforce Security Awareness Training: Educate employees about the importance of strong passwords, recognizing phishing attempts, and reporting suspicious activity.
  • Review Access Controls: Ensure that access to Ivanti EPMM is limited to only those employees who require it for their job functions.
  • Engage with IT Security: Regularly communicate with your IT security team to understand the current threat landscape and any new security measures that need to be implemented.

How PurpleOps Can Help

At PurpleOps, we understand the challenges organizations face in staying ahead of emerging cyber threats. Our suite of cybersecurity services is designed to provide comprehensive protection, including:
  • Cyber Threat Intelligence Platform: Leveraging our cyber threat intelligence platform, we provide organizations with up-to-date information on emerging threats, vulnerabilities, and attack patterns, including those targeting Ivanti EPMM.
  • Breach Detection: Our breach detection services help identify and respond to security incidents quickly and effectively, minimizing the impact of a successful attack.
  • Supply-Chain Risk Monitoring: Our supply-chain risk monitoring services ensure that your vendors and partners are adhering to the highest security standards, reducing the risk of third-party breaches.
  • Dark Web Monitoring: We use our dark web monitoring service to detect compromised credentials and other sensitive information that may be used to target your organization.
  • Red Team Operations and Penetration Testing: We can simulate real-world attacks to identify vulnerabilities and weaknesses in your security posture, providing actionable recommendations for improvement.
The exploitation of Ivanti EPMM vulnerabilities highlights the importance of proactive cybersecurity measures. By staying informed, implementing timely patches, and adopting a defense-in-depth approach, organizations can significantly reduce their risk of falling victim to these types of attacks.
Is your organization protected against the latest cyber threats? Contact us today at PurpleOps Solutions to learn more about how our cybersecurity services can help you stay secure.

FAQ

Q: What are CVE-2025-4427 and CVE-2025-4428?

A: CVE-2025-4427 is an authentication bypass vulnerability, and CVE-2025-4428 is a code injection vulnerability in Ivanti EPMM, allowing attackers to gain unauthorized access and execute code remotely.

Q: How are attackers exploiting these vulnerabilities?

A: Attackers are targeting the /mifs/rs/api/v2/ endpoint with crafted HTTP GET requests containing a malicious ?format= parameter to execute commands.

Q: What steps should I take to mitigate these vulnerabilities?

A: Upgrade Ivanti EPMM to the latest version, treat MDM systems as high-value assets, and mandate phishing-resistant multifactor authentication for all staff and services.

Q: What are the Indicators of Compromise (IOCs) provided by CISA?

A: CISA provides IOCs, YARA rules, and a SIGMA rule in their report to help security teams detect and respond to malicious activity related to these attacks. Refer to the CISA report for specifics.

Q: How can PurpleOps help protect my organization from these threats?

A: PurpleOps offers a suite of cybersecurity services, including a cyber threat intelligence platform, breach detection, supply-chain risk monitoring, dark web monitoring, and red team operations, to help organizations stay secure against emerging threats. Visit PurpleOps Solutions to learn more.