CISA Sounds the Alarm on Ivanti EPMM Exploitation via Malicious Listeners: CVE-2025-4427 & CVE-2025-4428 (CVSS 9.8)
Key Takeaways:
- CISA warns of active exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428.
- Attackers are deploying malicious listeners to achieve remote code execution.
- Mitigation includes immediate upgrading, treating MDM systems as HVAs, and mandating phishing-resistant MFA.
- CISA provides IOCs, YARA rules, and a SIGMA rule for detection and response.
Understanding the Ivanti EPMM Vulnerabilities
/mifs/rs/api/v2/ endpoint. By sending crafted HTTP GET requests that include a malicious ?format= parameter, they can remotely execute commands. This access allows them to collect sensitive system information, download malicious files, list directories, map the network, generate heapdumps, and even extract Lightweight Directory Access Protocol (LDAP) credentials. Such broad access enables a wide range of malicious activities, from data theft to complete system takeover.
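The request pattern described above is visible in ordinary web-server access logs, so the first detection most teams can stand up is a log scan for requests to the reported endpoint prefix that carry an unexpected format parameter. The following Python is an added example written for this post; it is not code from CISA, Ivanti or PurpleOps. The sample log lines are constructed (addresses, timestamps and the path suffix "sample" are invented; only the endpoint prefix and the parameter name come from the advisory), and the allow-list of benign format values is an assumption that should be tuned to what your own legitimate clients send. The same scan also covers the traffic-monitoring advice later in the post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common/combined access log layout as written by Apache httpd or the Tomcat
# AccessLogValve; fields beyond the response size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint prefix that the advisory reports as targeted.
TARGET_PREFIX = "/mifs/rs/api/v2/"

# Assumption: a legitimate format value is a short bare token such as "json".
# Anything else in the format parameter on this endpoint is worth a look.
BENIGN_FORMAT_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")

# Constructed sample lines: addresses, timestamps and the path suffix "sample"
# are made up; only the endpoint prefix and the parameter name come from the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/May/2025:10:15:01 +0000] "GET /mifs/rs/api/v2/sample?format=%3Ctest%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [20/May/2025:10:15:02 +0000] "GET /mifs/rs/api/v2/sample?format=json HTTP/1.1" 200 120',
    '198.51.100.9 - - [20/May/2025:10:15:03 +0000] "GET /other/path?format=%3Ctest%3E HTTP/1.1" 404 0',
    'not a log line',
    '203.0.113.7 - - [20/May/2025:10:15:04 +0000] "GET /mifs/rs/api/v2/sample HTTP/1.1" 401 0',
    '203.0.113.7 - - [20/May/2025:10:15:05 +0000] "GET /mifs/rs/api/v2/sample?format=a%2Fb&x=1 HTTP/1.1" 200 640',
]


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not fit the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so encoded characters are inspected in clear form.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return a finding dict when a request to the targeted endpoint carries an
    unexpected format parameter, otherwise None."""
    if not rec["path"].startswith(TARGET_PREFIX):
        return None
    for value in rec["query"].get("format", []):
        if not BENIGN_FORMAT_RE.match(value):
            return {"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                    "status": rec["status"], "format": value}
    return None


def scan(lines):
    """Run the classifier over an iterable of log lines and collect the findings."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec)
        if hit:
            findings.append(hit)
    return findings


def summarize(findings):
    """Count findings per source address, which is the first pivot for triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} {h['path']} status={h['status']} format={h['format']!r}")
    print("per-source counts:", summarize(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. Note that a 200 response on a flagged request deserves more attention than a 401, since a successful authentication bypass is exactly what the advisory describes; the status code is kept in each finding for that reason.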
Decoding the Malicious Listener Malware
- Set 1: Consisting of Loader 1 (web-install.jar), ReflectUtil.class, and SecurityHandlerWanListener.class.
- Set 2: Comprising Loader 2 (web-install.jar) and WebAndroidAppInstaller.class.
Set 1: The Tomcat Injector
The SecurityHandlerWanListener.class component is designed to intercept specific HTTP requests. Upon interception, it processes these requests to decode and decrypt embedded payloads. This decryption process results in the creation of a new class that threat actors can then execute to run arbitrary code, effectively gaining control of the server.
Set 2: The Web Android App Installer
This set relies on the WebAndroidAppInstaller.class component. Similar to the first set, it intercepts and processes specific HTTP requests. This component retrieves and decrypts password parameters from the request, subsequently defining and loading a new, malicious class. The output of this new class is then encrypted and encoded before generating a response with the encrypted output. This sophisticated process allows the attacker to execute code while attempting to conceal their activity.
Delivery Mechanism: Base64 Encoding
Actionable Mitigation Strategies
- Immediate Upgrading: “Upgrade Ivanti EPMM versions to the latest version as soon as possible.” Keeping software up to date is a fundamental security practice, and in this case, it is critical to patch the vulnerabilities being actively exploited.
- Treat MDM Systems as High-Value Assets (HVAs): “Treat mobile device management (MDM) systems as high-value assets (HVAs) with additional restrictions and monitoring.” MDM systems like Ivanti EPMM should be treated with utmost care. Implement stringent access controls, continuous monitoring, and additional security layers to protect them from unauthorized access and exploitation. This is especially important given the sensitive nature of the data and control they have over mobile devices.
- Mandate Phishing-Resistant Multifactor Authentication (MFA): “Mandate phishing-resistant multifactor authentication (MFA) for all staff and services.” MFA is a crucial security measure that adds an extra layer of protection beyond passwords. Phishing-resistant methods are particularly important to prevent attackers from bypassing MFA through social engineering or other means.
Practical Takeaways and Actionable Advice
For Technical Readers:
- Implement Network Segmentation: Segment your network to limit the lateral movement of attackers. If an Ivanti EPMM server is compromised, ensure that the attacker cannot easily access other critical systems.
- Monitor Network Traffic: Implement deep packet inspection (DPI) to monitor network traffic for malicious patterns and indicators of compromise provided by CISA.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in your Ivanti EPMM deployment.
- Implement a Web Application Firewall (WAF): Use a WAF to filter out malicious HTTP requests targeting the /mifs/rs/api/v2/ endpoint.
- Monitor File Integrity: Use file integrity monitoring (FIM) tools to detect unauthorized changes to critical system files.
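The file integrity point above is worth making concrete, because the malware sets described earlier arrive as files (a loader JAR and compiled classes) dropped into the application tree. The following Python is an added example for this post, not a CISA, Ivanti or PurpleOps tool: it hashes every file under a directory into a baseline, then reports what was added, removed or modified on the next run. The directory layout in the demo is constructed and is not the product's real install path; the only name taken from the advisory is web-install.jar, and its contents here are placeholder bytes.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old, new):
    """Classify files as added, removed or modified between two baselines."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then plant a new JAR and alter an existing one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed layout for the demo, not the product's real install path.
        lib = root / "webapps" / "app" / "WEB-INF" / "lib"
        lib.mkdir(parents=True)
        (lib / "legit.jar").write_bytes(b"original archive contents")
        (root / "conf").mkdir()
        (root / "conf" / "server.xml").write_bytes(b"<Server/>")
        before = build_baseline(root)

        # Simulated tampering: a file named like the loader in the advisory appears,
        # and a shipped archive is overwritten. Contents are placeholder bytes.
        (lib / "web-install.jar").write_bytes(b"placeholder, not real malware")
        (lib / "legit.jar").write_bytes(b"overwritten archive contents")
        after = build_baseline(root)

        return diff_baseline(before, after)


if __name__ == "__main__":
    result = demo()
    for kind in ("added", "modified", "removed"):
        for path in result[kind]:
            print(f"{kind}: {path}")
```

In practice the baseline is taken immediately after a clean install or upgrade and stored off the host (a compromised server can rewrite a local baseline), and the comparison runs on a schedule with any "added" or "modified" entry under the application's library and class directories raised as an alert.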
For Non-Technical Readers:
- Ensure Timely Patching: Verify that your IT department has a process in place for promptly applying security patches to all systems, including Ivanti EPMM.
- Reinforce Security Awareness Training: Educate employees about the importance of strong passwords, recognizing phishing attempts, and reporting suspicious activity.
- Review Access Controls: Ensure that access to Ivanti EPMM is limited to only those employees who require it for their job functions.
- Engage with IT Security: Regularly communicate with your IT security team to understand the current threat landscape and any new security measures that need to be implemented.
How PurpleOps Can Help
- Cyber Threat Intelligence Platform: Leveraging our cyber threat intelligence platform, we provide organizations with up-to-date information on emerging threats, vulnerabilities, and attack patterns, including those targeting Ivanti EPMM.
- Breach Detection: Our breach detection services help identify and respond to security incidents quickly and effectively, minimizing the impact of a successful attack.
- Supply-Chain Risk Monitoring: Our supply-chain risk monitoring services ensure that your vendors and partners are adhering to the highest security standards, reducing the risk of third-party breaches.
- Dark Web Monitoring: We use our dark web monitoring service to detect compromised credentials and other sensitive information that may be used to target your organization.
- Red Team Operations and Penetration Testing: We can simulate real-world attacks to identify vulnerabilities and weaknesses in your security posture, providing actionable recommendations for improvement.
FAQ
Q: What are CVE-2025-4427 and CVE-2025-4428?
A: CVE-2025-4427 is an authentication bypass vulnerability, and CVE-2025-4428 is a code injection vulnerability in Ivanti EPMM, allowing attackers to gain unauthorized access and execute code remotely.
Q: How are attackers exploiting these vulnerabilities?
A: Attackers are targeting the /mifs/rs/api/v2/ endpoint with crafted HTTP GET requests containing a malicious ?format= parameter to execute commands.
Q: What steps should I take to mitigate these vulnerabilities?
A: Upgrade Ivanti EPMM to the latest version, treat MDM systems as high-value assets, and mandate phishing-resistant multifactor authentication for all staff and services.
Q: What are the Indicators of Compromise (IOCs) provided by CISA?
A: CISA provides IOCs, YARA rules, and a SIGMA rule in their report to help security teams detect and respond to malicious activity related to these attacks. Refer to the CISA report for specifics.
Q: How can PurpleOps help protect my organization from these threats?
A: PurpleOps offers a suite of cybersecurity services, including a cyber threat intelligence platform, breach detection, supply-chain risk monitoring, dark web monitoring, and red team operations, to help organizations stay secure against emerging threats. Visit PurpleOps Solutions to learn more.