CISA Alerts of Hackers Targeting Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428)
Estimated reading time: 15 minutes
Key Takeaways:
- CISA warns of active exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428.
- Attackers deploy sophisticated malware loaders for arbitrary code execution and data exfiltration.
- Immediate patching, network segmentation, and enhanced monitoring are crucial mitigation strategies.
- Fortra GoAnywhere MFT (CVE-2025-10035) and Microsoft Entra ID (CVE-2025-55241) vulnerabilities also pose significant risks.
- PurpleOps offers solutions to enhance cybersecurity posture and protect against these threats.
Table of Contents:
- CISA Alerts of Hackers Targeting Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428)
- Weaponized Ivanti EPMM Vulnerabilities: CVE-2025-4427 and CVE-2025-4428
- Technical Deep Dive: Malware and Exploitation
- Loader 1
- Loader 2
- Attack Vector
- Indicators of Compromise (IOCs)
- Mitigation Strategies
- Fortra GoAnywhere MFT Vulnerability: CVE-2025-10035
- Microsoft Entra ID Flaw: CVE-2025-55241
- Actionable Advice for Technical and Non-Technical Readers
- How PurpleOps Can Help
- Explore PurpleOps Services Today
- FAQ
Cybersecurity remains a critical concern for organizations of all sizes. The latest alert from the Cybersecurity and Infrastructure Security Agency (CISA) highlights the active exploitation of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). This blog post details the vulnerabilities, the malware being deployed, and the recommended mitigations, providing actionable insights for technical and non-technical readers. The issues addressed involve CVE-2025-4427 and CVE-2025-4428.
Weaponized Ivanti EPMM Vulnerabilities: CVE-2025-4427 and CVE-2025-4428
CISA has issued an alert regarding the exploitation of two vulnerabilities in Ivanti EPMM: CVE-2025-4427, an authentication bypass, and CVE-2025-4428, a remote code execution flaw. Chained together they give an unauthenticated attacker code execution on the appliance, and threat actors are using the chain to deploy malicious loaders and listeners on compromised servers. The result is arbitrary code execution on the MDM server and exfiltration of the data it holds.
Ivanti EPMM versions 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier are affected; the fixed releases are 11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1. The on-premises EPMM product is affected, while Ivanti stated that its cloud MDM service is not. Ivanti published the patches and its advisory on May 13, 2025, and CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) Catalog on May 19, 2025. Despite the availability of patches, exploitation continues, emphasizing the need for immediate action.
Technical Deep Dive: Malware and Exploitation
The deployed malware consists of two sets of components, referred to as Loader 1 and Loader 2. Both loaders are designed to inject arbitrary code and maintain persistence on Apache Tomcat deployments.
Loader 1
- Components: web-install.jar, ReflectUtil.class, SecurityHandlerWanListener.class
- Functionality: Loader 1's JAR file hosts ReflectUtil.class, which injects a malicious listener (SecurityHandlerWanListener) into Apache Tomcat. It does so by bypassing JDK module restrictions, decoding a Base64-encoded, gzip-compressed listener class, and adding the resulting class to the servlet listener list, so the listener runs inside the EPMM web application without any file being dropped into the web root.
- Exploitation: SecurityHandlerWanListener intercepts HTTP requests that carry a specific pass string, Referer header, and payload. It Base64-decodes and AES-decrypts the payload, then defines and executes the resulting classes on the server, giving the actor arbitrary code execution and a channel for data exfiltration.
Loader 2
- Components: web-install.jar, WebAndroidAppInstaller.class
- Functionality: Loader 2's JAR file masquerades WebAndroidAppInstaller.class as part of the com.mobileiron.service package, so it blends in with legitimate EPMM (formerly MobileIron) code. It accepts only requests with the content type application/x-www-form-urlencoded, extracts a Base64-encoded password parameter, AES-decrypts it, dynamically loads the resulting classes, encrypts and Base64-encodes the execution results with the same key, and returns an MD5-hashed response.
- Exploitation: This loader lets the actor execute arbitrary code and receive command output over ordinary-looking HTTP form posts. Its Base64 decoding first calls decodeBuffer on sun.misc.BASE64Decoder and, if that fails, falls back to java.util.Base64.getDecoder(); sun.misc.BASE64Decoder was removed in JDK 9, so the fallback keeps the loader working on both old and current Java runtimes.
Attack Vector
Attackers exploit the /mifs/rs/api/v2/ endpoint by chaining many HTTP GET requests whose format parameter carries a Base64-encoded chunk of the payload. The chunks are written to /tmp, reconstructed into a JAR file, and the malicious Java classes inside are then loaded into the running Tomcat process. Splitting the payload across many small, individually harmless-looking requests lets the actor evade signature-based controls and request or file size limits; it also means the full artifact may only be recoverable by reassembling the chunks from the web access logs.
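To make the pattern concrete, here is an added example (not CISA's SIGMA rule or Ivanti code) that hunts Apache/Tomcat-style access logs for repeated GET requests under /mifs/rs/api/v2/ whose format parameter carries a long Base64 run, groups them by client, and reassembles the decoded chunks so the dropped file can be recovered for analysis. The log line format, the /mifs/rs/api/v2/example resource name, the alert threshold and the assumption that each chunk is independently Base64-encoded are all assumptions of this example; the log lines are constructed.

```python
"""Hunt web access logs for the chunked delivery described above: repeated GET requests
to /mifs/rs/api/v2/ whose `format` parameter carries Base64 chunks of a payload.
Added example, not CISA's SIGMA rule or Ivanti code; the sample log lines are constructed."""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import parse_qs, quote, urlsplit

# Common Log Format with a quoted request line; adjust the pattern if your logs differ.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PREFIX = "/mifs/rs/api/v2/"
MIN_CHUNK_LEN = 64      # legitimate values such as format=json are far shorter
MIN_CHUNKS_PER_IP = 3   # alert threshold; tune to your environment
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{%d,}={0,2}" % MIN_CHUNK_LEN)


def decode_b64(run):
    """Decode a standard or URL-safe Base64 run, tolerating stripped padding; None if invalid."""
    std = run.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    try:
        return base64.b64decode(std, validate=True)
    except (binascii.Error, ValueError):
        return None


def base64_chunk(value):
    """First Base64-looking run of >= MIN_CHUNK_LEN chars in `value` that really decodes."""
    for m in B64_RUN.finditer(value):
        if decode_b64(m.group(0)) is not None:
            return m.group(0)
    return None


def suspicious_format_chunks(log_lines):
    """Return {client_ip: [(path, chunk), ...]} for clients with >= MIN_CHUNKS_PER_IP
    GET requests under TARGET_PREFIX whose `format` parameter carries a Base64 chunk."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(TARGET_PREFIX):
            continue
        for value in parse_qs(url.query).get("format", []):   # parse_qs URL-decodes
            chunk = base64_chunk(value)
            if chunk:
                hits[m["ip"]].append((url.path, chunk))
    return {ip: h for ip, h in hits.items() if len(h) >= MIN_CHUNKS_PER_IP}


def reassemble(chunks):
    """Concatenate the decoded chunks in log order. Assumes each chunk was Base64-encoded
    on its own; if the actor encoded the whole file and then split it, decode the
    concatenation of the raw chunks instead."""
    return b"".join(decode_b64(c) or b"" for c in chunks)


# Constructed sample: a 300-byte fake JAR (ZIP magic plus filler) split into three
# independently encoded chunks sent by one client, amid benign traffic. The resource
# name "example" under /mifs/rs/api/v2/ is a placeholder, not a real EPMM route.
SAMPLE_PAYLOAD = b"PK\x03\x04" + bytes(range(256)) + b"\x00" * 40
SAMPLE_CHUNKS = [base64.b64encode(SAMPLE_PAYLOAD[i:i + 100]).decode() for i in range(0, 300, 100)]
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Sep/2025:10:01:%02d +0000] "GET /mifs/rs/api/v2/example?format=%s HTTP/1.1" 200 512'
    % (i, quote(chunk, safe=""))
    for i, chunk in enumerate(SAMPLE_CHUNKS)
] + [
    '198.51.100.9 - - [18/Sep/2025:10:02:00 +0000] "GET /mifs/rs/api/v2/example?format=json HTTP/1.1" 200 1024',
    '198.51.100.9 - - [18/Sep/2025:10:02:05 +0000] "POST /mifs/login HTTP/1.1" 302 0',
    '192.0.2.44 - - [18/Sep/2025:10:03:00 +0000] "GET /mifs/rs/api/v2/example?format=%s HTTP/1.1" 200 512'
    % quote(SAMPLE_CHUNKS[0], safe=""),
]

if __name__ == "__main__":
    for ip, hits in suspicious_format_chunks(SAMPLE_LOG).items():
        blob = reassemble(chunk for _, chunk in hits)
        is_zip = blob[:4] == b"PK\x03\x04"
        print(f"{ip}: {len(hits)} chunked requests, {len(blob)} bytes recovered, ZIP magic: {is_zip}")
```

The single-chunk client (192.0.2.44) stays below the threshold on purpose: one oversized format value is worth a look, but the alert here is the sustained sequence that chunked delivery requires. Recovered bytes that start with the ZIP magic can be carved to a file and fed to the YARA rules discussed below.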
Indicators of Compromise (IOCs)
Detecting exploitation requires hunting for the Indicators of Compromise (IOCs) that CISA published alongside its analysis, which include YARA rules for the file artifacts and a SIGMA rule for the network and host activity.
- YARA Rules: CISA has created YARA rules for both loaders and the listener. They detect the JAR and class file artifacts by matching unique SHA-256 hashes and byte patterns; deploy rules CISA_251126_01 through CISA_251126_05 to scan for those artifacts. Hash-based rules only catch the exact samples CISA analysed, so treat a clean scan as necessary but not sufficient.
- SIGMA Rule: The provided SIGMA rule (AR25-260A/B SIGMA YAML) identifies suspicious HTTP GET requests, class names, file hashes, and network artifacts. It flags abnormal GET requests to the EPMM API, class loading activity, and network IOCs such as known malicious IPs.
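As an added example (not one of CISA's YARA rules), the following scan walks a directory such as /tmp for the file artifacts the analysis names: loose class files whose names match the loader classes, and JAR or other ZIP containers that hold them, reporting SHA-256 so the hashes can be compared with CISA's IOC lists. Matching on class names rather than hashes catches recompiled variants that a hash rule would miss, at the cost of needing review for false positives. The package path com/mobileiron/service for the Loader 2 class follows the description above; the sample JARs and class bytes are constructed in a temporary directory.

```python
"""Scan a directory (for example /tmp on an EPMM appliance) for the loader artifacts
named in the CISA analysis: loose .class files with the loader class names, and JAR
or other ZIP containers holding such classes. Added example, not CISA's YARA rules.
Reports SHA-256 so results can be compared against published hash IOCs."""
import hashlib
import os
import tempfile
import zipfile

# Class names from the analysis; inside a JAR they may sit under a package directory.
LOADER_CLASS_NAMES = {
    "ReflectUtil.class": "Loader 1 (injector)",
    "SecurityHandlerWanListener.class": "Loader 1 (Tomcat listener)",
    "WebAndroidAppInstaller.class": "Loader 2",
}


def sha256_file(path):
    """Hex SHA-256 of a file, read in blocks so large JARs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def suspicious_members(path):
    """(member_name, label) for every entry in a ZIP/JAR whose file name is a loader class."""
    findings = []
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                label = LOADER_CLASS_NAMES.get(member.rsplit("/", 1)[-1])
                if label:
                    findings.append((member, label))
    except zipfile.BadZipFile:
        pass
    return findings


def scan_dir(root):
    """Return {path: {"sha256": ..., "matches": [(name, label), ...]}} for flagged files.
    A file is flagged if its own name is a loader class, or if it is a ZIP container
    (checked by magic, not extension, since reconstructed JARs may be named arbitrarily)
    containing one."""
    flagged = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            matches = []
            if fn in LOADER_CLASS_NAMES:
                matches.append((fn, LOADER_CLASS_NAMES[fn]))
            elif zipfile.is_zipfile(path):
                matches = suspicious_members(path)
            if matches:
                flagged[path] = {"sha256": sha256_file(path), "matches": matches}
    return flagged


def build_samples(directory):
    """Write constructed samples: a fake loader JAR, a loose loader class, and benign files.
    Class bodies are just the 0xCAFEBABE class-file magic followed by zeros, not bytecode."""
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 28
    with zipfile.ZipFile(os.path.join(directory, "web-install.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/mobileiron/service/WebAndroidAppInstaller.class", fake_class)
    with zipfile.ZipFile(os.path.join(directory, "benign.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/example/Util.class", fake_class)
    with open(os.path.join(directory, "ReflectUtil.class"), "wb") as f:
        f.write(fake_class)
    with open(os.path.join(directory, "notes.txt"), "w") as f:
        f.write("not a java artifact\n")


def demo():
    """Build the constructed samples in a temp dir, scan it, return results keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        build_samples(d)
        return {os.path.relpath(p, d): v for p, v in scan_dir(d).items()}


if __name__ == "__main__":
    for name, info in sorted(demo().items()):
        print(name, info["sha256"][:16], info["matches"])
```

On a live appliance, run scan_dir against /tmp and the Tomcat work and webapps directories, and compare the reported SHA-256 values with the hashes in CISA's report; a name match with an unknown hash is still worth pulling for analysis, because the class names are what the loaders present to Tomcat.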
Mitigation Strategies
To mitigate the risk of exploitation, organizations should implement the following measures:
- Immediate Upgrade: Upgrade to a fixed Ivanti EPMM release without delay; this is the only way to eliminate the vulnerabilities. Patching closes the entry point but does not remove loaders already planted, so any appliance that was exposed while unpatched should be checked against the IOCs above before it is trusted again.
- Network Segmentation: Implement network segmentation to limit the lateral movement of attackers. This helps contain the impact of a potential breach.
- Application Allowlisting: Use application allowlisting to ensure that only authorized applications can run on the system. This reduces the risk of malware execution.
- Multi-Factor Authentication (MFA): Enforce multi-factor authentication for administrative interfaces. MFA cannot stop an unauthenticated bypass such as CVE-2025-4427, but it limits what an attacker can do with credentials harvested from a compromised MDM server and protects other access points.
- Regular Log Review: Conduct regular log reviews to detect anomalous commands or file activity. This helps identify potential security incidents early.
- Treat MDM Systems as High-Value Assets: Enforce enhanced restrictions and continuous monitoring on MDM platforms as high-value assets. This ensures that these critical systems receive the attention they require.
Fortra GoAnywhere MFT Vulnerability: CVE-2025-10035
In addition to the Ivanti EPMM vulnerabilities, another significant threat involves a maximum-severity (CVSS 10.0) flaw in the License Servlet of Fortra's GoAnywhere MFT, tracked as CVE-2025-10035. It is a deserialization of untrusted data weakness (CWE-502) that can be exploited for command injection.
Technical Details
- Vulnerability: CVE-2025-10035 is a deserialization vulnerability in the License Servlet of Fortra’s GoAnywhere MFT.
- Impact: Allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, potentially leading to command injection.
- Mitigation: Fortra has released GoAnywhere MFT 7.8.4 and Sustain Release 7.6.3, which patch CVE-2025-10035; upgrade immediately. If an immediate upgrade is not possible, ensure that the GoAnywhere Admin Console cannot be reached from the internet. Fortra also advises checking the Admin Audit logs for errors containing the string SignedObject.getObject, which it lists as a possible indicator of exploitation attempts.
Monitoring and Detection
Security analysts at the Shadowserver Foundation are tracking over 470 internet-exposed GoAnywhere MFT instances. Exposure alone does not mean a host is vulnerable, but an internet-reachable Admin Console on an unpatched version is exactly the condition this flaw needs. Organizations should confirm that their own instances are not reachable from the internet and monitor them for exploitation attempts.
Microsoft Entra ID Flaw: CVE-2025-55241
Another critical vulnerability, CVE-2025-55241, was discovered in Microsoft’s Entra ID (formerly Azure AD) in July 2025. This flaw could have allowed attackers to gain complete administrative control over any tenant in Microsoft’s global cloud infrastructure.
Technical Details
- Vulnerability: CVE-2025-55241 involved the misuse of "Actor tokens," undocumented service-to-service impersonation tokens used internally by Microsoft that are not governed by Conditional Access or other common security policies. The legacy Azure AD Graph API failed to verify that an Actor token was bound to the tenant being accessed, so a token obtained in an attacker-controlled tenant could be used to impersonate users, including Global Administrators, in any other tenant.
- Impact: Attackers could impersonate Global Administrators across tenants, seizing control of Microsoft 365 services and Azure resources. They could modify tenant configurations, create or hijack accounts, and grant any level of permissions.
- Mitigation: Microsoft fixed the issue on its side in July 2025 and implemented further mitigations in August. Because the flaw was in Microsoft's cloud service, there is no customer patch to install; the actions available to tenants are to hunt for abuse during the exposure window and to reduce reliance on the legacy Azure AD Graph API.
Detection and Remediation
Organizations should take the following steps to detect and remediate potential exploitation:
- Review Audit Logs: Review tenant audit logs for suspicious modifications, especially Global Admin changes logged under Microsoft service display names.
- Use KQL Detection Rule: Use the KQL detection query published by the researcher who reported the flaw, Dirk-jan Mollema, to hunt for Actor token activity in the environment. Be aware of its limits: read-only access through the flaw did not generate logs in the victim tenant, so only modifications (role assignments, credential changes, consent grants) leave audit trail entries.
- Restrict Legacy Authentication: Remove or restrict legacy authentication mechanisms that may still be in use, and migrate any remaining Azure AD Graph API usage to Microsoft Graph, since the legacy API is the one that failed to validate the tenant.
- Disable Untrusted B2B Accounts: Disable unused or untrusted B2B guest accounts to prevent cross-tenant pivoting.
- Monitor for Privilege Escalation: Monitor for abnormal privilege escalation events, especially new admin role assignments or application consent grants.
- Apply Conditional Access and MFA Policies: Apply Conditional Access and MFA policies across all accounts where possible.
- Review Service Principal and Application Permissions: Regularly review service principal and application permissions to detect unauthorized or excessive access rights.
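The audit-log review and privilege-escalation monitoring steps above can be turned into a first-pass filter. The following added example (not Microsoft tooling or the researcher's KQL query) walks Entra ID audit records and surfaces successful privileged role assignments whose initiator is an application identity rather than a signed-in user, which is how the text describes the suspicious Global Admin changes appearing. It assumes the records have the shape of Microsoft Graph directoryAudits objects (activityDisplayName, initiatedBy, targetResources[].modifiedProperties with Role.DisplayName); the initiator names, appIds and domains in the samples are constructed.

```python
"""Triage Entra ID audit-log records for privileged role assignments performed by an
application (service) identity rather than an interactive administrator, the pattern
described above (Global Admin changes logged under a Microsoft service display name).
Added example, not Microsoft tooling or the researcher's KQL query. Records are assumed
to have the shape of Microsoft Graph directoryAudits objects; the samples are constructed."""
import json

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
ROLE_ACTIVITIES = {"Add member to role", "Add eligible member to role"}
# appIds of automation verified to legitimately assign roles in your tenant (assumption: none).
KNOWN_AUTOMATION_APP_IDS = set()


def decode_property_value(value):
    """modifiedProperties values arrive JSON-encoded, e.g. '"Global Administrator"'."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def assigned_roles(record):
    """Role display names written by this record, from targetResources[].modifiedProperties."""
    roles = set()
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            if prop.get("displayName") == "Role.DisplayName":
                roles.add(decode_property_value(prop.get("newValue")))
    return roles


def triage(records):
    """Findings for successful privileged-role assignments whose initiator is an app, not a user."""
    findings = []
    for r in records:
        if r.get("activityDisplayName") not in ROLE_ACTIVITIES or r.get("result") != "success":
            continue
        roles = assigned_roles(r) & PRIVILEGED_ROLES
        if not roles:
            continue
        initiated_by = r.get("initiatedBy") or {}
        app, user = initiated_by.get("app"), initiated_by.get("user")
        if not app or user or app.get("appId") in KNOWN_AUTOMATION_APP_IDS:
            continue
        findings.append({
            "time": r.get("activityDateTime"),
            "initiator_display_name": app.get("displayName"),
            "initiator_app_id": app.get("appId"),
            "roles": sorted(roles),
            "targets": [t.get("userPrincipalName") or t.get("displayName")
                        for t in r.get("targetResources") or [] if t.get("type") == "User"],
        })
    return findings


def make_record(time, initiated_by, target_upn, role, activity="Add member to role", result="success"):
    """Constructed directoryAudits-shaped record; helper for the samples below only."""
    return {
        "activityDateTime": time,
        "activityDisplayName": activity,
        "category": "RoleManagement",
        "result": result,
        "initiatedBy": initiated_by,
        "targetResources": [{
            "type": "User",
            "userPrincipalName": target_upn,
            "modifiedProperties": [
                {"displayName": "Role.DisplayName", "oldValue": None, "newValue": json.dumps(role)},
            ],
        }],
    }


# Constructed initiators: a service identity (placeholder name and ids) and a human admin.
APP_INITIATOR = {"user": None, "app": {"displayName": "Example Service (constructed)",
                                        "appId": "00000000-0000-0000-0000-000000000000",
                                        "servicePrincipalId": "11111111-1111-1111-1111-111111111111"}}
USER_INITIATOR = {"app": None, "user": {"userPrincipalName": "admin@contoso.example",
                                         "displayName": "Alice Admin"}}

SAMPLE_RECORDS = [
    make_record("2025-07-15T09:12:00Z", APP_INITIATOR, "victim@contoso.example", "Global Administrator"),
    make_record("2025-07-15T09:20:00Z", USER_INITIATOR, "bob@contoso.example", "Global Administrator"),
    make_record("2025-07-15T09:25:00Z", APP_INITIATOR, "carol@contoso.example", "Directory Readers"),
    make_record("2025-07-15T09:30:00Z", APP_INITIATOR, "dave@contoso.example", "Global Administrator",
                result="failure"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f['time']} {f['initiator_display_name']} -> {f['targets']} as {f['roles']}")
```

The app-only filter surfaces the cases the text highlights first; every Global Administrator assignment still deserves a look, including the user-initiated one the sample leaves unflagged. Pull the records from the Graph directoryAudits endpoint or from the AuditLogs table exported to a SIEM, and extend ROLE_ACTIVITIES with consent-grant activities if you want the same pass to cover application consents.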
Actionable Advice for Technical and Non-Technical Readers
For Technical Readers:
- Implement IOCs: Deploy the provided YARA and SIGMA rules to detect potential exploitation attempts.
- Patch Management: Ensure all systems are patched with the latest security updates, focusing on Ivanti EPMM and GoAnywhere MFT.
- Log Monitoring: Implement comprehensive log monitoring to detect anomalous activities.
- Threat Hunting: Conduct regular threat hunting exercises to proactively identify and mitigate potential threats.
- Incident Response Plan: Develop and maintain an incident response plan to effectively handle security incidents.
For Non-Technical Readers:
- Awareness Training: Provide regular security awareness training to employees to recognize and report suspicious activities.
- Policy Enforcement: Enforce strong security policies, including password management, data handling, and access controls.
- Vendor Management: Ensure that third-party vendors adhere to strict security standards.
- Risk Assessment: Conduct regular risk assessments to identify and prioritize security risks.
- Executive Support: Ensure that cybersecurity initiatives receive adequate support and resources from executive leadership.
How PurpleOps Can Help
PurpleOps provides comprehensive cybersecurity solutions to help organizations protect against threats like the Ivanti EPMM, Fortra GoAnywhere MFT, and Microsoft Entra ID vulnerabilities. Our services include:
- Cyber Threat Intelligence Platform: We offer a cyber threat intelligence platform that provides real-time updates on emerging threats, vulnerabilities, and indicators of compromise. This enables organizations to proactively defend against potential attacks. Through our dark web monitoring service and underground forum intelligence, we can detect discussions and plans related to exploiting these vulnerabilities.
- Breach Detection: Our breach detection services help organizations identify and respond to security incidents quickly and effectively. We provide real-time alerts and actionable insights to minimize the impact of a breach.
- Supply-Chain Risk Monitoring: PurpleOps supply-chain risk monitoring helps organizations assess and mitigate the risks associated with their supply chain. This includes monitoring vendors for vulnerabilities and potential security breaches.
- Penetration Testing: We offer penetration testing services to identify vulnerabilities in your systems and applications. Our team of experts can simulate real-world attacks to help you understand your security posture and improve your defenses. We provide network penetration testing to ensure systems are secured against attacks.
- Red Team Operations: Our red team operations provide a comprehensive assessment of your security defenses. We simulate advanced attacks to identify weaknesses and provide recommendations for improvement.
By leveraging PurpleOps’ services, organizations can enhance their cybersecurity posture and effectively protect against emerging threats.
Explore PurpleOps Services Today
Don’t wait until it’s too late. Explore our comprehensive cybersecurity solutions and protect your organization from evolving threats. Visit our website at https://www.purple-ops.io/platform/ to learn more about our services and how we can help you stay secure. Contact us for more information at PurpleOps Solutions.
FAQ
What are CVE-2025-4427 and CVE-2025-4428?
CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (remote code execution) are vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that, chained together, give an unauthenticated attacker code execution on the appliance. They are being actively exploited by cyber threat actors.
What is the impact of these vulnerabilities?
Exploitation of these vulnerabilities can lead to arbitrary code execution, data exfiltration, and significant security breaches.
How can I mitigate these vulnerabilities?
Mitigation strategies include immediate upgrade to the latest Ivanti EPMM release, network segmentation, application allowlisting, and regular log review.
What are the indicators of compromise (IOCs) for these attacks?
IOCs include specific YARA rules and a SIGMA rule provided by CISA, which can detect malicious JAR and class file artifacts, suspicious HTTP GET requests, and network artifacts.
How can PurpleOps help protect against these threats?
PurpleOps provides comprehensive cybersecurity solutions, including cyber threat intelligence, breach detection, supply-chain risk monitoring, and penetration testing services.