TechRadar
Sead Fadilpašić

CISA flags some more serious Ivanti software flaws, so patch now

  • CISA warns that attackers chained CVE-2025-4427 and CVE-2025-4428 to breach Ivanti EPMM systems
  • Malware was delivered via Java EL injection, with Base64-encoded payloads dropped in parts and reassembled on the host
  • CISA did not attribute the activity; earlier reports suggest a Chinese state-sponsored actor targeting an Australian organization

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations that two already-patched Ivanti flaws are being chained together in attacks in the wild.

In a new security advisory, CISA said it had been alerted to attackers using CVE-2025-4427 and CVE-2025-4428, both affecting Ivanti's Endpoint Manager Mobile (EPMM) product, to obtain initial access.

The former is an authentication bypass in the API component of EPMM 12.5.0.0 and prior, which allows attackers to reach protected API resources without valid credentials. It carries a severity score of 7.5/10 (high) and was patched in May 2025. The latter is a Remote Code Execution (RCE) bug in the same API component that lets an authenticated attacker run arbitrary code via crafted API requests; chained with the authentication bypass, it becomes unauthenticated RCE. It carries a severity score of 8.8/10 (high) and was fixed in the same Ivanti release.

Dropping malware

CISA said that the attackers used these two flaws in a chain to drop two sets of malware.

The first set includes components that inject a malicious listener into Apache Tomcat, allowing the attackers to intercept specific HTTP requests and execute arbitrary Java code. The second set operates similarly, but uses a different class to process encoded password parameters in HTTP requests.

Both sets were delivered using Java Expression Language (EL) injection via HTTP GET requests, CISA explained. The payloads were Base64-encoded, written to temporary directories in several parts, and reassembled on the host afterwards. Splitting and encoding the payload this way was intended to evade detection by traditional security tools, which look for a single malicious file or request.
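The delivery technique above (EL injection in GET requests, payload fragments carried as Base64 and reassembled) can be hunted for in web access logs. The following is an added example, not code from CISA, Ivanti or this article: it parses constructed Common Log Format lines, flags query-string values containing Java EL markers (`${...}` or `#{...}`), decodes Base64 chunks, reassembles them in order and checks the result for Java execution tokens. The request path, the `part`/`data` parameter names and the log lines are assumptions for illustration and are not the parameters reported in the advisory.

```python
"""Added example: hunting for EL injection and chunked Base64 payload delivery
in web access logs. Not code from CISA, Ivanti or the article; the log
format, path and parameter names are assumptions and the log is constructed."""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, quote

# Java EL expression markers; either form reaching a server-side expression
# evaluator is the injection primitive described in the advisory.
EL_RE = re.compile(r"[$#]\{.*?\}")
# Tokens that, in a decoded chunk, suggest a Java code-execution payload.
SUSPICIOUS = ("Runtime", "ProcessBuilder", "ClassLoader", "defineClass")
# Common Log Format as written by Tomcat's AccessLogValve (assumption).
CLF_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) \S+" (\d{3})')


def parse_line(line):
    """Return (ip, method, request_target, status) or None if unparseable."""
    m = CLF_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    return ip, method, target, int(status)


def decode_b64(value):
    """Strictly decode a Base64 value; None if it is not valid Base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def analyze(lines):
    """Scan access-log lines. Returns (hits, chunks):
    hits   - list of (ip, path, el_expression) for GET requests carrying EL
    chunks - {(ip, path): {part_no: decoded_bytes}} for Base64 'data' parts
    """
    hits = []
    chunks = defaultdict(dict)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, target, _status = parsed
        if method != "GET":
            continue
        url = urlsplit(target)
        qs = parse_qs(url.query, keep_blank_values=True)  # also URL-decodes
        for values in qs.values():
            for v in values:
                for expr in EL_RE.findall(v):
                    hits.append((ip, url.path, expr))
        # 'part' and 'data' are hypothetical parameter names for the chunked
        # transfer; a real detector would try to decode every parameter.
        if "part" in qs and "data" in qs and qs["part"][0].isdigit():
            blob = decode_b64(qs["data"][0])
            if blob is not None:
                chunks[(ip, url.path)][int(qs["part"][0])] = blob
    return hits, dict(chunks)


def reassemble(parts):
    """Join chunks in part order; None if any part number is missing."""
    if not parts or set(parts) != set(range(1, len(parts) + 1)):
        return None
    return b"".join(parts[i] for i in range(1, len(parts) + 1))


def is_suspicious(payload):
    """True if the reassembled payload contains a Java execution token."""
    text = payload.decode("latin-1")
    return any(tok in text for tok in SUSPICIOUS)


# --- constructed sample: three chunked requests plus one benign request ---
PAYLOAD = b'Runtime.getRuntime().exec("id")'  # illustrative, not a real implant
PARTS = [PAYLOAD[:11], PAYLOAD[11:22], PAYLOAD[22:]]
EL = quote("${''.getClass()}")  # EL marker only; does nothing useful by itself
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jun/2025:10:00:0{i} +0000] "GET /api/example?fmt={EL}'
    f'&part={i + 1}&data={quote(base64.b64encode(p).decode())} HTTP/1.1" 200'
    for i, p in enumerate(PARTS)
] + ['198.51.100.9 - - [10/Jun/2025:10:00:05 +0000] "GET /api/example?fmt=json HTTP/1.1" 200']


def run_sample():
    """Run the detector over the constructed log; returns (hits, payload, flagged)."""
    hits, chunks = analyze(SAMPLE_LOG)
    payload = reassemble(chunks.get(("203.0.113.7", "/api/example"), {}))
    flagged = payload is not None and is_suspicious(payload)
    return hits, payload, flagged


if __name__ == "__main__":
    hits, payload, flagged = run_sample()
    for ip, path, expr in hits:
        print(f"EL injection attempt from {ip} on {path}: {expr}")
    print("reassembled payload:", payload, "suspicious:", flagged)
```

Each chunk here is Base64-encoded separately so it can be decoded on its own; if an attacker instead splits one long Base64 string, concatenate the raw strings first and decode once. The EL check is a strong signal regardless of the chunking, since legitimate API clients have no reason to send `${` or `#{` in a query string.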

CISA did not discuss attribution, so officially it is not known who the threat actors or the victims were. The Register, however, cited earlier reports suggesting this may have been the work of a Chinese state-sponsored attacker going after an organization in Australia.

Via The Register
