The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM).

The flaws are an authentication bypass in EPMM’s API component (CVE-2025-4427) and a code injection vulnerability (CVE-2025-4428) that allows execution of arbitrary code.

The two vulnerabilities affect the following Ivanti EPMM development branches and their earlier releases: 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0.

Ivanti addressed the issues on May 13, but threat actors had already been exploiting them as zero days in attacks against “a very limited number of customers.”

About a week later, threat intelligence platform EclecticIQ reported with high confidence that a China-nexus espionage group was leveraging the two vulnerabilities since at least May 15.

The researchers said that the China-linked threat actor is very knowledgeable of Ivanti EPMM’s internal architecture, being capable of repurposing system components to exfiltrate data.

CISA’s report, though, does not make any attribution and focuses only on the technical details of malicious files obtained from an organization attacked by threat actors using an exploit chain for CVE-2025-4427 and CVE-2025-4428.

Split malware delivery

The U.S. agency analyzed two sets of malware consisting of five files that the hackers used to gain initial access to on-premise Ivanti EPMM systems.

“The cyber threat actors targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests and used the ?format= parameter to send malicious remote commands,” CISA says.

The commands let the threat actor run reconnaissance activity by collecting system information, listing the root directory, mapping the network, fetching malicious files, and extracting Lightweight Directory Access Protocol (LDAP) credentials.

Each of the analyzed malware sets included a distinct loader but with the same name, and malicious listeners that allow injecting and running arbitrary code on the compromised system:

• Set 1:
  • web-install.jar (Loader 1)
  • ReflectUtil.class – included on Loader 1, manipulates Java objects to inject and manage the malicious listener in the set
  • SecurityHandlerWanListener.class – malicious listener that could be used to inject and execute code on the server, to exfiltrate data, and establish persistence
• Set 2:
  • web-install.jar (Loader 2)
  • WebAndroidAppInstaller.class – a malicious listener in Loader 2, that the threat actor could use to inject and execute code, create persistence, and exfiltrate data

According to CISA, the threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks.

The two distinct malware sets function similarly, intercepting specific HTTP requests to decode and run payloads provided by the attackers.

CISA has provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks.

The agency’s recommendation for companies that find the analyzed malware or similar files on their systems is to isolate the affected hosts, collect and review artifacts, and create a full forensic disk image to share with CISA.

As mitigation action, CISA recommends patching affected Ivanti EPMM immediately and treating mobile device management (MDM) systems as high-value assets (HVAs) that require additional security restrictions and monitoring.