
CISA Alerts of Hackers Targeting Ivanti Endpoint Manager Mobile Vulnerabilities to Distribute Malware


By Mayura Kathir

Cyber threat actors have weaponized two critical Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities—CVE-2025-4427 and CVE-2025-4428—to deploy sophisticated malicious loaders and listeners on compromised servers.

The malware consists of two sets of components: Loader 1 (web-install.jar, ReflectUtil.class, SecurityHandlerWanListener.class) and Loader 2 (web-install.jar, WebAndroidAppInstaller.class), both designed to inject arbitrary code and maintain persistence on Apache Tomcat deployments.

CISA obtained five malware files from an organization compromised via CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (code injection) in Ivanti EPMM.

Attackers exploited the /mifs/rs/api/v2/ endpoint by chaining HTTP GET requests with a format parameter to deliver Base64-encoded chunks, reconstruct JAR files in /tmp, and load malicious Java classes.

Once deployed, these classes intercept HTTP requests bearing specific headers or payloads to decode, decrypt, and execute arbitrary code.
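Detection logic for the staged delivery described above, as an added example that is not part of the CISA report or this article: it parses Tomcat-style access-log lines (that log layout is assumed), counts GET requests under /mifs/rs/api/v2/ whose `format` parameter looks like a Base64 chunk, and flags sources that sent several in a row. The sample log lines, the `example` sub-path, the addresses and the thresholds are all constructed.

```python
import re
import base64
import binascii
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, quote

# Tomcat "common" access-log layout is assumed; fields after the status code are ignored.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
TARGET_PREFIX = "/mifs/rs/api/v2/"  # API endpoint named in the CISA report
MIN_CHUNK_LEN = 32                   # heuristic (assumption): short legitimate values are ignored

def looks_base64(value):
    """True if value is a plausible Base64 chunk: Base64 alphabet, padded length, decodes cleanly."""
    if len(value) < MIN_CHUNK_LEN or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def parse_line(line):
    """Split one access-log line into source IP, method, path and parsed query; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = parts.path, parse_qs(parts.query)  # parse_qs percent-decodes values
    return rec

def flag_chunk_deliveries(lines, min_chunks=3):
    """Return {source_ip: chunk_count} for sources that issued >= min_chunks GETs to the EPMM API
    carrying a Base64-looking 'format' value, i.e. the chunked-upload pattern rather than one hit."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not rec["path"].startswith(TARGET_PREFIX):
            continue
        for fmt in rec["query"].get("format", []):
            if looks_base64(fmt):
                counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_chunks}

# Constructed sample traffic (not real): three Base64 chunks from one host, one benign call from another.
def sample_chunk(i):
    return base64.b64encode(f"constructed sample chunk {i} of a staged file".encode()).decode()

SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Jun/2025:12:00:0{i} +0000] "GET {TARGET_PREFIX}example?format={quote(sample_chunk(i), safe="")} HTTP/1.1" 200 17'
    for i in range(3)
] + ['198.51.100.5 - - [10/Jun/2025:12:00:09 +0000] "GET /mifs/rs/api/v2/example?format=json HTTP/1.1" 200 512']

if __name__ == "__main__":
    print(flag_chunk_deliveries(SAMPLE_LOG))  # {'203.0.113.7': 3}
```

The `format=json` request from the second host is not counted, and raising `min_chunks` shows how the threshold trades sensitivity against noise from legitimate API clients.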

Organizations running Ivanti EPMM versions 11.12.0.4 and prior, 12.3.0.1 ...


Copyright of this story solely belongs to gbhackers.