CISA Analyzes Malware From Ivanti EPMM Intrusions
securityweek
The cybersecurity agency CISA has shared technical information on malware deployed in attacks targeting two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM).
The flaws, tracked as CVE-2025-4427 (CVSS score of 5.3) and CVE-2025-4428 (CVSS score of 7.2), were disclosed on May 13, after hackers had exploited them in attacks.
The exploitation of the two issues intensified several days later, after proof-of-concept (PoC) exploit code was published. By late May, it came to light that a China-linked threat actor tracked as UNC5221 had been abusing them in attacks.
The two defects, an authentication bypass and a remote code execution (RCE) bug, reside in two open source libraries integrated into EPMM and can be chained together for unauthenticated RCE.
Now, CISA has shared details, indicators of compromise (IoCs), and detection rules for two sets of malware (five files) that were collected from a network compromised through the exploitation of a vulnerable Ivanti EPMM ...