Unnamed org compromised with two malware sets
theregister.co.uk
An unknown attacker has exploited two flaws in Ivanti Endpoint Manager Mobile (EPMM) and deployed two sets of malware against an unnamed organization, according to the US Cybersecurity and Infrastructure Security Agency.
While CISA doesn't attribute this compromise to a particular group, both of these flaws, CVE-2025-4427 and CVE-2025-4428, were exploited as zero-days before Ivanti disclosed and patched them on May 13. Soon after, private security researchers blamed suspected Chinese government spies for the intrusions.
CVE-2025-4427 is an authentication bypass vulnerability and CVE-2025-4428 is a post-authentication remote code execution (RCE) flaw. Chained together, the bypass removes the RCE's authentication prerequisite, so an unauthenticated attacker can run malware on, and take over, vulnerable deployments.
In a Thursday alert, CISA said the intrusion it investigated happened around May 15, two days after Ivanti's patch and after a proof-of-concept exploit became available, and that the unnamed attacker reached the organization's EPMM server by chaining both CVEs. Both malware sets contain "loaders for malicious listeners ...
Copyright of this story belongs to theregister.co.uk.