- CISA warns that attackers are chaining CVE-2025-4427 and CVE-2025-4428 to compromise Ivanti EPMM systems
- Malware was delivered via Java Expression Language (EL) injection and reconstructed from base64-encoded payload fragments
- CISA did not confirm attribution; earlier reports suggest a possible Chinese state-sponsored attack on an Australian organization
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations that two already-patched Ivanti vulnerabilities are being chained together in the wild.
In a new security advisory, CISA said it had been tipped off about cybercriminals using CVE-2025-4427 and CVE-2025-4428, both affecting Ivanti's Endpoint Manager Mobile (EPMM) solution, to gain initial access.
The former is an authentication bypass in the API component of EPMM 12.5.0.0 and earlier, giving attackers access to protected resources via the API without proper credentials. It received a severity score of 7.5/10 (high) and was patched in May 2025. The latter is a remote code execution (RCE) flaw in EPMM's API component, allowing unauthenticated attackers to run arbitrary code via crafted API requests. It received a severity score of 8.8/10 (high) and was patched at about the same time.
Dropped malware
CISA said attackers chained these two flaws to drop two sets of malware.
The first includes components that inject a malicious listener into Apache Tomcat, allowing the attackers to intercept specific HTTP requests and execute arbitrary Java code. The second malware set works similarly, but uses a different class to process encoded password parameters in HTTP requests.
Both sets were delivered using Java Expression Language (EL) injection via HTTP GET requests, the researchers explained. The payloads were base64-encoded and written to temporary directories in segments, then reassembled later. In this way, the attackers were able to evade detection by traditional security tools.
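The delivery pattern described above, EL expressions in GET query strings followed by base64 payload fragments, leaves traces in web server access logs. The following Python is an added example written for this piece, not code from CISA, Ivanti or the malware itself; it scans constructed Common Log Format lines, and the /api/v2/example path and the base64 chunk are placeholders, not the real EPMM endpoint or payload.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Common Log Format samples; /api/v2/example is a placeholder path, not the real EPMM endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [14/May/2025:10:01:02 +0000] "GET /api/v2/example?format=%24%7B7*7%7D HTTP/1.1" 200 512
10.0.0.6 - - [14/May/2025:10:01:03 +0000] "GET /api/v2/example?format=json HTTP/1.1" 200 512
10.0.0.7 - - [14/May/2025:10:01:04 +0000] "GET /api/v2/example?chunk=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB HTTP/1.1" 200 77
10.0.0.8 - - [14/May/2025:10:01:05 +0000] "GET /api/v2/example?format=%2524%257B7*7%257D HTTP/1.1" 200 512
10.0.0.9 - - [14/May/2025:10:01:06 +0000] "POST /api/v2/example HTTP/1.1" 200 12
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
EL_MARKERS = ("${", "#{")                            # Java EL expression delimiters
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long base64-looking value (payload chunk)

def decode_param(value: str) -> str:
    """URL-decode up to three times: double encoding is a common filter-evasion trick."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def query_params(query: str):
    """Split the raw query string without turning '+' into spaces ('+' is valid base64)."""
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), value

def inspect_line(line: str):
    """Return (client, path, reason) findings for one GET log line; [] if nothing suspicious."""
    m = LOG_RE.match(line)
    if not m or m.group(2) != "GET":
        return []
    client, _, target, _ = m.groups()
    parts = urlsplit(target)
    findings = []
    for name, raw in query_params(parts.query):
        value = decode_param(raw)
        if any(marker in value for marker in EL_MARKERS):
            findings.append((client, parts.path, f"EL expression in parameter '{name}'"))
        elif B64_RE.match(value):
            findings.append((client, parts.path, f"long base64 value in parameter '{name}'"))
    return findings

def scan_log(text: str):
    return [f for line in text.splitlines() for f in inspect_line(line)]
```

The base64 check is deliberately broad and will flag legitimate long tokens, so treat it as a triage signal to correlate with the EL hits, not as a verdict on its own.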
CISA did not discuss attribution, so officially we do not know who the threat actors or victims were in this attack. However, earlier reports suggested this could have been the work of a Chinese state-sponsored attacker who went after an organization in Australia.
Via The Register