- CISA warns attackers chained CVE-2025-4427 and CVE-2025-4428 to breach Ivanti EPMM systems
- Malware was delivered via EL injection and reconstructed from Base64-encoded payloads
- CISA did not confirm attribution; reports suggest possible Chinese targeting of Australian entity
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations about two patched Ivanti flaws being chained together in real-life attacks.
In a new security advisory, CISA said it was tipped off on cybercriminals using CVE-2025-4427, and CVE-2025-4428 – both affecting Ivanti’s Endpoint Manager Mobile (EPMM) solutions – to obtain initial access.
The former is an authentication bypass in the API component of EPMM 12.5.0.0 and prior, which allows attackers to access protected resources without proper credentials via the API. It was given a severity score of 7.5/10 (high) and was patched in May 2025. The latter, on the other hand, is a Remote Code Execution (RCE) bug in EPMM’s API component, allowing unauthenticated attackers to run arbitrary code via crafted API requests. It was given a severity score of 8.8/10 (high) and was fixed at approximately the same time.
Dropping malware
CISA said that the attackers used these two flaws in a chain to drop two sets of malware.
The first one includes components that inject a malicious listener into Apache Tomcat, allowing them to intercept specific HTTP requests and execute arbitrary Java code. The second malware set operates similarly, but uses a different class to process encoded password parameters in HTTP requests.
Both sets were delivered using Java Expression Language (EL) injection via HTTP GET requests, the researchers explained. The payloads were encoded in Base64 and written to temporary directories in parts, and later reconstructed. That way, the attackers were able to evade being detected by traditional security tools.
CISA did not discuss attribution so, officially, we don’t know who the threat actors, or the victims, were in this attack. The Register, however, cited earlier reports that this might have been the work of a Chinese state-sponsored attacker going after an organization in Australia.
Via The Register
You might also like
https://cdn.mos.cms.futurecdn.net/TWkP7ZurZMY6uepDxsK6Ha.jpg
Source link
