Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis of the malware deployed in attacks exploiting vulnerabilities affecting Ivanti Endpoint Manager Mobile (EPMM). [...]
Analysis Summary
# Incident Report: Ivanti EPMM Zero-Day Exploitation and Malware Deployment
## Executive Summary
Threat actors exploited zero-day vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) to gain initial access to victim environments. The attackers used sophisticated, multi-stage malware (two distinct sets involving Java-based loaders and listeners) delivered via segmented HTTP requests to execute arbitrary code, perform reconnaissance, and establish persistence. CISA provided analysis of the deployed malware and recommended urgent patching and enhanced monitoring of MDM systems.
## Incident Details
- Discovery Date: On or around May 13, 2025 (exploitation was already under way when Ivanti patched the flaws)
- Incident Date: Exploitation started before May 15, 2025
- Affected Organization: A "very limited number of customers" (Specific organizations undisclosed in this summary)
- Sector: Unspecified (Likely Enterprise/Government based on later espionage reports)
- Geography: Global (Implied by CISA analysis of on-premise systems)
## Timeline of Events
### Initial Access
- Date/Time: At least since May 15, 2025
- Vector: Exploitation of Ivanti EPMM vulnerabilities (CVE-2025-4427 and CVE-2025-4428).
- Details: Attackers targeted the `/mifs/rs/api/v2/` endpoint using HTTP GET requests with the `?format=` parameter to send malicious remote commands. This led to code injection and authentication bypass.
### Lateral Movement
- Details: The analysis focuses primarily on initial access and the establishment of persistence through injected code execution, the capabilities described for the deployed `SecurityHandlerWanListener.class` and `WebAndroidAppInstaller.class`. LDAP credential extraction was also observed, suggesting steps toward internal reconnaissance.
### Data Exfiltration/Impact
- Details: The malicious listeners were capable of exfiltrating data. The primary impact stemmed from the ability to execute arbitrary code and establish persistence on high-value MDM systems.
### Detection & Response
- Detection: CISA published an analysis based on forensic artifacts obtained from an attacked organization. Threat intelligence from EclecticIQ independently reported on the exploitation starting May 15.
- Response actions taken: Ivanti issued fixes on May 13. CISA released technical guidance detailing the malware and IOCs.
## Attack Methodology
- Initial Access: Chaining of CVE-2025-4427 (Auth Bypass) and CVE-2025-4428 (Code Injection) via crafted HTTP GET requests against the EPMM API endpoint.
- Persistence: Established via malicious listeners (`SecurityHandlerWanListener.class` or `WebAndroidAppInstaller.class`) deployed post-exploitation to inject and execute code.
- Privilege Escalation: Not explicitly detailed, but successfully achieving code execution on the EPMM server implies high-level privileges were attained or bypassed.
- Defense Evasion: Attack components were delivered in segmented, Base64-encoded chunks via HTTP requests, likely to evade simple signature-based web application firewalls.
- Credential Access: Ability to fetch and extract Lightweight Directory Access Protocol (LDAP) credentials was observed.
- Discovery: Attackers ran reconnaissance to collect system information, list the root directory, and map the network.
- Lateral Movement: Network mapping was performed, though specific lateral movement techniques beyond the initial breach point are not detailed.
- Collection: LDAP credentials were targeted for extraction.
- Exfiltration: Malicious listeners were capable of exfiltrating data.
- Impact: Remote code execution and session persistence on EPMM servers.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: LDAP credentials were targeted; potential exposure of enterprise mobile device management data.
- Operational: Compromise of MDM systems, which are considered High-Value Assets (HVAs).
- Reputational: Minor, since exploitation began before a patch was available, but the incident underscores the exposure created by vulnerable third-party enterprise software.
## Indicators of Compromise
*Note: As this is an analysis of threat actor tools, specific IOCs are not provided in full detail (e.g., actual URLs/files) but are categorized:*
- Network indicators: Malicious HTTP GET requests targeting `/mifs/rs/api/v2/` with the `?format=` parameter.
- File indicators: Two sets of uploaded files including Java components such as `web-install.jar`, `ReflectUtil.class`, and `SecurityHandlerWanListener.class`.
- Behavioral indicators: Attempts to decode and run segmented, Base64-encoded payloads delivered over HTTP.
## Response Actions
- Containment: Organizations finding the malware were advised to immediately isolate the affected hosts.
- Eradication steps: Implicitly, this involves removing the deployed Java files and reversing any configurations made by the threat actor.
- Recovery actions: Collecting and reviewing artifacts, and creating forensic disk images for submission to CISA.
## Lessons Learned
- Zero-day vulnerabilities in critical management software (like MDM solutions) pose an immediate, high-impact risk.
- Threat actors are capable of developing sophisticated, segmented delivery mechanisms for fileless/in-memory malware.
- Repurposing system components (as noted by EclecticIQ regarding the suspected China-nexus group) can be a highly effective infiltration technique.
## Recommendations
- Immediately patch all Ivanti EPMM servers to the versions released on or after May 13, 2025.
- Treat all Mobile Device Management (MDM) systems as High-Value Assets (HVAs) requiring increased security restrictions, elevated monitoring, and segmentation away from general network access.
- Implement enhanced logging and alerting on web application endpoints susceptible to command injection.
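As an added example of the logging and alerting recommended above (not part of CISA's analysis or the original report), the Python below scans access-log lines for GET requests to the `/mifs/rs/api/v2/` endpoint whose `format` parameter carries a Base64-shaped blob instead of a plain format name, then groups hits by source to surface the segmented-delivery pattern the report describes. The combined log format, the `example` sub-resource and the encoded values are constructed placeholders, not real traffic or payloads.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined access-log format; not real traffic. The
# sub-resource "example" and the Base64 values are placeholders, not real payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/example?format=json HTTP/1.1" 200 512
203.0.113.7 - - [15/May/2025:10:01:09 +0000] "GET /mifs/rs/api/v2/example?format=Q09OU1RSVUNURUQtU0FNUExFLUNIVU5LLTE= HTTP/1.1" 200 88
203.0.113.7 - - [15/May/2025:10:01:10 +0000] "GET /mifs/rs/api/v2/example?format=Q09OU1RSVUNURUQtU0FNUExFLUNIVU5LLTI= HTTP/1.1" 200 88
10.0.0.9 - - [15/May/2025:10:02:00 +0000] "GET /mifs/login.html HTTP/1.1" 200 1024
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)$')
API_PREFIX = "/mifs/rs/api/v2/"                 # endpoint named in the CISA analysis
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # a plain format name like "json" never matches


def looks_base64(value: str) -> bool:
    """True only if the value is Base64-shaped and actually decodes."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def flag_requests(log_text: str) -> list[dict]:
    """One record per GET to the EPMM API whose ?format= value is an encoded blob rather than a format name."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.startswith(API_PREFIX):
            continue
        for value in parse_qs(url.query).get("format", []):
            if looks_base64(value):
                hits.append({"src": m["src"], "ts": m["ts"], "path": url.path, "format": value})
    return hits


def segmented_sources(hits: list[dict], min_chunks: int = 2) -> dict[str, int]:
    """Sources behind several flagged requests: the shape of a payload delivered in segments."""
    counts = Counter(h["src"] for h in hits)
    return {src: n for src, n in counts.items() if n >= min_chunks}
```

Run against the constructed sample, the two Base64-bearing requests from 203.0.113.7 are flagged and that source is reported as a segmented-delivery candidate, while the ordinary `format=json` call is not.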