CISA flags some more serious Ivanti software flaws, so patch now


  • CISA warns attackers chained CVE-2025-4427 and CVE-2025-4428 to breach Ivanti EPMM systems
  • Malware was delivered via EL injection and reconstructed from Base64-encoded payloads
  • CISA did not confirm attribution; reports suggest possible Chinese targeting of Australian entity

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations about two patched Ivanti flaws being chained together in real-life attacks.

In a new security advisory, CISA said it had been alerted to attackers chaining CVE-2025-4427 and CVE-2025-4428, both affecting Ivanti's Endpoint Manager Mobile (EPMM) solutions, to obtain initial access.

The former is an authentication bypass in the API component of EPMM 12.5.0.0 and prior, which allows attackers to access protected resources without proper credentials via the API. It was given a severity score of 7.5/10 (high) and was patched in May 2025. The latter, on the other hand, is a Remote Code Execution (RCE) bug in EPMM’s API component, allowing unauthenticated attackers to run arbitrary code via crafted API requests. It was given a severity score of 8.8/10 (high) and was fixed at approximately the same time.

Dropping malware

CISA said that the attackers used these two flaws in a chain to drop two sets of malware.

The first one includes components that inject a malicious listener into Apache Tomcat, allowing them to intercept specific HTTP requests and execute arbitrary Java code. The second malware set operates similarly, but uses a different class to process encoded password parameters in HTTP requests.

Both sets were delivered using Java Expression Language (EL) injection via HTTP GET requests, the researchers explained. The payloads were Base64-encoded, written to temporary directories in parts, and later reconstructed. Splitting the payload this way helped the attackers evade detection by traditional security tools.
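A defender-side illustration, added here and not part of CISA's advisory or any Ivanti tooling: a small Python scan over constructed Tomcat-style access log lines that flags GET requests whose query parameters carry EL expression openers or long Base64 chunks, the two traits the advisory describes. The endpoint path, IP addresses, timestamps and chunk contents are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Hypothetical detector written for this article; not CISA's or Ivanti's code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
EL_RE = re.compile(r"[$#]\{")                        # Java EL expression openers
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # long Base64-looking value

# Constructed sample data: a benign request, an EL marker, and one Base64 chunk.
B64_CHUNK = base64.b64encode(b"constructed sample chunk 1 of 3, not a real payload").decode()
SAMPLE_LOG = f"""\
198.51.100.7 - - [01/Jan/2025:10:01:02 +0000] "GET /api/example?format=json HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2025:10:01:03 +0000] "GET /api/example?format=%24%7BCONSTRUCTED_EL_MARKER%7D HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2025:10:01:04 +0000] "GET /api/example?part=1&data={quote(B64_CHUNK, safe='')} HTTP/1.1" 200 512
"""


def parse_access_log(text):
    """Parse combined-style access log lines into dicts; skip lines that do not match."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def request_indicators(entry):
    """Return the reasons a single GET request matches the traits described above."""
    reasons = []
    if entry["method"] != "GET":
        return reasons
    for name, value in parse_qsl(urlsplit(entry["target"]).query, keep_blank_values=True):
        decoded = unquote(value)  # parse_qsl decoded once; catch a double-encoded opener too
        if EL_RE.search(decoded):
            reasons.append(f"el-expression in parameter '{name}'")
        if B64_RE.match(value):
            try:
                base64.b64decode(value, validate=True)
                reasons.append(f"base64 chunk in parameter '{name}'")
            except ValueError:
                pass  # looked like Base64 but did not decode cleanly
    return reasons


def scan_access_log(text):
    """Map each source IP to every indicator reason seen across its requests."""
    hits = {}
    for entry in parse_access_log(text):
        reasons = request_indicators(entry)
        if reasons:
            hits.setdefault(entry["ip"], []).extend(reasons)
    return hits
```

Grouping by source IP matters because the advisory describes the payload arriving in parts, so a single Base64 chunk is weak evidence on its own while several from one client plus an EL marker is a much stronger signal.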

CISA did not discuss attribution, so officially it is not known who the threat actors or the victims were in this attack. The Register, however, cited earlier reports that this might have been the work of a Chinese state-sponsored attacker going after an organization in Australia.

Via The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
