CISA has revealed that attackers deployed Ivanti EPMM malware kits exploiting recently patched vulnerabilities. The flaws, CVE-2025-4427 and CVE-2025-4428, allow authentication bypass and code injection. Threat actors have leveraged them since May, exploiting systems whose APIs remained vulnerable.
What the vulnerabilities are
The two vulnerabilities affect Ivanti Endpoint Manager Mobile (EPMM) in versions 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. CVE-2025-4427 allows attackers to bypass authentication in EPMM’s API component. Meanwhile, CVE-2025-4428 enables them to inject and execute arbitrary code. Although Ivanti released patches in May, some customers remained unprotected and exposed.
How attackers used malware kits
Threat actors sent malicious requests to the /mifs/rs/api/v2/ endpoint via HTTP GET requests, using the format= parameter to deliver remote commands. Attackers split malicious components into Base64-encoded chunks. These malware kits include loaders such as web-install.jar and listener classes (e.g. SecurityHandlerWanListener, ReflectUtil.class) that manage persistence and data exfiltration. CISA analyzed two distinct sets of malware; both function similarly.
Threat actors and timeline
A China-linked espionage group likely started exploiting these vulnerabilities around mid-May 2025. Researchers found the group has good knowledge of Ivanti EPMM internals. They repurposed legitimate system features to gather credentials, map networks, and pull sensitive files. Although CISA does not confirm attribution in detail, technical evidence points in this direction.
Risk to organizations
Many organizations use EPMM solutions for mobile device and endpoint management. An exposed API endpoint with these vulnerabilities puts them at risk of remote takeover. Attackers could use malware kits to exfiltrate data, establish persistence, or move laterally within networks. Unpatched systems or those with exposed interfaces face particular danger.
What defenders should do
Admins should act immediately:
- Patch affected Ivanti EPMM versions (11.12.0.4, 12.3.0.1, 12.4.0.1, 12.5.0.0).
- Restrict public access to EPMM APIs and treat them as high-value assets.
- Scan for malware artifacts and loaders like web-install.jar.
- Collect forensic evidence: log files, process artifacts, and disk images.
- Monitor for suspicious API calls, especially on endpoints exposed via HTTP GET with a format= parameter.
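The monitoring step above, and the request pattern described under "How attackers used malware kits", can be turned into a simple log-hunting script. The following is an added example, not code from CISA or Ivanti: it parses constructed access-log lines in combined-log format and flags GET requests under /mifs/rs/api/v2/ whose format= value is either a long Base64-looking chunk or anything outside an assumed allowlist of benign values. The allowlist, the sample IP addresses and the sample parameter values are all placeholders to be replaced with your own baseline.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a combined-format access log entry (assumed log layout).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# API prefix named in CISA's description of the attack traffic.
API_PREFIX = "/mifs/rs/api/v2/"
# Assumed allowlist of benign format= values; derive it from your own baseline.
BENIGN_FORMAT = {"json", "xml"}
# A run of 16 or more Base64 characters with optional padding.
BASE64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')

# Constructed sample log; the Base64 chunk is just "ABC...Z" encoded, not a payload.
SAMPLE_LOG = """\
10.0.0.5 - - [20/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/featureusage?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2025:10:02:17 +0000] "GET /mifs/rs/api/v2/featureusage?format=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo= HTTP/1.1" 200 128 "-" "python-requests/2.31"
10.0.0.7 - - [20/May/2025:10:03:44 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [20/May/2025:10:04:01 +0000] "GET /mifs/rs/api/v2/featureusage?format=abc123 HTTP/1.1" 200 128 "-" "python-requests/2.31"
"""


def classify(line):
    """Return the reasons a log line looks suspicious, or [] if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return []  # not a request line we understand; skip rather than guess
    target = m.group("target")
    parts = urlsplit(target)
    path = unquote(parts.path)
    reasons = []
    if path.startswith(API_PREFIX):
        # parse_qs percent-decodes values and keeps '=' padding inside a value.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("format", []):
            if value in BENIGN_FORMAT:
                continue
            if BASE64_RE.match(value):
                reasons.append("base64-looking format= value")
            else:
                reasons.append("unexpected format= value")
    return reasons


def scan(log_text):
    """Return (line_number, source_ip, reasons) for every suspicious line."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = classify(line)
        if reasons:
            src = LOG_RE.match(line).group("src")
            hits.append((n, src, reasons))
    return hits


if __name__ == "__main__":
    for n, src, reasons in scan(SAMPLE_LOG):
        print(f"line {n} from {src}: {', '.join(reasons)}")
```

Run it against an exported EPMM web access log instead of SAMPLE_LOG to get a first list of sources to triage; the allowlist approach deliberately errs toward false positives, since a legitimate format= value is short and predictable while the traffic CISA describes carries encoded chunks in that parameter.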
Conclusion
Ivanti EPMM malware kits pose serious hazards, especially for organizations that left vulnerable endpoints accessible. With CVE-2025-4427 and CVE-2025-4428 already exploited in the wild, defenders must patch immediately, clamp down on exposed APIs, and hunt for signs of compromise. Delaying action could lead to data exfiltration, regulatory liability, or system takeovers.