On September 18, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released an analysis of two newly discovered malware sets targeting Ivanti Endpoint Manager Mobile (EPMM). Cyber threat actors exploited the CVE-2025-4427 and CVE-2025-4428 vulnerabilities to deploy loaders and malicious listeners capable of running arbitrary code on compromised servers. Organizations are advised to patch vulnerable systems as soon as possible to mitigate the risk of compromise.
In this blog, we explain how adversaries weaponized the Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 vulnerabilities and how organizations can defend against these attacks.
Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform
Ivanti Endpoint Manager Mobile (EPMM) is an on-premises mobile device management (MDM) platform. It helps organizations secure and control employee devices, enforce policies, and manage app access. Because it sits at the center of device administration with broad privileges, EPMM is a high-value target for attackers. In May 2025, Ivanti released an advisory on two vulnerabilities affecting their EPMM product: CVE-2025-4427 and CVE-2025-4428.
CVE-2025-4427 is an authentication bypass vulnerability. The vulnerability allows unauthenticated users to send crafted requests to specific API endpoints and trick the system into treating them as if they were legitimate, logged-in clients. CVE-2025-4427 has a CVSS score of 7.5 (High).
CVE-2025-4428 is a code injection vulnerability that allows untrusted input to be passed directly into an execution context. In this case, attackers were able to exploit the way Ivanti's API processed parameters, injecting malicious Java Expression Language (EL) code into requests sent to the /mifs/rs/api/v2/ endpoint. CVE-2025-4428 has a CVSS score of 8.8 (High).
In observed attacks, CVE-2025-4427 served as the initial access point. Once authentication was bypassed, adversaries chained the flaw with CVE-2025-4428 (Code Injection) to run arbitrary code on the compromised server. This combination is particularly dangerous because it turns a system designed to be a locked-down administrative hub into an open gateway for adversaries. Its impact often reaches far beyond a single server. Since EPMM centrally manages thousands of mobile devices in enterprise environments, a successful compromise could give attackers the ability to harvest credentials, distribute malicious applications, and move laterally into broader corporate networks.
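The request pattern behind this chain can be hunted for in web server logs. The following is an added detection example, not code from the original post or from CISA: it parses Tomcat-style access log lines and flags requests to the /mifs/rs/api/v2/ endpoint whose path or query contains Java EL syntax (`${` or `#{`), whether raw, URL-encoded, or double-encoded. The log lines, the `example` path segment and the `x` parameter name are constructed placeholders; only the endpoint prefix comes from the analysis above.

```python
import re
from urllib.parse import unquote

# Endpoint named in the CISA analysis; EL syntax in a request here is never expected.
API_PREFIX = "/mifs/rs/api/v2/"
# Java EL immediate (${) and deferred (#{) evaluation markers.
EL_MARKERS = ("${", "#{")

# Tomcat/Apache common log format: client, identd, user, [time], "request", status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real EPMM logs). The path segment "example" and the
# parameter "x" are placeholders; only the /mifs/rs/api/v2/ prefix comes from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/example?x=1 HTTP/1.1" 200 512
10.0.0.9 - - [19/Sep/2025:10:01:05 +0000] "GET /mifs/rs/api/v2/example?x=%24%7Bplaceholder%7D HTTP/1.1" 200 734
10.0.0.9 - - [19/Sep/2025:10:01:07 +0000] "GET /mifs/rs/api/v2/example?x=${placeholder} HTTP/1.1" 500 120
10.0.0.7 - - [19/Sep/2025:10:02:00 +0000] "GET /mifs/login.jsp?x=%24%7Bplaceholder%7D HTTP/1.1" 200 300
not a log line
"""


def contains_el(text, rounds=2):
    """True if text holds an EL marker in raw form or after up to `rounds` URL-decodes."""
    candidate = text
    for _ in range(rounds + 1):
        if any(marker in candidate for marker in EL_MARKERS):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:      # nothing left to decode
            break
        candidate = decoded
    return False


def parse_line(line):
    """Split one access log line into its fields; None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "query": query, "status": int(m.group("status"))}


def scan_access_log(text):
    """Return the records that hit the API v2 prefix with EL syntax in path or query."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIX):
            continue
        if contains_el(rec["query"]) or contains_el(rec["path"]):
            rec["reason"] = "EL expression syntax in request to EPMM API v2"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["method"], hit["path"], hit["status"], "-", hit["reason"])
```

A successful injection may still return 200, so the status code is reported but not used as a filter; the decisive signal is EL syntax reaching an endpoint that only authenticated API clients should call. Tomcat access logging must be enabled on the appliance for this to have anything to read.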
CISA's latest analysis revealed that threat actors deployed two separate malware sets on compromised Ivanti EPMM servers. Both followed the same design principle: a loader installs a malicious listener within the application environment. Once active, these listeners function as covert backdoors, intercepting normal HTTP request processing to inject and execute attacker-controlled code.
The first malware set identified by CISA began with Loader 1, a Java Archive (JAR) file named web-install.jar. This file was dropped into the /tmp directory of the compromised server and served as the initial entry point for the malicious chain. To avoid suspicion, it masqueraded as part of the legitimate org.apache.http package, making it appear consistent with normal Apache Tomcat classes. By blending in with trusted components of the application, it reduced the likelihood of detection during routine inspections.
At the heart of this set was ReflectUtil.class, which acted as the controller. Its purpose was to inject the malicious listener into Tomcat at runtime. To achieve this, ReflectUtil bypassed Java Development Kit (JDK) module restrictions and used reflective programming techniques to manipulate Java objects directly. If the targeted listener was not already present, ReflectUtil could reconstruct it on the fly. It accomplished this by decoding a Base64-encoded string, decompressing it, and then loading the resulting bytecode directly into memory. This approach gave the malware both persistence and fault tolerance, ensuring the listener could be reintroduced even if an administrator attempted to remove it.
The final component, SecurityHandlerWanListener.class, served as the malicious listener itself. Once injected into Tomcat's request-handling pipeline, it carefully monitored incoming HTTP traffic. To avoid detection, it only activated when specific request conditions were met, including a unique pass string and a particular Referer header. When triggered, the listener would extract attacker-supplied payloads from the HTTP request body, decode them from Base64, and decrypt them using an AES cipher with a key known only to the adversaries. The decrypted data was then used to dynamically create a new Java class, which could be executed immediately within the server's memory.
The end result was that attackers gained the ability to execute arbitrary code inside Tomcat without leaving behind obvious files or artifacts on disk. This in-memory execution model gave them a high degree of stealth and persistence, enabling long-term control over the compromised server while evading traditional file-based detection methods.
The second malware set analyzed by CISA followed a similar design but with its own distinct components. At its core was Loader 2, another web-install.jar file. Unlike the larger Loader 1, this JAR was more compact but equally dangerous. It was disguised to appear as though it belonged to the com.mobileiron.service package, a namespace normally associated with Ivanti's legitimate codebase. By masquerading as a trusted component, Loader 2 was able to slip into the Tomcat environment without raising immediate suspicion. Its role was to bootstrap the more advanced functionality of the malicious listener that followed.
Once deployed, Loader 2 executed WebAndroidAppInstaller.class, the centerpiece of this malware set. This class operated as a malicious listener, integrating itself into Tomcat's servlet context to intercept and process incoming HTTP requests. Unlike Malware Set 1, which relied on very specific header values, this listener looked for requests with a content type of application/x-www-form-urlencoded. When such a request was detected, it extracted a parameter labeled password from the request body.
The malicious design of this component lay in how it handled that password value. The parameter was first Base64-decoded and then decrypted using a hard-coded AES key (3c6e0b8a9c15224a) embedded directly in the class. The decrypted data defined a new Java class, which the malware immediately loaded and executed within the server's memory. To add an extra layer of obfuscation, the newly generated class output was re-encrypted using the same AES key and Base64-encoded before being sent back to the attacker in the HTTP response.
To further conceal its activity, the listener performed an integrity check on each interaction. It generated an MD5 hash based on the password parameter and the hard-coded key, and then used fragments of this hash to structure its response. This gave attackers confidence that they were communicating with their implant securely, while also complicating detection efforts for defenders monitoring traffic.
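Both malware sets leave the same kind of on-disk artifacts: a web-install.jar dropped outside the normal deployment paths, classes whose names match the report, and (for Loader 1) a Base64-encoded, compressed copy of the listener bytecode embedded in the controller class. The following host hunt is an added example, not code from the original post or from CISA. The JAR and class names come from the analysis above; the compression format of the embedded blob is not stated in the report, so gzip and zlib are both tried (assumption). The JAR files the script builds for its own demonstration are constructed stand-ins, not the real samples.

```python
import base64
import gzip
import os
import re
import tempfile
import zipfile
import zlib

# Artifact names taken from the CISA analysis summarized above.
SUSPECT_JAR_NAMES = {"web-install.jar"}
SUSPECT_CLASS_NAMES = {"ReflectUtil.class", "SecurityHandlerWanListener.class",
                       "WebAndroidAppInstaller.class"}
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# A long run of Base64 alphabet characters, as found in a class file's constant pool.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def embedded_class_blobs(data):
    """Count Base64 runs in data that decode and decompress to Java bytecode.
    Loader 1 stores its listener this way; gzip and zlib are both tried because
    the report does not name the compression format (assumption)."""
    found = 0
    for run in B64_RUN.findall(data):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        for decompress in (gzip.decompress, zlib.decompress):
            try:
                if decompress(raw).startswith(JAVA_CLASS_MAGIC):
                    found += 1
                    break
            except (OSError, EOFError, zlib.error):
                continue
    return found


def inspect_jar(jar_path):
    """Return findings for one JAR: report-named file, report-named classes,
    and classes carrying an embedded compressed class blob."""
    findings = []
    if os.path.basename(jar_path) in SUSPECT_JAR_NAMES:
        findings.append("jar name matches report: " + os.path.basename(jar_path))
    with zipfile.ZipFile(jar_path) as zf:
        for entry in zf.namelist():
            if entry.rsplit("/", 1)[-1] in SUSPECT_CLASS_NAMES:
                findings.append("class name matches report: " + entry)
            if entry.endswith(".class"):
                blobs = embedded_class_blobs(zf.read(entry))
                if blobs:
                    findings.append(f"{entry} embeds {blobs} compressed class blob(s)")
    return findings


def hunt(roots):
    """Walk directories (on EPMM: /tmp and the Tomcat lib/webapps trees) and
    return {jar_path: findings} for every JAR with at least one finding."""
    results = {}
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                if not fn.endswith(".jar"):
                    continue
                path = os.path.join(dirpath, fn)
                try:
                    findings = inspect_jar(path)
                except zipfile.BadZipFile:
                    findings = ["file has .jar extension but is not a valid zip"]
                if findings:
                    results[path] = findings
    return results


def build_demo(root):
    """Write a constructed JAR that mimics the Loader 1 layout (not the real sample)
    plus a benign JAR, so the hunt can be exercised offline."""
    # Stand-in for the listener bytecode: class magic, version bytes, incompressible body.
    fake_listener = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + bytes(range(256))
    blob = base64.b64encode(gzip.compress(fake_listener))
    # Stand-in for ReflectUtil.class carrying that blob as a string constant.
    controller = JAVA_CLASS_MAGIC + b"\x00" * 16 + blob + b"\x00" * 16
    os.makedirs(os.path.join(root, "tmp"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "tmp", "web-install.jar"), "w") as zf:
        zf.writestr("org/apache/http/ReflectUtil.class", controller)
    with zipfile.ZipFile(os.path.join(root, "benign.jar"), "w") as zf:
        zf.writestr("com/example/App.class", JAVA_CLASS_MAGIC + b"\x00" * 32)


def run_demo():
    """Build the constructed samples in a temp dir and return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        build_demo(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): f
                for p, f in hunt([root]).items()}


if __name__ == "__main__":
    for path, findings in run_demo().items():
        print(path)
        for f in findings:
            print("  -", f)
```

The package paths used for masquerading (org.apache.http, com.mobileiron.service) are deliberately not a signal on their own, since genuine libraries live under them; the combination of a report-named file, a report-named class, or an embedded compressed class blob is what warrants escalation. Because the listener itself may exist only in memory, pair the disk hunt with a JVM class histogram of the running Tomcat process (`jcmd <pid> GC.class_histogram`) searched for the same class names.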
We also strongly suggest simulating the Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 vulnerabilities to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 vulnerability exploitation attacks:
Threat ID | Threat Name | Attack Module
--- | --- | ---
28919 | Ivanti EPM Web Attack Campaign | Web Application
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs has validated the following signatures for Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 vulnerabilities:
Security Control | Signature ID | Signature Name
--- | --- | ---
Check Point NGFW | asm_dynamic_prop_CVE_2025_4427 | Ivanti EPMM Remote Code Execution
F5 BIG-IP | 200204016 | Ivanti EPMM Expression Injection
ForcePoint NGFW | HTTP_CRL-Ivanti-Endpoint-Manager-Mobile-MobileIron-File-Service-isValid-Code-Injection-CVE-2025-4428 |
Fortigate IPS | 58055 | Ivanti.EPMM.RSAPIV2.Remote.Code.Execution
FortiWeb | 050170001 | Generic Attacks
Imperva SecureSphere | CVE-2025-4428: Ivanti EPMM Unauth RCE Chain v2 |
Imperva SecureSphere | CVE-2025-4428: Ivanti EPMM Unauth RCE Chain |
Palo Alto | 96267 | Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability
Trellix | 0x6309f700 | HTTP: Ivanti Endpoint Manager Mobile Authentication Bypass Vulnerability (CVE-2025-4427)
Trend Micro TippingPoint | 45925 | HTTP: Ivanti Endpoint Manager Mobile Remote Code Execution Vulnerability
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
[1] "Malicious Listener for Ivanti Endpoint Mobile Management Systems." Available: https://www.cisa.gov/news-events/analysis-reports/ar25-261a