
Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427, CVE-2025-4428) Leads to Malware Deployment

4 unique sources, 8 articles

Summary


Two malware strains were discovered in an organization's network after attackers exploited two zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities, CVE-2025-4427 and CVE-2025-4428, allow authentication bypass and remote code execution, respectively; attackers used them to gain access to the EPMM server, execute arbitrary code, and maintain persistence. The attack began around May 15, 2025, following the publication of a proof-of-concept exploit, and a China-nexus espionage group had been leveraging the vulnerabilities since at least that date. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0 and their earlier releases. The threat actor targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests, using the ?format= parameter to send malicious remote commands, and delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. The malware sets consist of distinct loaders that share the same name and enable arbitrary code execution and data exfiltration, and malicious listeners that allow injecting and running arbitrary code on the compromised system. Organizations are advised to update their EPMM instances, monitor for suspicious activity, and implement access restrictions to prevent unauthorized access to mobile device management systems.
Ivanti has since disclosed two additional critical vulnerabilities, CVE-2026-1281 and CVE-2026-1340, code-injection flaws exploited in zero-day attacks that allow unauthenticated remote attackers to execute arbitrary code on vulnerable devices. Ivanti has released RPM scripts to mitigate them and advises applying the scripts as soon as possible; the vulnerabilities will be permanently fixed in EPMM version 12.8.0.0, scheduled for release later in Q1 2026. CISA has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. The vulnerabilities affect EPMM versions 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (fixed in RPM 12.x.0.x), and EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (fixed in RPM 12.x.1.x). The RPM patch does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities lie in the In-House Application Distribution and Android File Transfer Configuration features and do not affect other products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry. Successful exploitation enables arbitrary code execution on the appliance and allows lateral movement into the connected environment; EPMM also holds sensitive information about the devices it manages. Legitimate use of the affected features produces 200 HTTP response codes in the Apache access log, whereas successful or attempted exploitation produces 404 response codes. Customers are advised to review EPMM administrators for new or recently changed accounts, authentication configuration, new push applications for mobile devices, configuration changes to applications, new or recently modified policies, and network configuration changes. In the event of compromise, users are advised to restore the EPMM device from a known good backup or build a replacement EPMM and migrate data to it. After restoring, they should reset the password of any local EPMM accounts, reset the password for the LDAP and/or KDC service accounts, revoke and replace the public certificate used for EPMM, and reset the password for any other internal or external service accounts configured with the EPMM solution.
Ivanti released the patches for the two critical (CVSS 9.8) zero-day bugs on January 29, 2026, noting that a very limited number of customers had been exploited at the time of disclosure. The Dutch justice and security secretary confirmed that the Council for the Judiciary (Rvdr) and the Dutch Data Protection Authority (AP) were breached through the Ivanti EPMM vulnerabilities; work-related data of AP employees, including names, business email addresses, and telephone numbers, was accessed by unauthorized persons. The European Commission discovered signs of a breach of its central mobile device management infrastructure on January 30, 2026, which may have resulted in access to the names and mobile numbers of some of its staff. Finland's state information and communications technology provider, Valtori, discovered a breach of its mobile device management service on the same day, exposing work-related details of up to 50,000 government employees; the attacker gained access to information used in operating the service, including names, work email addresses, phone numbers, and device details. Investigations showed that the management system did not permanently delete removed data but only marked it as deleted, potentially compromising device and user data belonging to all organizations that have used the service during its lifecycle.
A large share of the exploitation attempts against the newly disclosed EPMM flaw can be traced to a single IP address on bulletproof hosting infrastructure offered by PROSPERO. GreyNoise recorded 417 exploitation sessions from 8 unique source IP addresses between February 1 and 9, 2026, with 83% originating from 193.24.123[.]42. The same IP address exploited three other CVEs across unrelated software, indicating the use of automated tooling, and 85% of the sessions beaconed home via DNS to confirm target exploitability without deploying malware or exfiltrating data. PROSPERO is linked to another autonomous system, Proton66, which has a history of distributing desktop and Android malware. Separately, Defused Cyber reported a "sleeper shell" campaign that deployed a dormant in-memory Java class loader to compromised EPMM instances, tradecraft indicative of an initial access broker. Organizations are advised to apply the patches, audit internet-facing MDM infrastructure, review DNS logs for OAST-pattern callbacks, monitor for requests to the /mifs/403.jsp path on EPMM instances, and block PROSPERO's autonomous system (AS200593) at the network perimeter.
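As an added illustration (not code from this page, nor from Ivanti, CISA, GreyNoise or Defused Cyber), the following Python script applies the indicators reported above to Apache access-log lines: GET requests to /mifs/rs/api/v2/ carrying a ?format= parameter, long Base64-shaped format= values repeated from one source (the segmented delivery described for the 2025 campaign), requests for /mifs/403.jsp, the 2026 advisory's "exploitation attempts return 404" heuristic, and the published source IP. The log lines are constructed; the path segments after the indicator prefixes are placeholders rather than real EPMM endpoints; and applying the 404 heuristic to every /mifs/ path, rather than only to the two affected feature endpoints (which the page does not name), is an assumption that trades precision for coverage.

```python
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# Apache "combined" access-log layout: client, identd, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators taken from the reporting above.
API_V2_PREFIX = "/mifs/rs/api/v2/"      # 2025 campaign: GET with a ?format= parameter
SLEEPER_SHELL_PATH = "/mifs/403.jsp"     # 2026 sleeper-shell campaign: path to monitor
MIFS_PREFIX = "/mifs/"                   # 2026 advisory: exploitation attempts produce 404s
KNOWN_BAD_SOURCES = {"193.24.123.42"}    # GreyNoise: source of 83% of sessions (refanged)

B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")  # long, Base64-shaped values only


@dataclass(frozen=True)
class Finding:
    src: str
    reason: str
    target: str
    status: int


def looks_base64(value: str) -> bool:
    """True for a long value that is well-formed Base64 (decodes under strict validation)."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def parse_query(query: str) -> dict:
    """Raw split of the query string; urllib.parse.parse_qs would turn '+' (a Base64 character) into a space."""
    out = defaultdict(list)
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out[key].append(value)
    return out


def classify(line: str) -> list:
    """Apply every indicator to one access-log line; an empty list means nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    src, method, target, status = m["src"], m["method"], m["target"], int(m["status"])
    path, _, raw_query = target.partition("?")
    query = parse_query(raw_query)
    reasons = []
    if src in KNOWN_BAD_SOURCES:
        reasons.append("source IP is a published exploitation IoC")
    if method == "GET" and path.startswith(API_V2_PREFIX) and "format" in query:
        reasons.append("GET /mifs/rs/api/v2/ with format= parameter")
        if any(looks_base64(v) for v in query["format"]):
            reasons.append("format= carries a Base64-shaped value (possible chunked delivery)")
    if path == SLEEPER_SHELL_PATH:
        reasons.append("request for /mifs/403.jsp")
    if path.startswith(MIFS_PREFIX) and status == 404:
        reasons.append("404 on a /mifs/ path (advisory: exploitation attempts return 404)")
    return [Finding(src, r, target, status) for r in reasons]


def scan(lines) -> dict:
    """Group findings by source IP."""
    by_src = defaultdict(list)
    for line in lines:
        for finding in classify(line):
            by_src[finding.src].append(finding)
    return dict(by_src)


def chunked_delivery_sources(by_src: dict, min_chunks: int = 2) -> set:
    """Sources that sent at least `min_chunks` Base64-shaped format= GETs, i.e. the
    segmented, Base64-encoded delivery pattern described for the 2025 campaign."""
    return {
        src for src, findings in by_src.items()
        if sum(1 for f in findings if f.reason.startswith("format= carries")) >= min_chunks
    }


# Constructed sample log. "example-page" and "example" are placeholders, not real EPMM paths;
# CHUNK is 24 'A' bytes in Base64 and stands in for one payload chunk.
CHUNK = "QUFB" * 8
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2026:10:00:01 +0000] "GET /mifs/example-page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [10/Feb/2026:10:00:02 +0000] "GET /mifs/rs/api/v2/example?format={CHUNK} HTTP/1.1" 404 219 "-" "curl/8.0"',
    f'203.0.113.9 - - [10/Feb/2026:10:00:03 +0000] "GET /mifs/rs/api/v2/example?format={CHUNK} HTTP/1.1" 404 219 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Feb/2026:10:00:09 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0 "-" "curl/8.0"',
    '193.24.123.42 - - [10/Feb/2026:10:01:00 +0000] "GET /mifs/example-page HTTP/1.1" 404 219 "-" "python-requests/2.31"',
    '10.0.0.6 - - [10/Feb/2026:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for src, findings in results.items():
        for f in findings:
            print(f"{src}\t{f.status}\t{f.reason}\t{f.target}")
    print("chunked delivery from:", sorted(chunked_delivery_sources(results)))
```

The 404 rule on its own is noisy (any mistyped /mifs/ URL trips it), so the per-source grouping matters: a host that combines a 404 on /mifs/ with repeated Base64-shaped format= GETs or a /mifs/403.jsp request is the one worth pulling for review. The query string is split by hand because parse_qs decodes '+' to a space and would corrupt a Base64 value before the shape check runs.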

Timeline

  1. 12.02.2026 09:32 (2 articles)

    83% of Ivanti EPMM Exploits Linked to Single IP on Bulletproof Hosting

    83% of Ivanti EPMM exploitation attempts originated from a single IP address (193.24.123[.]42) on bulletproof hosting infrastructure offered by PROSPERO. The IP address linked to the exploitation attempts was still active as of February 12, 2026.

  2. 30.01.2026 00:07 (6 articles)

    New Ivanti EPMM Vulnerabilities Exploited in Zero-Day Attacks

    Ivanti released patches for two critical (CVSS 9.8) zero-day bugs in EPMM, CVE-2026-1281 and CVE-2026-1340, on January 29, 2026. The European Commission's central infrastructure managing mobile devices was breached on January 30, 2026, resulting in the compromise of staff names and mobile numbers. Valtori, the public managed services provider for Finland's government, was breached on January 30, 2026, affecting around 50,000 individuals associated with the central government. The Dutch Data Protection Authority (AP) and the Council for the Judiciary confirmed breaches on February 6, 2026, naming Ivanti EPMM as the culprit. Shadowserver tracked a voluminous wave of attempted attacks concentrated around February 9, 2026, with 83% of exploitation attempts traced to a single IP address on bulletproof hosting infrastructure offered by PROSPERO.

  3. 19.09.2025 07:10 (3 articles)

    Malware Deployment Following Exploitation of Ivanti EPMM Vulnerabilities

    CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect attacks exploiting these vulnerabilities.


Similar Happenings

European Commission Investigates Breach in Mobile Device Management Platform

The European Commission is investigating a breach in its mobile device management platform, which may have exposed staff personal information. The attack was detected on January 30, 2026, and contained within 9 hours. The breach is linked to vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software, similar to recent attacks on Dutch institutions. The compromised data includes names, phone numbers, and business email addresses of staff members. The Commission's response included cleaning the system, but no compromise of mobile devices was detected. The incident follows the Commission's proposal of new cybersecurity legislation to strengthen defenses against state-backed and cybercrime groups.

China-Linked APTs Deploy PeckBirdy JScript C2 Framework Since 2023

China-aligned APT actors have been using the PeckBirdy JScript-based command-and-control (C2) framework since 2023 to target Chinese gambling industries, Asian government entities, and private organizations. The framework leverages living-off-the-land binaries (LOLBins) for execution across various environments. Two campaigns, SHADOW-VOID-044 and SHADOW-EARTH-045, have been identified, each employing different tactics, including credential harvesting and malware delivery. The framework's flexibility allows it to operate across web browsers, MSHTA, WScript, Classic ASP, Node JS, and .NET, using multiple communication methods like WebSocket and Adobe Flash ActiveX objects. Additional scripts for exploitation, social engineering, and backdoor delivery have been observed, along with links to known backdoors like HOLODONUT and MKDOOR. HOLODONUT disables security features such as AMSI before executing payloads in memory, while MKDOOR disguises its network traffic as legitimate Microsoft support or activation pages and attempts to evade Microsoft Defender by altering exclusion settings. Infrastructure overlaps and shared tooling suggest SHADOW-VOID-044 is linked with UNC3569, a China-aligned group previously associated with the GRAYRABBIT backdoor. Some samples used stolen code-signing certificates to legitimize malicious Cobalt Strike payloads, and SHADOW-EARTH-045 showed weaker but notable ties to activity previously attributed to Earth Baxia. The Shadow-Void-044 campaign used stolen code-signing certificates, Cobalt Strike payloads, and exploits, including CVE-2020-16040, to maintain persistent access. The Shadow-Earth-045 campaign targeted a Philippine educational institution in July 2024, using the GrayRabbit backdoor and the HoloDonut backdoor. The threat actor behind the Shadow-Earth campaign developed a .NET executable to launch PeckBirdy with ScriptControl.

CVE-2024-37079 in VMware vCenter Exploited in the Wild

CVE-2024-37079, a critical heap overflow flaw in VMware vCenter Server, is being actively exploited in the wild. The vulnerability, patched in June 2024, allows remote code execution via a specially crafted network packet. Broadcom confirmed the active exploitation and advised customers to apply security patches immediately. CISA added the flaw to its KEV catalog, mandating FCEB agencies to secure their systems by February 13, 2026, under BOD 22-01. There are no known workarounds or mitigations, emphasizing the urgency of applying the latest patches.

PDFSIDER Malware Facilitates Long-Term, Covert System Access

Researchers have identified a new malware strain, PDFSIDER, designed for long-term, covert access to compromised systems. Delivered via DLL side-loading, it installs an encrypted backdoor and evades endpoint detection mechanisms. The malware exhibits advanced capabilities, including stealthy execution, secure communications, and anti-analysis checks, aligning it with APT operations. The infection chain begins with spear-phishing emails containing a ZIP archive with a legitimate, digitally signed executable that impersonates PDF creation software. Once active, PDFSIDER initializes networking components, gathers host details, and establishes an encrypted command-and-control (C2) channel using AES-256-GCM encryption. The malware includes anti-VM checks to detect analysis environments and exits early if thresholds are not met. It also employs DNS traffic on port 53 for data exfiltration to a leased VPS infrastructure. Resecurity assessed PDFSIDER as a targeted tradecraft rather than a mass-delivered threat, with most artifacts evading popular AV and EDR products. PDFSIDER has been deployed in Qilin ransomware attacks and is actively used by multiple ransomware actors. The malware loads into memory, leaving minimal disk artifacts, and uses anonymous pipes to launch commands via CMD. Infected hosts are assigned a unique identifier, and system information is exfiltrated to the attacker’s VPS server over DNS (port 53). The malware uses the Botan 3.0.0 cryptographic library and AES-256-GCM for encryption, decrypting incoming data in memory to minimize its footprint on the host.

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.