Ivanti EPMM loader and listener malware activity
Malware Activity
Summary
A newly analyzed Ivanti Endpoint Manager Mobile (EPMM) malware set enabled arbitrary code execution and persistence on a compromised server, increasing the risk of follow-on access and data theft. The malware was tied to abuse of CVE-2025-4427 and CVE-2025-4428 as zero-days around May 15, 2025. It relied on loaders and malicious listeners such as web-install.jar, ReflectUtil.class, SecurityHandlerWanListener.class, and WebAndroidAppInstaller.class to intercept requests, decrypt payloads, and run code.
Related Happenings
ArcGIS SOE web shell and SoftEther VPN Bridge persistence analysis
Technical Analysis
First: 14.10.2025 15:28
Last: 14.10.2025 15:28
Sources: 1
About this happening:
**ArcGIS** server extensions were turned into a stealthy web shell, enabling long-lived internal access and persistence beyond the portal. The intrusion matters because the operat...
Ivanti Endpoint Manager Mobile (EPMM) zero-day authentication bypass and RCE flaws (multiple vulnerabilities)
Vulnerability
First: 19.09.2025 07:10
Last: 19.09.2025 07:10
Sources: 1
How related:
The vulnerabilities exploited in the attack were CVE-2025-4427 and CVE-2025-4428, both of which had been abused as zero-days before Ivanti addressed them in May 2025.
About this happening:
**CVE-2025-4427** and **CVE-2025-4428** in **Ivanti Endpoint Manager Mobile (EPMM)** were chained as **zero-days**, combining **authentication bypass** and **code injection** to e...
Timeline
- 19.09.2025 07:10 · 1 article
Ivanti EPMM exploitation and malware drop on May 15, 2025
Exploitation Observed: Threat actors chained CVE-2025-4427 and CVE-2025-4428 against an Ivanti Endpoint Manager Mobile (EPMM) server in an unnamed organization's network around May 15, 2025, then ran commands to collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump LDAP credentials. The compromise also dropped two malware sets into /tmp: web-install.jar (Loader 1) with ReflectUtil.class and SecurityHandlerWanListener.class, and web-install.jar (Loader 2) with WebAndroidAppInstaller.class.
- CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 — thehackernews.com — 19.09.2025 07:10
- 19.09.2025 07:10 · 2 articles
CISA discloses two malware sets in Ivanti EPMM compromise
Initial Disclosure: CISA disclosed two malware sets found in an unnamed organization's network after exploitation of Ivanti Endpoint Manager Mobile (EPMM), warning that CVE-2025-4427 and CVE-2025-4428 had been abused as zero-days and chained for remote code execution. The analysis described loaders and malicious listeners that inject code in Apache Tomcat, intercept specific HTTP requests, decrypt payloads, and execute new classes to enable arbitrary code execution and persistence on the compromised server.
- CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 — thehackernews.com — 19.09.2025 07:10