Malware exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428
Summary
Two sets of malware were discovered on an unnamed organization's network after the exploitation of CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The two vulnerabilities, an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428), were exploited around May 15, 2025, to gain access to the server running EPMM. This let the attackers execute arbitrary code, collect system information, download malicious files, and exfiltrate data. The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands, and delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. Each malware set included a loader (the two loaders share the same name but are distinct) and malicious listeners that inject and run arbitrary code on the compromised server, which gave the attackers persistence. CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks, and recommends patching affected Ivanti EPMM instances immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).
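The summary describes a delivery pattern a defender can look for in EPMM access logs: repeated HTTP GET requests to the /mifs/rs/api/v2/ endpoint whose query parameters carry Base64-encoded fragments of a larger blob. The script below is an added example written for this page; it is not CISA's SIGMA or YARA rule and not the content of either cited article. The log format, the client addresses, the `sample` path below the API prefix, the `seq`/`blob` parameter names and the chunk contents are all constructed for the example; the real campaign's parameter names and payloads are not on this page and are not reproduced. It flags GETs under the prefix that carry Base64-looking parameter values, then concatenates the decoded chunks per client in log order so an analyst can inspect what was delivered, without executing any of it.

```python
"""Triage of constructed EPMM access-log lines for chunked, Base64-encoded GET delivery.

Added example for this page; not CISA's detection content and not code from the
cited articles. Every log line, address, path segment and parameter name below is
constructed for illustration.
"""
import base64
import re
from urllib.parse import urlsplit, unquote

TARGET_PREFIX = "/mifs/rs/api/v2/"   # endpoint named in the summary
MIN_B64_LEN = 12                     # short values such as "json" or "50" are not treated as payload

# Constructed, harmless "payload" split into the kind of segments the summary
# describes. These bytes are an assumption for the example, not an IOC.
SAMPLE_CHUNKS = [b"constructed-part-one;", b"constructed-part-two;", b"constructed-part-three"]

# Apache/NGINX combined-log style: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def build_sample_log():
    """Return constructed log lines: benign API traffic plus three chunked GETs from one client."""
    lines = [
        '198.51.100.7 - - [15/May/2025:09:58:01 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048',
        '198.51.100.7 - - [15/May/2025:09:58:04 +0000] "GET /mifs/rs/api/v2/sample?limit=50&fields=name HTTP/1.1" 200 913',
    ]
    for i, chunk in enumerate(SAMPLE_CHUNKS):
        enc = base64.b64encode(chunk).decode()   # encoded in code so the example needs no hand-made Base64
        lines.append(
            f'203.0.113.9 - - [15/May/2025:10:01:0{i} +0000] '
            f'"GET /mifs/rs/api/v2/sample?seq={i}&blob={enc} HTTP/1.1" 200 58'
        )
    lines.append('198.51.100.7 - - [15/May/2025:10:02:11 +0000] "POST /mifs/rs/api/v2/sample HTTP/1.1" 200 120')
    return lines


def looks_base64(value):
    """Return the decoded bytes if `value` is a plausible Base64 blob, else None.

    Heuristic: long enough, length a multiple of 4, and a strict decode succeeds.
    Any 12+ character string drawn from the Base64 alphabet will match, so hits
    are leads for an analyst, not verdicts."""
    if len(value) < MIN_B64_LEN or len(value) % 4:
        return None
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def triage(lines):
    """Flag GET requests under TARGET_PREFIX that carry Base64-looking query values.

    Returns one dict per suspicious parameter, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        if not parts.path.startswith(TARGET_PREFIX):
            continue
        # Split the query by hand: parse_qsl would turn '+' (a Base64 character)
        # into a space and break the decode. unquote() leaves '+' alone.
        for pair in parts.query.split("&"):
            name, _, raw = pair.partition("=")
            decoded = looks_base64(unquote(raw))
            if decoded is not None:
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": parts.path,
                             "param": name, "decoded": decoded})
    return hits


def reassemble(hits):
    """Concatenate decoded chunks per client, in log order, for offline inspection.

    Nothing here executes or interprets the bytes; the result is evidence to
    review alongside CISA's published IOCs and rules."""
    blobs = {}
    for h in hits:
        blobs.setdefault(h["ip"], bytearray()).extend(h["decoded"])
    return {ip: bytes(b) for ip, b in blobs.items()}


if __name__ == "__main__":
    found = triage(build_sample_log())
    for h in found:
        print(f'{h["ts"]} {h["ip"]} GET {h["path"]} param={h["param"]} decoded={h["decoded"]!r}')
    for ip, blob in reassemble(found).items():
        print(f"{ip}: {len(blob)} bytes reassembled -> {blob!r}")
```

Run it as-is to see the three chunked requests flagged and the blob reassembled; in practice you would feed it the appliance's real access log and treat every hit as a lead to compare against CISA's IOCs, since the Base64 check is deliberately loose.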
Timeline
- 19.09.2025 07:10 (2 articles, 14h ago): Exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428
  The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands. The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks.
  Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
Information Snippets
- The vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti EPMM were exploited to gain unauthorized access to a server running EPMM.
  First reported: 19.09.2025 07:10 (2 sources, 2 articles). Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- CVE-2025-4427 allows attackers to bypass authentication and access protected resources.
  First reported: 19.09.2025 07:10 (2 sources, 2 articles). Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- CVE-2025-4428 enables remote code execution on vulnerable devices.
  First reported: 19.09.2025 07:10 (2 sources, 2 articles). Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The attackers exploited the vulnerabilities around May 15, 2025, following the publication of a proof-of-concept exploit.
  First reported: 19.09.2025 07:10 (2 sources, 2 articles). Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The malware sets included loaders that injected and ran arbitrary code on the compromised server.
  First reported: 19.09.2025 07:10 (2 sources, 2 articles). Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The attackers used the vulnerabilities to collect system information, download malicious files, and exfiltrate data.
  First reported: 19.09.2025 07:10 (2 sources, 2 articles). Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The malware sets were dropped to the '/tmp' directory and included specific Java classes for persistence.
  First reported: 19.09.2025 07:10 (2 sources, 2 articles). Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The malicious listeners intercepted and processed HTTP requests to decode and decrypt payloads for execution.
  First reported: 19.09.2025 07:10 (2 sources, 2 articles). Sources:
  - CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428 · thehackernews.com · 19.09.2025 07:10
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0.
  First reported: 19.09.2025 18:46 (1 source, 1 article). Sources:
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands.
  First reported: 19.09.2025 18:46 (1 source, 1 article). Sources:
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code.
  First reported: 19.09.2025 18:46 (1 source, 1 article). Sources:
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks.
  First reported: 19.09.2025 18:46 (1 source, 1 article). Sources:
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks.
  First reported: 19.09.2025 18:46 (1 source, 1 article). Sources:
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
- CISA recommends patching affected Ivanti EPMM immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).
  First reported: 19.09.2025 18:46 (1 source, 1 article). Sources:
  - CISA exposes malware kits deployed in Ivanti EPMM attacks · www.bleepingcomputer.com · 19.09.2025 18:46
Similar Happenings
Critical deserialization vulnerability in Fortra GoAnywhere MFT
Fortra disclosed a critical deserialization vulnerability in GoAnywhere Managed File Transfer (MFT) software (CVE-2025-10035). This flaw, with a CVSS score of 10.0, allows arbitrary command execution through a forged license response signature. The vulnerability affects systems accessible over the internet and was patched in versions 7.8.4 and 7.6.3. Fortra has not confirmed exploitation in the wild, but similar vulnerabilities in the same product were previously exploited by ransomware actors. Users are advised to update to the patched versions immediately or restrict public access to the GoAnywhere Admin Console. Fortra discovered the vulnerability during a security check on September 11, 2025. The vulnerability was identified in the License Servlet of GoAnywhere MFT. Over 470 GoAnywhere MFT instances are being monitored by the Shadowserver Foundation.
Subtle Snail APT Targets Global Telcos and Satellite Operators
Subtle Snail (UNC1549) has conducted a series of cyberattacks against 11 global telecommunications, satellite, and aerospace companies in recent weeks. The attacks, which occurred over a short period, targeted key personnel in these industries using highly customized phishing lures and malware. The primary goals appear to be data theft for research and development and call data records (CDRs) for espionage. The group has been active since at least June 2022, focusing on aerospace, defense, and telecommunications sectors. Their tactics include extensive background research on targets and the use of custom malware, particularly the MiniBike backdoor, which employs modular components to evade detection. The attacks have been observed across the Middle East, Europe, and North America, with victims including major companies serving millions of customers. The group is believed to be affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC).
SystemBC Proxy Botnet Targets Vulnerable VPS Systems
The SystemBC proxy botnet operators are actively targeting vulnerable commercial virtual private servers (VPS) to maintain an average of 1,500 bots daily. These compromised servers, located globally, are used to route malicious traffic and hide command-and-control (C2) activities, making detection more challenging. SystemBC has been operational since at least 2019 and is utilized by various threat actors, including ransomware gangs. The botnet's infrastructure includes over 80 C2 servers and supports multiple criminal proxy networks. The operators do not prioritize stealth, leading to long infection lifetimes and extensive exploitation of unpatched vulnerabilities. The botnet's primary use includes brute-forcing WordPress credentials and providing high-volume, stable traffic for malicious activities. The REM Proxy network is powered by SystemBC, offering about 80% of the botnet to its users. It also markets a pool of 20,000 Mikrotik routers and various open proxies. The botnet targets both Windows and Linux systems, with the Linux variant designed for corporate networks, cloud servers, and IoT devices. Nearly 80% of SystemBC's daily victims are compromised VPS systems from large commercial providers, with close to 40% having extremely long infection lifespans. Each victim has 20 unpatched CVEs and at least one critical CVE on average.
FileFix Attack Using Steganography to Deploy StealC Infostealer
A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future. The FileFix attack involves a fake Cloudflare Turnstile verification page that redirects users to a Windows File Explorer search query. 
The attack uses a Windows shortcut LNK file disguised as a PDF to initiate the infection chain. The LNK file downloads a legitimate AnyDesk installer and a malicious MSI package that installs MetaStealer. The MSI package contains a DLL and a CAB archive with malicious files, including a MetaStealer dropper. The MetaStealer dropper is protected with Private EXE Protector and is designed to steal cryptocurrency wallets. The attack leverages the Windows search protocol to redirect users to an attacker-controlled SMB share. The FileFix attack has evolved to include a more sophisticated infection chain that bypasses traditional detection methods. The attack uses a multi-stage process involving Windows File Explorer, a fake PDF lure, and an MSI package to deploy MetaStealer. The FileFix attack has been observed to use a combination of social engineering and advanced technical techniques to evade detection.
CISA Defunding and Dismantling Affects Cybersecurity Response
The Cybersecurity and Infrastructure Security Agency (CISA) is being defunded and dismantled, jeopardizing the timely identification and mitigation of cyber vulnerabilities. This development leaves organizations more vulnerable to zero-day exploits and delays in response times. CISA's role in coordinating vulnerability information and providing detailed advisories is crucial for accelerating the discovery and resolution of security issues. CISA's partnership with the Center for Internet Security has ended, and over a hundred employees have been laid off. The Common Vulnerabilities and Exposures (CVE) program, funded through CISA, was extended but faces an uncertain future. The Cybersecurity Information Sharing Act of 2015 is up for renewal, with no clear indication of its future. The defunding and dismantling of CISA will increase the risk of exploitation for businesses and their customers, as organizations will have to rely on their own resources or public disclosures to identify vulnerabilities. This delay can leave systems exposed to attacks for longer periods.