
"An unknown attacker has abused a couple of flaws in Ivanti Endpoint Manager Mobile (EPMM) and deployed two sets of malware against an unnamed organization, according to the US Cybersecurity and Infrastructure Security Agency. While CISA doesn't attribute this compromise to a particular group, both of these flaws, CVE-2025-4427 and CVE-2025-4428, were exploited as zero-days before Ivanti disclosed and patched them on May 13."
"According to CISA's analysis, malware set 1 consists of three malicious files: web-install.jar, ReflectUtil.class, and SecurityHandlerWanListener.class. Set 2 contains web-install.jar and WebAndroidAppInstaller.class. After being dropped on a victim machine, the first loader loads ReflectUtil.class, which injects and manages the malicious listener - SecurityHandlerWanListener - in Apache Tomcat. This snoopy software "intercepts specific HTTP requests and processes them to decode and decrypt payloads, creating a new class that cyber threat actors can execute t"
An unknown attacker exploited Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities and deployed two malware sets against an unnamed organization. CVE-2025-4427 is an authentication bypass and CVE-2025-4428 is a post-authentication remote code execution flaw; chained together, the bypass removes the authentication requirement for the RCE, so an unauthenticated attacker can take over a vulnerable deployment. Both were exploited as zero-days before Ivanti released patches on May 13. The intrusion CISA analyzed began around May 15, after a proof-of-concept exploit became available, and gave the attacker access to an EPMM server. Both malware sets consist of a loader plus a malicious Tomcat listener that lets the attacker run arbitrary code on the compromised server. Malware set 1 includes web-install.jar, ReflectUtil.class, and SecurityHandlerWanListener.class; set 2 includes web-install.jar and WebAndroidAppInstaller.class.
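The file names above are the only indicators the article gives, so the practical first check on an EPMM host is a hunt for those names, both loose on disk and packed as entries inside JAR/WAR archives (the listener classes are delivered via web-install.jar). The script below is an added example written for this page; it is not code from The Register, CISA or Ivanti. Only the four indicator names come from the article; the Tomcat-like directory layout, the sample files and the archive contents are constructed for the demonstration, and real EPMM install paths are not assumed. File-name matching is a weak indicator (an attacker can rename a class), so treat a hit as a lead for forensic review, not as proof of compromise, and a miss as no evidence either way.

```python
"""Hunt for the file names CISA tied to the two EPMM malware sets.

Added example, not code from The Register or CISA. The indicator
names come from the article; the directory layout, sample files and
JAR contents below are constructed for the demonstration.
"""
import os
import tempfile
import zipfile

# File names reported for malware set 1 and set 2 (from the article).
IOC_NAMES = {
    "web-install.jar": "set 1 / set 2 loader",
    "ReflectUtil.class": "set 1 loader helper",
    "SecurityHandlerWanListener.class": "set 1 Tomcat listener",
    "WebAndroidAppInstaller.class": "set 2 class",
}


def scan_archive(path):
    """Return (location, label) for IOC entries found inside one archive.
    A .jar that is not a valid zip is reported too: it deserves a look."""
    found = []
    try:
        with zipfile.ZipFile(path) as zf:
            for entry in zf.namelist():
                base = entry.rsplit("/", 1)[-1]  # strip package directories
                if base in IOC_NAMES:
                    found.append((f"{path}!{entry}", IOC_NAMES[base]))
    except zipfile.BadZipFile:
        found.append((path, "unreadable archive"))
    return found


def scan_tree(root):
    """Walk `root` and return a sorted list of (location, label) for every
    IOC file name seen on disk or packed inside a .jar/.war/.zip archive."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in IOC_NAMES:
                hits.append((path, IOC_NAMES[name]))
            if name.lower().endswith((".jar", ".war", ".zip")):
                hits.extend(scan_archive(path))
    return sorted(hits)


def build_sample_tree():
    """Constructed Tomcat-like tree (assumed layout, not a real EPMM path):
    one benign jar, one web-install.jar carrying ReflectUtil.class, and a
    SecurityHandlerWanListener.class dropped loose on disk."""
    root = tempfile.mkdtemp(prefix="epmm-hunt-")
    lib = os.path.join(root, "tomcat", "lib")
    os.makedirs(lib)
    magic = b"\xca\xfe\xba\xbe"  # Java class-file magic, content is a stand-in
    with zipfile.ZipFile(os.path.join(lib, "benign.jar"), "w") as zf:
        zf.writestr("com/example/Ok.class", magic)
    with zipfile.ZipFile(os.path.join(lib, "web-install.jar"), "w") as zf:
        zf.writestr("ReflectUtil.class", magic)
    with open(os.path.join(lib, "SecurityHandlerWanListener.class"), "wb") as f:
        f.write(magic)
    return root


if __name__ == "__main__":
    # Point scan_tree at the Tomcat/EPMM install root on a real host instead.
    for location, label in scan_tree(build_sample_tree()):
        print(f"{label:24} {location}")
```

On the constructed tree the scan reports three leads: the loose listener class, the web-install.jar loader by name, and ReflectUtil.class as an entry inside that jar; benign.jar produces nothing. Run it against the real Tomcat and EPMM directories with the same `scan_tree` call, and pair any hit with a review of Tomcat's listener configuration and access logs, since the listener intercepts specific HTTP requests rather than writing a conventional web shell.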
Read at Theregister