
"Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server," CISA said in an alert. The vulnerabilities that were exploited in the attack include CVE-2025-4427 and CVE-2025-4428, both of which have been abused as zero-days prior to them being addressed by Ivanti in May 2025. While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code execution."
"According to CISA, the threat actors gained access to a server running EPMM by combining the two vulnerabilities around May 15, 2025, following the publication of a proof-of-concept (PoC) exploit. This permitted the attackers to run commands that made it possible to collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump Lightweight Directory Access Protocol (LDAP) credentials, the agency added."
Two sets of malware were discovered in an unnamed organization's network after exploitation of Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities CVE-2025-4427 and CVE-2025-4428. The flaws allow an authentication bypass and remote code execution respectively, and chaining them lets an attacker run arbitrary code without authenticating. Threat actors gained access around May 15, 2025, after the publication of a proof-of-concept exploit. The attackers executed commands to collect system information, download malicious files, list the root directory, map the network, create a heapdump and exfiltrate LDAP credentials. Two sets of malicious files were dropped to /tmp, each containing a Java loader that launches a listener to process HTTP requests, decode and decrypt payloads, and execute arbitrary code in order to maintain persistence.
Read at The Hacker News