The US Cybersecurity and Infrastructure Security Agency (CISA) released details on two malware discovered in the network of unknown organizations following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).
“Each set includes loaders for malicious listeners that allow cyberthreat actors to execute arbitrary code on compromised servers,” CISA said in a warning.
Vulnerabilities exploited in the attack include CVE-2025-4427 and CVE-2025-4428. Both were abused as zero-day before being addressed by Ivanti in May 2025.
CVE-2025-4427 is about authentication bypassing that allows attackers to access protected resources, while CVE-2025-4428 allows remote code execution. As a result, two flaws can be chained together to execute arbitrary code on vulnerable devices without authentication.
According to the CISA, the threat actor combed two vulnerabilities around May 15, 2025, and accessed a server running EPMM following the publication of a proof of concept (POC) exploit.
This allowed the attacker to collect system information, download malicious files, and execute commands that allowed him to run lists of root directories, maps of the network, and scripts to create Heapdump.
Further analysis determined that the cyberthreat actor had dropped two sets of malicious files into the “/TMP” directory, each enabling persistence by injecting and running arbitrary code into the compromised server.
Set 1 -web -install.jar (aka loader 1), Reflectutil.class, and securityhandlerwanlistener.class set 2 -web -install.jar (aka loader 2) and webandroidappinstaller.class
Specifically, both sets contain loaders that invoke malicious Java class listeners that intercept specific HTTP requests and handle them to decode and decode the payload for subsequent execution.
“Reflectutil.class manipulates Java objects to inject and manage malicious listener SecurityHandlerWanListener into Apache Tomcat,” says Cisa. “[SecurityHandlerWanListener.class] A malicious listener that intercepts specific HTTP requests, processes them, and handles them to decode and decode payloads that dynamically create and execute new classes. ”
On the other hand, WeBandroidAppInstaller.class works differently by using hardcoded keys to retrieve and decrypt password parameters from requests. Its contents are used to define and implement new classes. The execution of the new class then results in a response being encrypted using the same hardcoded key and generated with the encrypted output.
The end result is that an attacker can inject and execute arbitrary code into the server, removing data by intercepting and processing HTTP requests, as well as enabling subsequent activity and persistence.
To remain protected against these attacks, organizations recommend updating instances to the latest version, monitoring for signs of suspicious activity, and implementing the necessary restrictions to prevent unauthorized access to mobile device management (MDM) systems.
Source link
