Ivanti Endpoint Manager Mobile (EPMM) CVE-2025-4427 & CVE-2025-4428 — Threat Analysis Report By CyberDudeBivash — Global Threat Intelligence & Practical Defense

Executive Summary

  • Two serious vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) have been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog because of evidence that they are being used in active attacks. (CISA)
  • CVE-2025-4427 is an authentication bypass: it allows unauthenticated access to protected API resources. (Tenable, NVD)
  • CVE-2025-4428 is remote code execution (RCE) in the API component; chained with CVE-2025-4427 it yields RCE without any authentication. (CISA, Tenable)
  • Affected versions: Ivanti EPMM 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0 and earlier. (CISA)
  • Ivanti released patches on May 13, 2025. Update to the fixed versions (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1) as soon as possible. (Tenable)

Technical Details & Attack Mechanics

Vulnerability Types & Causes

  • CVE-2025-4427 (Auth Bypass): insecure handling of certain API endpoints lets an attacker call protected API paths without valid credentials. CWE-288 (Authentication Bypass Using an Alternate Path or Channel). (NVD, Qualys)
  • CVE-2025-4428 (Code Injection / RCE): crafted API requests carry unsanitized input into a template/expression evaluator, so attacker-controlled expression language (EL) is evaluated on the server and arbitrary code runs. CWE-94 (Code Injection). (Qualys, CISA)

Exploitation Flow (observed in the wild)

  • Attackers send HTTP GET requests to the API under /mifs/rs/api/v2/ with a crafted ?format= parameter (or a similar parameter) to inject and execute code remotely. (CISA)
  • They chain the two vulnerabilities: bypass authentication (CVE-2025-4427), then use the code injection (CVE-2025-4428) to upload or execute code. (Tenable)
  • They drop loaders and malicious listener components (Java .jar and .class files) in the /tmp directory; these give them persistent code execution. (CISA)

Detected Malware / Payloads

  • Two sets of malicious files: Set 1 consists of web-install.jar, ReflectUtil.class and SecurityHandlerWanListener.class; Set 2 consists of WebAndroidAppInstaller.class. Both sets register listeners that process HTTP requests and execute the payloads injected in them. (CISA)
  • Persistence via Tomcat listener shells, with the ability to list the root directory, map the network and dump credentials (LDAP, etc.). (CISA)

Detection & Indicators of Compromise (IoCs)

Key IoCs (adapt to your environment):

  • Access logs showing HTTP GET requests to /mifs/rs/api/v2/ endpoints with a suspicious format= parameter (a value that is not a plain format name, or that is URL-encoded more than once). (CISA)
  • Files in /tmp such as web-install.jar, ReflectUtil.class, SecurityHandlerWanListener.class and WebAndroidAppInstaller.class. (CISA)
  • Listener behaviour in Apache Tomcat: injected classes handling HTTP requests in order to execute code. (CISA)
  • Unusual API access from unauthenticated sources (no valid credentials) to normally protected EPMM API endpoints.
  • Download behaviour: curl, wget or similar invoked from the web application; unusual child processes of the Tomcat/Java process.
  • File writes or code injection into class files; jar files loaded dynamically from unexpected locations.
  • Network egress connections from the compromised EPMM servers to cloud storage / external C2 endpoints.

Detection Rules / Hunting:

  • SIGMA and YARA rules published by CISA for this specific malware. (CISA)
  • SIEM query, Splunk-style (adapt index and field names to your environment):
      (index=webserver_logs OR index=tomcat_access) uri_path="/mifs/rs/api/v2/*" query="*format=*"
      | stats count by src_ip, dest_host, uri_path
      | where count > <threshold>
    Do not rely on the count threshold alone: a single request whose format= value is not a plain format name deserves review, because one successful request is enough to drop the listener.
  • Monitor file system for .jar or .class files appearing under /tmp or unexpected directories.
  • Monitor process execution logs (Tomcat, Java) for new listeners being loaded at runtime with class injection.
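The access-log check described above, as an added example that is not part of the original report or CISA's published rules: it parses Tomcat common-format access-log lines, keeps requests under /mifs/rs/api/v2/, URL-decodes the format= parameter (twice, so double-encoded payloads are not missed) and flags values that are not a plain format name or that contain expression-language markers. The log lines, the request paths under the API prefix, the allow-list of format names and the marker list are all constructed assumptions for the demonstration.

```python
"""Hunt Tomcat/EPMM access logs for crafted format= parameters under /mifs/rs/api/v2/.

Added example, not from the original report. Log lines are constructed;
the allow-list and the EL marker heuristic are assumptions.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Tomcat common log format: host ident authuser [date] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

API_PREFIX = "/mifs/rs/api/v2/"
# Values a legitimate client would plausibly send (assumption)
ALLOWED_FORMATS = {"json", "xml", "csv"}
# Markers of expression-language / code-injection payloads (heuristic)
EL_MARKERS = ("${", "#{", "T(", "getRuntime", "ProcessBuilder")

# Constructed sample lines: one benign API call, two injection attempts
# (the second double-encoded), one unrelated page load.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/May/2025:10:02:11 +0000] '
    '"GET /mifs/rs/api/v2/sample?format=json HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/May/2025:10:03:45 +0000] '
    '"GET /mifs/rs/api/v2/sample?format=%24%7BT(java.lang.Runtime).getRuntime()%7D HTTP/1.1" 500 0',
    '203.0.113.7 - - [15/May/2025:10:03:50 +0000] '
    '"GET /mifs/rs/api/v2/sample?format=%2524%257B7*7%257D HTTP/1.1" 200 64',
    '10.0.0.8 - - [15/May/2025:10:04:00 +0000] '
    '"GET /mifs/login.jsp HTTP/1.1" 200 2048',
]


def classify(line):
    """Return a finding dict for a suspicious API request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(API_PREFIX):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    if "format" not in params:
        return None
    reasons = set()
    for raw in params["format"]:
        value = unquote(raw)  # second decode catches %25-style double encoding
        if value.lower() not in ALLOWED_FORMATS:
            reasons.add("format value not in allow-list")
        if any(marker in value for marker in EL_MARKERS):
            reasons.add("EL-style marker in format value")
    if not reasons:
        return None
    return {
        "src": m.group("src"),
        "path": parts.path,
        "status": m.group("status"),
        "reasons": sorted(reasons),
    }


def hunt(lines):
    """Classify every line; return the findings and a per-source count."""
    findings = [f for f in (classify(l) for l in lines) if f]
    return findings, Counter(f["src"] for f in findings)


if __name__ == "__main__":
    found, by_src = hunt(SAMPLE_LOG)
    for f in found:
        print(f)
    print(dict(by_src))
```

Feed it real logs with `hunt(open(path))`; the status code is kept in each finding because a 500 on an injection attempt does not mean it failed, and the per-source counter is what the SIEM `stats count by src_ip` line above computes.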

Impact & Risk

  • Because EPMM is an MDM/EMM system, compromising it gives the adversary control over the enrolled endpoints and mobile devices, and over the applications, configuration and content that EPMM delivers to them.
  • With RCE: full server compromise, persistence, credential theft and lateral movement.
  • Attackers can deploy further malware, exfiltrate data and tamper with managed devices.
  • Because the affected versions were widely deployed, many organizations were exposed until they patched.

Mitigations & Recommended Actions

Immediate / Critical Fixes

  1. Patch immediately to the fixed EPMM versions: 11.12.0.5, 12.3.0.2, 12.4.0.2 or 12.5.0.1.
  2. Restrict external API exposure: block or firewall the EPMM API endpoints so they are not reachable from the public internet (Ivanti's advisory notes that filtering API access with the built-in Portal ACLs or an external WAF reduces exposure).
  3. Use a Web Application Firewall (WAF) or API gateway to block suspicious patterns (e.g., format= values containing expression syntax, or uploads of .class/.jar content). Treat this as a stopgap until the patch is applied, since request filters can be evaded by encoding.

Medium Term

  • Treat EPMM servers as High-Value Assets: enhanced logging, monitoring, least privilege and network segmentation. (CISA)
  • Review all user accounts, service accounts, tokens used by EPMM; rotate if suspected compromised.
  • Limit administrative interfaces to trusted networks only; enforce strong authentication (MFA, IP restrictions).

Long Term / Strategic

  • Implement behavior-based detection on EPMM servers: detect unusual class loading, listener insertion, reflective calls.
  • Continuous vulnerability scanning and patch management for all components.
  • Periodic threat hunting of EPMM logs (access, API, filesystem, process execution).
  • Use SIEM/WAF rule sets (like CISA’s SIGMA / YARA) to catch suspicious indicators.

Threat Hunting & SOC Playbook

  • Query web server / Tomcat access logs for unauthenticated or anomalous calls to protected API endpoints.
  • Monitor for creation or modification of .jar or .class files in /tmp or other unusual directories.
  • Process creation monitoring: look for the JVM / Java process loading new classes at runtime, invoking ReflectUtil, or loading listener classes.
  • Monitor outbound connections to cloud storage (fetching .jar or .ELF payloads), S3 buckets, etc.
  • File integrity monitoring for the EPMM install directory.
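The filesystem part of this playbook and of the Detection Rules above, as an added example that is not part of the original report or any CISA tooling: it walks a directory tree (on the appliance, /tmp) for .jar and .class files, hashes each one, lists the .class members inside every jar, and flags file or member names that match the IoC list from the report. The sample tree that `demo()` builds in a temporary directory is constructed for the demonstration; the jar and class contents are placeholders, not real malware.

```python
"""Hunt a directory tree for Java artifacts named in the EPMM IoC list.

Added example, not from the original report. The sample tree in demo()
is constructed; file contents are placeholders.
"""
import hashlib
import tempfile
import zipfile
from pathlib import Path

# File and class names from the CISA-described malware sets
IOC_NAMES = {
    "web-install.jar",
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}


def sha256(path):
    """Hash a file in chunks so large jars do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def jar_members(path):
    """Return .class members of a jar; an unreadable archive yields []."""
    try:
        with zipfile.ZipFile(path) as zf:
            return [n for n in zf.namelist() if n.endswith(".class")]
    except zipfile.BadZipFile:
        return []


def scan(root):
    """Inventory every .jar/.class under root and mark IoC name matches."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file() or p.suffix not in (".jar", ".class"):
            continue
        finding = {
            "path": str(p),
            "sha256": sha256(p),
            "mtime": p.stat().st_mtime,
            "matched": [],
        }
        if p.name in IOC_NAMES:
            finding["matched"].append(p.name)
        if p.suffix == ".jar":
            for member in jar_members(p):
                base = member.rsplit("/", 1)[-1]  # class name without package path
                if base in IOC_NAMES:
                    finding["matched"].append(f"{p.name}:{member}")
        findings.append(finding)
    return findings


def build_sample(root):
    """Constructed sample: one IoC-named jar holding an IoC class, one benign class."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(root / "web-install.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/ReflectUtil.class", b"\xca\xfe\xba\xbe placeholder")
    (root / "Benign.class").write_bytes(b"\xca\xfe\xba\xbe placeholder")
    return root


def demo():
    """Build the sample tree in a fresh temp directory and scan it."""
    return scan(build_sample(tempfile.mkdtemp()))


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On a live appliance run `scan("/tmp")` and forward the hashes to your SIEM; matching on member names inside jars matters because the loader jar can carry the listener classes rather than dropping them as loose files.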

Governance, Compliance & Communication

  • For regulated sectors, notify stakeholders (IT, security, legal) of exposure.
  • If breach suspected, collect logs, memory dumps, forensics immediately.
  • Document patches and vulnerability management updates.

#CyberDudeBivash #IvantiEPMM #CVE2025-4427 #CVE2025-4428 #RemoteCodeExecution #AuthenticationBypass #ThreatIntel #IncidentResponse #MDM #SecurityAdvisory
