- CISA warns that attackers chained CVE-2025-4427 and CVE-2025-4428 to compromise Ivanti EPMM systems
- The malware was delivered via Java EL injection and reassembled from base64-encoded payload fragments
- CISA has not confirmed attribution; earlier reports point to a possible Chinese state-backed actor targeting an Australian entity
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations that two already-patched Ivanti flaws are being exploited in real-world attacks.
In a new security advisory, CISA said it had observed threat actors using CVE-2025-4427 and CVE-2025-4428, both affecting Ivanti Endpoint Manager Mobile (EPMM), to obtain initial access.
The first is an authentication bypass in the API component of EPMM 12.5.0.0 and prior, which lets attackers reach protected resources through the API without valid credentials. It was given a severity score of 7.5/10 (high) and was patched in May 2025. The second is a remote code execution (RCE) bug in the same API component that allows attackers to execute arbitrary code via crafted API requests; chained with the bypass, it needs no authentication at all. It received a severity score of 8.8/10 (high) and was fixed at about the same time.
Dropping malware
CISA said the attackers chained the two flaws to drop two sets of malware.
The first includes components that inject a malicious listener into Apache Tomcat, allowing the attackers to intercept specific HTTP requests and execute arbitrary Java code. The second set works in a similar way but uses a different class to process encoded password parameters in HTTP requests.
Both sets were delivered through Java Expression Language (EL) injection in HTTP GET requests, the researchers said. The payloads were base64-encoded, written to temporary directories in pieces, and then reassembled on the host. Splitting and encoding the payloads this way let the attackers evade detection by traditional security tools, which is why defenders should look for EL expressions in request parameters and for runs of requests from one client carrying base64 fragments, rather than for a single recognizable file.
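The delivery technique described above, EL expressions in GET parameters followed by base64 fragments staged across several requests and reassembled, can be hunted for in Tomcat access logs. The following is an added example written for this page, not code from the article, CISA or Ivanti: the endpoint path `/api/v2/example`, the parameter names `q` and `part`, the gadget keyword list, and the log lines themselves are all constructed for illustration and are not indicators from the advisory.

```python
"""Detect Java EL injection and chunked base64 payload staging in Tomcat access logs.

Added example, not code from the original article or from Ivanti/CISA.
The endpoint path (/api/v2/example), parameter names (q, part), gadget list
and the sample log lines are constructed for illustration.
"""
import base64
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Tomcat "common" access-log format: client ident user [ts] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)
# Java EL expressions are ${...} or #{...}; no legitimate client sends them in a query string.
EL_RE = re.compile(r'[$#]\{[^}]*\}')
# Reflection / process-execution names commonly seen inside injected EL (assumed list).
EL_GADGETS = ("getClass(", "forName(", "Runtime", "ProcessBuilder",
              "ScriptEngine", "FileOutputStream", "Base64")
# A parameter value that is nothing but base64 alphabet plus optional padding.
B64_RE = re.compile(r'^[A-Za-z0-9+/]{6,}={0,2}$')
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def parse_line(line):
    """Return client, method, path and percent-decoded query params, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    params = parse_qsl(parts.query, keep_blank_values=True)  # decodes %24%7B -> ${
    return {"client": m.group("client"), "method": m.group("method"),
            "path": parts.path, "params": params}


def find_el_injection(params):
    """Return (name, value, gadgets) for every parameter whose value contains an EL expression."""
    hits = []
    for name, value in params:
        if EL_RE.search(value):
            hits.append((name, value, [g for g in EL_GADGETS if g in value]))
    return hits


def analyze(log_text):
    """Scan log lines: collect EL hits and reassemble base64 fragments staged per client+path."""
    el_hits = []
    chunks = {}  # (client, path) -> base64 fragments in arrival order
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, _value, gadgets in find_el_injection(rec["params"]):
            el_hits.append({"client": rec["client"], "param": name, "gadgets": gadgets})
        for _name, value in rec["params"]:
            if len(value) >= 8 and B64_RE.match(value):
                chunks.setdefault((rec["client"], rec["path"]), []).append(value)
    reassembled = {}
    for (client, path), parts in chunks.items():
        try:
            blob = base64.b64decode("".join(parts), validate=True)  # rebuild as the dropper would
        except ValueError:  # fragments that do not join into valid base64 are ignored
            continue
        reassembled[client] = {"path": path, "parts": len(parts), "bytes": blob,
                               "java_class": blob.startswith(JAVA_CLASS_MAGIC)}
    return {"el_hits": el_hits, "reassembled": reassembled}


# --- constructed sample data (not real attack traffic) ---
# A fake "class file": the real magic number followed by filler, not actual bytecode.
_FAKE_CLASS = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"constructed fake class body, not bytecode"
_B64 = base64.b64encode(_FAKE_CLASS).decode()
_PARTS = [_B64[i:i + 20] for i in range(0, len(_B64), 20)]  # staged as 20-char fragments

SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /api/v2/example?q=json HTTP/1.1" 200 512',
     # ${''.getClass().forName('java.lang.Runtime')} percent-encoded in a GET parameter
     '10.0.0.9 - - [15/May/2025:10:01:07 +0000] "GET /api/v2/example?q=%24%7B%27%27.getClass%28%29'
     '.forName%28%27java.lang.Runtime%27%29%7D HTTP/1.1" 200 0']
    + [f'10.0.0.9 - - [15/May/2025:10:01:{8 + i:02d} +0000] "GET /api/v2/example?part={quote(p, safe="")} HTTP/1.1" 200 0'
       for i, p in enumerate(_PARTS)]
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for hit in result["el_hits"]:
        print("EL injection from", hit["client"], "in param", hit["param"], "gadgets:", hit["gadgets"])
    for client, info in result["reassembled"].items():
        print(f"{client}: {info['parts']} fragments -> {len(info['bytes'])} bytes, java class: {info['java_class']}")
```

In this constructed log the second line is flagged for the EL expression and the four `part=` requests from the same client join back into a blob that starts with the Java class magic `0xCAFEBABE`. The base64 heuristic is deliberately loose and will also match long alphanumeric tokens such as device identifiers, so in production scope it to parameters the application never expects to be opaque, or only raise an alert when the reassembled bytes look like a class or JAR.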
CISA has not discussed attribution, so officially neither the threat actors nor the victims in this campaign are known. However, as The Register previously reported, it may have been the work of a Chinese state-sponsored attacker targeting an organization in Australia.
Via The Register