Chinese hackers are actively exploiting a critical remote code execution flaw in Ivanti Endpoint Manager Mobile (EPMM) to breach organizations worldwide. The attacks, attributed to the UNC5221 threat group, are espionage-motivated and include data exfiltration. #CVE20254428 #UNC5221
Key points
- The vulnerability CVE-2025-4428 affects Ivanti EPMM versions 12.5.0.0 and earlier and enables remote code execution.
- Threat actors, likely Chinese espionage groups, have exploited this flaw extensively since May 15, 2025.
- Targeted victims include healthcare institutions, government agencies, industrial firms, and financial organizations worldwide.
- The attackers used reconnaissance commands, dropped malware like KrystyLoader, and exfiltrated data through real-time HTTP requests.
- Rapid application of security patches is critical, as the attacks began just days after the flaw was publicly disclosed.