The U.S. Cybersecurity and Infrastructure Security Agency (CISA) detailed malware used in attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Threat actors, including a China-nexus espionage group, exploited these flaws before they were patched, leading to data exfiltration and remote-control activity on affected systems. #CISA #IvantiEPMM #CVE-2025-4427 #CVE-2025-4428 #ChinaNexus
Key points
- The vulnerabilities in Ivanti EPMM include an authentication bypass and a code injection flaw.
- Threat actors exploited these vulnerabilities as zero-days before Ivanti released patches on May 13.
- A China-linked espionage group was identified as leveraging these vulnerabilities for reconnaissance and data exfiltration.
- The malware delivered its code through segmented HTTP GET requests and used malicious Java classes to inject and execute it.
- CISA recommends immediate patching, isolating affected systems, reviewing artifacts for signs of compromise, and using YARA and SIGMA detection rules.