CISA Analyzes Malware From Ivanti EPMM Intrusions

CISA has released detailed information about malware used in attacks exploiting vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), attributed to the Chinese threat actor UNC5221. The malware allowed attackers to execute remote commands, deploy malicious files, and maintain persistence on compromised servers. #IvantiEPMM #UNC5221

Key points

  • The vulnerabilities CVE-2025-4427 and CVE-2025-4428 were exploited in recent attacks on Ivanti EPMM.
  • Threat actors used chained bugs to gain unauthenticated remote code execution on targeted servers.
  • Malware sets deployed included loaders and malicious listeners to enable arbitrary code execution and persistence.
  • The malware used segmentation techniques to evade signature-based detection and size limitations.
  • CISA recommends updating Ivanti EPMM to patched versions and enhancing monitoring and restrictions on MDM systems.

Read More: https://www.securityweek.com/cisa-analyzes-malware-from-ivanti-epmm-intrusions/