Overview
- CISA describes exploitation of CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution), chained to gain unauthenticated control of on-premises EPMM before Ivanti's May 13 fixes.
- Investigators say access occurred around May 15 after a public PoC, with commands issued via the /mifs/rs/api/v2/ endpoint to run reconnaissance, map the network, create a heapdump, and dump LDAP credentials.
- Attackers dropped two malware sets to /tmp: Set 1 included web-install.jar, ReflectUtil.class, and SecurityHandlerWanListener.class; Set 2 included web-install.jar and WebAndroidAppInstaller.class.
- Malicious listeners intercepted specific HTTP requests, decoded or decrypted the embedded payloads, and dynamically created classes for arbitrary code execution, persistence, and potential data exfiltration. The loaders were delivered in Base64 segments across separate HTTP GET requests to evade detection.
- CISA released IoCs plus YARA and SIGMA rules, urged immediate upgrades to fixed EPMM versions (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1 or newer), advised isolating affected hosts and preserving forensics, and noted private China‑nexus reporting without making attribution.
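Because the fixed releases are listed per release line, a single "is my version above X" comparison is a common mistake (12.4.0.1 sorts above 12.3.0.2 yet is still unpatched on its own line). The following added example, not code from CISA or Ivanti, triages a constructed host inventory against the four fixed versions named above; treating builds on a line newer than every listed fix as covered by "or newer", and unlisted older lines as needing review, is an assumption of the example.

```python
from typing import Dict, Tuple

# Fixed releases named in the advisory summary above, one per release line.
FIXED_VERSIONS = ("11.12.0.5", "12.3.0.2", "12.4.0.2", "12.5.0.1")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.4.0.1' into (12, 4, 0, 1); exactly four numeric fields expected."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected EPMM version format: {version!r}")
    return parts


def _fixed_by_line() -> Dict[Tuple[int, ...], Tuple[int, ...]]:
    """Key each fixed build by its release line (the first three fields)."""
    return {parse_version(v)[:3]: parse_version(v) for v in FIXED_VERSIONS}


def assess_epmm_version(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'review' for an installed EPMM build.

    Comparison is per release line: 12.4.0.1 is below its own line's fix
    (12.4.0.2) even though it sorts above 12.3.0.2 globally.
    """
    installed = parse_version(version)
    fixed_by_line = _fixed_by_line()
    line_fix = fixed_by_line.get(installed[:3])
    if line_fix is not None:
        return "fixed" if installed >= line_fix else "vulnerable"
    # Assumption (not stated in the advisory summary): a build on a line newer
    # than every listed fix falls under "or newer"; anything else sits on an
    # unlisted or end-of-life line and needs manual review against vendor guidance.
    if installed > max(fixed_by_line.values()):
        return "fixed"
    return "review"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a host:version inventory."""
    return {host: assess_epmm_version(v) for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not taken from the advisory.
    sample = {"epmm-01": "12.4.0.1", "epmm-02": "12.3.0.2", "epmm-03": "11.12.0.4",
              "epmm-04": "12.6.0.0", "epmm-05": "12.2.0.3"}
    for host, status in triage(sample).items():
        print(f"{host}: {sample[host]} -> {status}")
```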