- CISA warns that attackers chained CVE-2025-4427 and CVE-2025-4428 to breach Ivanti EPMM systems
- The malware was delivered through Java EL injection and rebuilt from base64-encoded payloads
- CISA did not confirm attribution; reports suggest a possible Chinese campaign against an Australian entity
The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations about two patched Ivanti flaws that are being chained in real-world attacks.
In a new security advisory, CISA said it was investigating cybercriminals using CVE-2025-4427 and CVE-2025-4428, both of which affect Ivanti Endpoint Manager Mobile (EPMM), to obtain initial access.
The first is an authentication bypass in the API component of EPMM 12.5.0.0 and earlier, allowing attackers to access protected resources via the API without proper credentials. It was given a severity score of 7.5/10 (high) and was patched in May 2025. The second is a remote code execution (RCE) bug in the EPMM API component, allowing unauthorized attackers to execute arbitrary code through crafted API requests. It was given a severity score of 8.8/10 (high) and was fixed at roughly the same time.
Malware drop
CISA said the attackers used these two flaws in a chain to drop two sets of malware.
The first includes components that inject a malicious listener into Apache Tomcat, allowing them to intercept specific HTTP requests and execute arbitrary Java code. The second malware set works in a similar way, but uses a different class to process password parameters encoded in HTTP requests.
Both sets were delivered using Java Expression Language (EL) injection via HTTP GET requests, the researchers explained. The payloads were base64-encoded and written to temporary directories in pieces, then reassembled. In this way, the attackers could evade detection by traditional security tools.
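As an added illustration of how a defender might hunt for the delivery pattern described above (EL expressions and base64 chunks arriving in GET query parameters), the following script is not from the article, CISA or Ivanti; the log lines, API paths and parameter names are constructed placeholders, not the real EPMM endpoints.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Tomcat-style access log lines, constructed for this example (not real traffic).
# Paths and parameter names are placeholders, not the actual EPMM API endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /api/v2/example?format=json HTTP/1.1" 200 512
10.0.0.9 - - [15/May/2025:10:01:07 +0000] "GET /api/v2/example?format=%24%7Bparam.x%7D HTTP/1.1" 200 73
10.0.0.9 - - [15/May/2025:10:01:09 +0000] "GET /api/v2/example?chunk=aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgcGF5bG9hZA%3D%3D HTTP/1.1" 200 73
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d+)'
)
EL_RE = re.compile(r"[$#]\{")                      # Java EL expression delimiters ${...} / #{...}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")  # long base64-looking value (a payload chunk)


def classify_request(target: str) -> list[str]:
    """Return indicator labels found in a request target (path + query string)."""
    findings = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)  # second decode catches double-URL-encoded values
        if EL_RE.search(decoded):
            findings.append(f"el-expression:{name}")
        if B64_RE.match(decoded):
            try:
                base64.b64decode(decoded, validate=True)
                findings.append(f"base64-blob:{name}")
            except ValueError:
                pass  # looked like base64 but did not decode cleanly
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan access-log text and return one hit per request that carries indicators."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m["target"])
        if findings:
            hits.append({"ip": m["ip"], "ts": m["ts"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Repeated base64 chunks from one source IP within a short window are the pattern worth correlating with new files appearing in the server's temporary directories.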
CISA did not discuss attribution, so officially we do not know who the threat actors or the victims in this attack were. The Register, however, cited earlier reports that this could have been the work of a Chinese state-sponsored attacker targeting an Australian entity.
Via The Register