CISA Details Malware from Ivanti EPMM Zero-Day Exploits That Dumped Credentials

  • Lemina
  • Sep 19
  • 2 min read

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an alert Thursday describing two distinct sets of malware found in an unnamed organization after threat actors exploited security flaws in Ivanti Endpoint Manager Mobile (EPMM).

[Image: Ivanti EPMM Malware Alert]

CISA said each malware set contained loaders for malicious listeners that let attackers run arbitrary code on the compromised server and maintain persistence.


🔓 Vulnerabilities and Timeline

The intrusions chained two critical vulnerabilities — CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (remote code execution) — both of which were exploited as zero-days before Ivanti patched them in May 2025. According to CISA, attackers began using a published proof-of-concept exploit around May 15, 2025, to gain access to an EPMM server.


Once inside, operators executed commands to collect system information, download files, enumerate the root directory, map the network, create heapdumps, run scripts and dump LDAP credentials, CISA reported.


🗂️ Malware Details: Two Malicious Sets

CISA’s analysis found attackers dropped two groups of files into the /tmp directory. Each group included a loader (web-install.jar) that launched a compiled Java listener to intercept specially crafted HTTP requests, decode/decrypt payloads, and execute them dynamically.


  • Set 1: web-install.jar (Loader 1), ReflectUtil.class, SecurityHandlerWanListener.class

    • ReflectUtil.class manipulates Java objects to inject and manage a malicious listener in Apache Tomcat.

    • SecurityHandlerWanListener.class intercepts HTTP requests, decodes/decrypts payloads and dynamically creates and executes new classes.

  • Set 2: web-install.jar (Loader 2), WebAndroidAppInstaller.class

    • WebAndroidAppInstaller.class extracts and decrypts a password parameter from requests using a hard-coded key, builds a new class from that data, runs it, then encrypts the execution result with the same key and returns the output.


⚠️ Why This Matters

The attack demonstrates a classic, high-impact chain: remotely exploitable flaws → unauthenticated code execution → persistent malicious listeners → credential theft and lateral-movement capability. Organizations running Ivanti EPMM should assume they are at high risk if the May 2025 patches were not applied promptly, and should review logs and file-system artifacts (notably drops in /tmp and suspicious Java class loaders) for signs of compromise.
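One way to start that file-system review, as an added example that is not part of CISA's notice or Ivanti's tooling: a small hunt script that walks a directory (by default /tmp on the EPMM host) for the loader and listener class names the alert describes, and also opens any .jar it finds to look for those class names packaged inside. The artifact names come from the alert; the function names, the sample fixture and the scan path are assumptions for the example.

```python
"""Hunt for the /tmp artifacts named in the CISA alert (added example)."""
import os
import tempfile
import zipfile
from pathlib import Path

# Artifact names as given in the CISA alert summarised above.
LOADER_NAME = "web-install.jar"
LISTENER_CLASSES = {
    "ReflectUtil.class",
    "SecurityHandlerWanListener.class",
    "WebAndroidAppInstaller.class",
}

def jar_suspicious_entries(jar_path):
    """Return entries inside a jar whose basename matches a listener class name."""
    hits = []
    try:
        with zipfile.ZipFile(jar_path) as zf:
            hits = [n for n in zf.namelist() if os.path.basename(n) in LISTENER_CLASSES]
    except zipfile.BadZipFile:
        pass  # not a valid jar; a name match is still reported by the caller
    return hits

def hunt_artifacts(root):
    """Walk `root` recursively and return a list of (path, reason) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name == LOADER_NAME:
            findings.append((str(path), "loader name from CISA alert"))
        if path.name in LISTENER_CLASSES:
            findings.append((str(path), "listener class name from CISA alert"))
        if path.suffix == ".jar":
            for entry in jar_suspicious_entries(path):
                findings.append((str(path), f"jar contains {entry}"))
    return findings

def build_sample_tree(base=None):
    """Constructed fixture (not real malware): a benign file, a loose class, a fake loader jar."""
    base = Path(base or tempfile.mkdtemp())
    (base / "notes.txt").write_text("benign")
    (base / "ReflectUtil.class").write_bytes(b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(base / LOADER_NAME, "w") as zf:
        zf.writestr("com/example/SecurityHandlerWanListener.class", b"\xca\xfe\xba\xbe")
    return base

if __name__ == "__main__":
    import sys
    for p, why in hunt_artifacts(sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()):
        print(f"{p}: {why}")
```

Run it against the real host with the scan path as the first argument; a name match is a lead to triage against CISA's published hashes, not a verdict on its own.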

CISA’s notice provides actionable IoCs and behavior descriptions to help defenders hunt for similar activity and mitigate impacted systems.
