A recently patched pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software has been exploited by a China-nexus threat actor to target a wide range of sectors across Europe, North America, and the Asia-Pacific region.
The vulnerabilities, tracked as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7.2), could be chained to execute arbitrary code on a vulnerable device without requiring any authentication. They were addressed by Ivanti last week.
Now, according to a report from EclecticIQ, the vulnerability chain has been abused by UNC5221, a Chinese cyber espionage group known for its targeting of edge network appliances since at least 2023. Most recently, the hacking crew was also attributed to exploitation efforts targeting SAP NetWeaver instances susceptible to CVE-2025-31324.
The Dutch cybersecurity company said the earliest exploitation activity dates back to May 15, 2025, with the attacks targeting healthcare, telecommunications, aviation, municipal government, finance, and defense sectors.
“UNC5221 demonstrates a deep understanding of EPMM’s internal architecture, repurposing legitimate system components for covert data exfiltration,” security researcher Arda Büyükkaya said. “Given EPMM’s role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization.”
The attack sequence involves targeting the “/mifs/rs/api/v2/” endpoint to obtain an interactive reverse shell and remotely execute arbitrary commands on Ivanti EPMM deployments. This is followed by the deployment of KrustyLoader, a known Rust-based loader attributed to UNC5221 that enables the delivery of additional payloads like Sliver.
The threat actors have also been observed targeting the mifs database by making use of hard-coded MySQL database credentials stored in /mi/files/system/.mifpp to obtain unauthorized access to the database and exfiltrating sensitive data that could grant them visibility into managed mobile devices, LDAP users, and Office 365 refresh and access tokens.
Furthermore, the incidents are characterized by the use of obfuscated shell commands for host reconnaissance before dropping KrustyLoader from an AWS S3 bucket and Fast Reverse Proxy (FRP) to facilitate network reconnaissance and lateral movement. It’s worth mentioning here that FRP is an open-source tool widely shared among Chinese hacking groups.
EclecticIQ said it also identified a command-and-control (C2) server associated with Auto-Color, a Linux backdoor that was documented by Palo Alto Networks Unit 42 as used in attacks aimed at universities and government organizations in North America and Asia between November and December 2024.
“The IP address 146.70.87[.]67:45020, previously associated with Auto-Color command-and-control infrastructure, was seen issuing outbound connectivity tests via curl immediately after exploitation of Ivanti EPMM servers,” Büyükkaya pointed out. “This behaviour is consistent with Auto-Color’s staging and beaconing patterns. Taken together, these indicators very likely link to China-nexus activity.”
The disclosure comes as threat intelligence firm GreyNoise noted that it had witnessed a significant spike in scanning activity targeting Ivanti Connect Secure and Pulse Secure products prior to the disclosure of CVE-2025-4427 and CVE-2025-4428.
“While the scanning we observed was not directly tied to EPMM, the timeline underscores a critical reality: scanning activity often precedes the public emergence of zero-day vulnerabilities,” the company said. “It’s a leading indicator — a signal that attackers are probing critical systems, potentially in preparation for future exploitation.”
