The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization’s network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).
“Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server,” CISA said in an alert.
The vulnerabilities that were exploited in the attack include CVE-2025-4427 and CVE-2025-4428, both of which have been abused as zero-days prior to them being addressed by Ivanti in May 2025.
While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code execution. As a result, the two flaws could be chained to execute arbitrary code on a vulnerable device without authentication.
According to CISA, the threat actors gained access to server running EPMM by combing the two vulnerabilities around May 15, 2025, following the publication of a proof-of-concept (PoC) exploit.
This permitted the attackers to run commands that made it possible to collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump Lightweight Directory Access Protocol (LDAP) credentials, the agency added.
Further analysis determined that the cyber threat actors dropped two sets of malicious files to the “/tmp” directory, each of which enabled persistence by injecting and running arbitrary code on the compromised server:
- Set 1 – web-install.jar (aka Loader 1), ReflectUtil.class, and SecurityHandlerWanListener.class
- Set 2 – web-install.jar (aka Loader 2) and WebAndroidAppInstaller.class
Specifically, both sets contain a loader which launches a malicious compiled Java class listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads for subsequent execution.
“ReflectUtil.class manipulates Java objects to inject and manage the malicious listener SecurityHandlerWanListener in Apache Tomcat,” CISA said. “[SecurityHandlerWanListener.class] malicious listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads, which dynamically create and execute a new class.”
WebAndroidAppInstaller.class, on the other hand, works differently by retrieving and decrypting a password parameter from the request using a hard-coded key, the contents of which are used to define and implement a new class. The result of the execution of the new class is then encrypted using the same hard-coded key and generates a response with the encrypted output.
The end result is that it allows the attackers to inject and execute arbitrary code on the server, enabling follow-on activity and persistence, as well as exfiltrate data by intercepting and processing HTTP requests.
To stay protected against these attacks, organizations are advised to update their instances to the latest version, monitor for signs of suspicious activity, and implement necessary restrictions to prevent unauthorized access to mobile device management (MDM) systems.
