Malicious Listener Targeting Ivanti EPMM

CISA’s Malware Analysis Report (MAR) details an active exploitation campaign targeting Ivanti Endpoint Manager Mobile (EPMM) systems through the vulnerabilities CVE-2025-4427 and CVE-2025-4428. Threat actors deployed malicious listeners on compromised systems, allowing arbitrary code execution and persistent access; the malware leverages Java class injection, encryption, and Base64 encoding to evade detection.

Severity: High

Threat Overview

1. Exploited Vulnerabilities

  • CVE-2025-4427 and CVE-2025-4428
  • These flaws were chained by attackers to gain unauthenticated access to vulnerable Ivanti EPMM servers and execute malicious payloads remotely. Public proof-of-concept (PoC) code accelerated exploitation.

2. Targeted Product Versions
Vulnerable versions include:

  • Ivanti EPMM — v11.12.0.4 and earlier; v12.3.0.1 and earlier; v12.4.0.1 and earlier; v12.5.0.0 and earlier (Patched as of May 13, 2025)

3. Malware Sets & Functionality

Set 1 (Loader 1 and Listener)

  • Loader: web-install.jar
  • Manager: ReflectUtil.class
  • Listener: SecurityHandlerWanListener.class

Behavior:

  • Injects a malicious listener into Apache Tomcat.
  • Intercepts HTTP requests with specific headers and encrypted payloads.
  • Decrypts Base64-encoded, AES-encrypted payloads and dynamically loads new Java classes for remote code execution.

Set 2 (Alternate Loader and Listener)

  • Loader: web-install.jar
  • Listener: WebAndroidAppInstaller.class

Behavior:

  • Processes application/x-www-form-urlencoded HTTP requests.
  • Decrypts the password parameter using AES with a hardcoded key.
  • Dynamically creates, encrypts, and responds with malicious Java class output.

4. Delivery Mechanism

The malware was delivered in a segmented, stealthy manner to evade detection:

  • Threat actors split the malicious payloads (Loader 1 and Loader 2) into Base64-encoded chunks. Each chunk was delivered in a separate HTTP GET request to the vulnerable Ivanti EPMM API endpoint.
  • The requests abused Java Expression Language (EL) injection to create or append to the file /tmp/web-install.jar, decoding the Base64 data and writing it to disk using Java reflection APIs.
  • This process was repeated for each chunk until the full malware payload was assembled.
  • This file-append and Base64-decoding technique allowed the malware to bypass the size limits of a single request, evade static signature-based detection, and avoid triggering basic file integrity checks.
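As an added detection example (not part of CISA's report or of Ivanti's code), the script below scans constructed access-log lines for the delivery pattern described above: repeated GET requests from one source to the /mifs/rs/api/v2/ prefix whose query carries EL delimiters alongside Base64-looking values. The endpoint name, parameter names and chunk values are placeholders, and the EL body is an inert marker.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined style); not taken from the CISA report.
# Endpoint name, parameter names and chunk values are placeholders; the EL body is inert.
SAMPLE_LOG = """\
203.0.113.7 - - [15/May/2025:10:01:01 +0000] "GET /mifs/rs/api/v2/example-endpoint?p=${EL_PLACEHOLDER}&c=UEsDBBQACAgIAAAAIQ HTTP/1.1" 200 512
203.0.113.7 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/example-endpoint?p=%24%7BEL_PLACEHOLDER%7D&c=AAAAAAAAAAAAAAAAAA HTTP/1.1" 200 512
203.0.113.7 - - [15/May/2025:10:01:03 +0000] "GET /mifs/rs/api/v2/example-endpoint?p=${EL_PLACEHOLDER}&c=QUJDREVGR0hJSktMTU4 HTTP/1.1" 200 512
198.51.100.9 - - [15/May/2025:10:02:00 +0000] "GET /mifs/rs/api/v2/example-endpoint?p=${EL_PLACEHOLDER}&c=QUJDREVGR0hJSktMTU4 HTTP/1.1" 200 512
192.0.2.44 - - [15/May/2025:10:03:00 +0000] "GET /mifs/rs/api/v2/example-endpoint?p=device-42 HTTP/1.1" 200 512
192.0.2.44 - - [15/May/2025:10:03:05 +0000] "POST /mifs/login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
EL_RE = re.compile(r'[$#]\{')                       # EL delimiters, checked after URL-decoding
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')  # Base64-looking value of at least 16 chars
API_PREFIX = "/mifs/rs/api/v2/"
CHUNK_THRESHOLD = 3  # flagged GETs from one source before reporting chunked delivery

def is_suspicious(target: str) -> bool:
    """True if the request hits the EPMM API prefix with EL delimiters and a Base64-like value."""
    path, _, query = target.partition("?")
    if not path.startswith(API_PREFIX) or not query:
        return False
    decoded = unquote(query)                      # catches %24%7B as well as a literal ${
    values = [kv.partition("=")[2] for kv in decoded.split("&")]
    return bool(EL_RE.search(decoded)) and any(B64_RE.match(v) for v in values)

def find_chunked_delivery(log_text: str, threshold: int = CHUNK_THRESHOLD) -> dict:
    """Count suspicious API GETs per source IP and return the sources at or over the threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("method") == "GET" and is_suspicious(m.group("target")):
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in find_chunked_delivery(SAMPLE_LOG).items():
        print(f"possible chunked payload delivery from {ip}: {n} EL+Base64 GETs to {API_PREFIX}")
```

Tune the threshold to your own baseline; a single EL-bearing request to the API prefix is still worth reviewing even when it falls below it.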

Recommendations

  1. Ensure Ivanti EPMM is running the latest security updates.
  2. Treat mobile device management (MDM) systems as high-value assets (HVAs) with additional restrictions and monitoring.
  3. Restrict external access to Ivanti EPMM servers, especially to /mifs/rs/api/v2/ endpoints.
  4. Disable or restrict the use of Java Expression Language (EL) where not strictly needed.
  5. If compromise is detected:
    • Isolate the affected system.
    • Collect volatile memory and full disk image for analysis.
    • Reimage compromised hosts.
    • Perform credential resets and key rotations across the network.
  6. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/c078a96f6fd14bcaa6d92e8539cb5f9cfef3fb7c572704770b6b1345fbb52c03/iocs

Source:

  • https://www.cisa.gov/news-events/analysis-reports/ar25-261a
