    CISA Warns of Two Malware Strains Exploiting Ivanti EPMM CVE-2025-4427 and CVE-2025-4428

    By Techurz, September 19, 2025 (updated May 10, 2026)

    Sep 19, 2025Ravie LakshmananData Breach / Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of two sets of malware that were discovered in an unnamed organization’s network following the exploitation of security flaws in Ivanti Endpoint Manager Mobile (EPMM).

    “Each set contains loaders for malicious listeners that enable cyber threat actors to run arbitrary code on the compromised server,” CISA said in an alert.

    The vulnerabilities that were exploited in the attack include CVE-2025-4427 and CVE-2025-4428, both of which have been abused as zero-days prior to them being addressed by Ivanti in May 2025.

    While CVE-2025-4427 concerns an authentication bypass that allows attackers to access protected resources, CVE-2025-4428 enables remote code execution. As a result, the two flaws could be chained to execute arbitrary code on a vulnerable device without authentication.

    According to CISA, the threat actors gained access to a server running EPMM by chaining the two vulnerabilities around May 15, 2025, following the publication of a proof-of-concept (PoC) exploit.

    This permitted the attackers to run commands that made it possible to collect system information, download malicious files, list the root directory, map the network, execute scripts to create a heapdump, and dump Lightweight Directory Access Protocol (LDAP) credentials, the agency added.

    Further analysis determined that the cyber threat actors dropped two sets of malicious files to the “/tmp” directory, each of which enabled persistence by injecting and running arbitrary code on the compromised server:

    • Set 1 – web-install.jar (aka Loader 1), ReflectUtil.class, and SecurityHandlerWanListener.class
    • Set 2 – web-install.jar (aka Loader 2) and WebAndroidAppInstaller.class

    Specifically, both sets contain a loader which launches a malicious compiled Java class listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads for subsequent execution.

    “ReflectUtil.class manipulates Java objects to inject and manage the malicious listener SecurityHandlerWanListener in Apache Tomcat,” CISA said. “[SecurityHandlerWanListener.class] is a malicious listener that intercepts specific HTTP requests and processes them to decode and decrypt payloads, which dynamically create and execute a new class.”

    WebAndroidAppInstaller.class, on the other hand, works differently by retrieving and decrypting a password parameter from the request using a hard-coded key, the contents of which are used to define and implement a new class. The result of the execution of the new class is then encrypted using the same hard-coded key and generates a response with the encrypted output.

    The end result is that the attackers can inject and execute arbitrary code on the server, enabling follow-on activity and persistence, as well as exfiltrate data by intercepting and processing HTTP requests.

    To stay protected against these attacks, organizations are advised to update their instances to the latest version, monitor for signs of suspicious activity, and implement necessary restrictions to prevent unauthorized access to mobile device management (MDM) systems.
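    As an added example, not part of CISA's alert or this article, the script below shows one way to act on the "monitor for signs of suspicious activity" advice: it walks a directory such as the EPMM server's /tmp (the path is an assumption), reports any file whose name matches the four artifacts CISA listed, and records each match's SHA-256 so it can be compared against the indicators CISA publishes. Because both loaders were named web-install.jar, the file name alone cannot distinguish Set 1 from Set 2, which is why the hash is recorded. Any other .jar or .class file in the directory is listed for review. The sample files it creates are constructed placeholders, not real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names CISA reported being dropped to /tmp (taken from the alert text above).
ARTIFACT_NAMES = {
    "web-install.jar",                  # Loader 1 and Loader 2 share this name
    "ReflectUtil.class",                # Set 1
    "SecurityHandlerWanListener.class", # Set 1
    "WebAndroidAppInstaller.class",     # Set 2
}


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large archives do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_artifacts(directory: str) -> dict:
    """Scan `directory` recursively.

    Returns {"matches": [(relative_path, sha256), ...],
             "other_java": [relative_path, ...]}
    `matches` are files whose names are in ARTIFACT_NAMES; `other_java` are any
    remaining .jar/.class files, which normally have no business in /tmp.
    """
    matches = []
    other_java = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            if not os.path.isfile(path):  # skip sockets, fifos, dangling links
                continue
            rel = os.path.relpath(path, directory)
            if name in ARTIFACT_NAMES:
                matches.append((rel, sha256_of(path)))
            elif name.endswith((".jar", ".class")):
                other_java.append(rel)
    matches.sort()
    other_java.sort()
    return {"matches": matches, "other_java": other_java}


def build_sample_dir(base: str) -> str:
    """Populate `base` with constructed placeholder files (not real malware)
    so the scan can be exercised offline."""
    Path(base, "web-install.jar").write_bytes(b"constructed placeholder loader")
    Path(base, "ReflectUtil.class").write_bytes(b"constructed placeholder class")
    Path(base, "update.jar").write_bytes(b"constructed unrelated archive")
    Path(base, "notes.txt").write_text("benign text file")
    return base


def scan_sample() -> dict:
    """Build the constructed sample directory in a fresh temp dir and scan it."""
    return find_dropped_artifacts(build_sample_dir(tempfile.mkdtemp()))


if __name__ == "__main__":
    import sys

    # Usage: python hunt_epmm_tmp.py /tmp   (defaults to the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir(tempfile.mkdtemp())
    result = find_dropped_artifacts(target)
    for rel, digest in result["matches"]:
        print(f"MATCH   {rel}  sha256={digest}")
    for rel in result["other_java"]:
        print(f"REVIEW  {rel}")
    if not result["matches"] and not result["other_java"]:
        print("no Java artifacts found")
```

A match on name is only a lead: compare the recorded SHA-256 with the hashes in CISA's malware analysis report before treating the host as compromised, and treat any unexpected .jar or .class under /tmp as worth a look even when the name differs, since file names are trivially changed between intrusions.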
