Intel Name: Malicious Listener for Ivanti Endpoint Mobile Management Systems
Date of Scan: September 19, 2025
Impact: High
Summary: Threat actors compromised Ivanti Endpoint Manager Mobile (EPMM) appliances by chaining two vulnerabilities, CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (code injection), to gain initial access. Around May 15, 2025, they sent crafted HTTP GET requests to the /mifs/rs/api/v2/ endpoint, carrying the injected code in the ?format= query parameter, to execute commands on the appliance. With that foothold they collected system information, downloaded files, mapped the network, extracted LDAP credentials, and more. CISA recovered two sets of malware from the /tmp directory and analyzed them; both are designed to maintain persistence and to enable arbitrary code execution on the compromised EPMM servers.
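Added example (not part of the CISA report or this summary): a small hunt script that scans web-server access logs for the request pattern described above, GET requests under /mifs/rs/api/v2/ whose format parameter carries expression-language-looking content. The log format (Apache/nginx "combined"), the sample lines, the source IPs, the endpoint suffix in the samples and the payload markers are all constructed assumptions; EPMM's own log layout and the real payloads are not taken from the page. The script also handles double URL-encoding, which a single decode would miss.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: Apache/nginx "combined" access-log layout. EPMM's actual log
# format is not described in the report, so adapt the regex to your source.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The API prefix named in the summary; anything beneath it is in scope.
API_PREFIX = "/mifs/rs/api/v2/"

# Assumed markers of expression-language injection inside the decoded
# "format" value. These are illustrative, not indicators from the report.
EL_MARKERS = ("${", "#{", "getClass(", "Runtime", "ProcessBuilder", "forName(")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs performs one level of percent-decoding on keys and values.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return a reason string if the request looks like abuse of the API, else None."""
    if rec["method"] != "GET" or not rec["path"].startswith(API_PREFIX):
        return None
    for raw in rec["query"].get("format", []):
        # parse_qs already decoded once; decode again so that a double-encoded
        # payload such as %2524%257B (-> %24%7B -> ${) is still caught.
        decoded = unquote(raw)
        if any(marker in decoded for marker in EL_MARKERS):
            return f"EL-like payload in format parameter: {decoded[:60]}"
    return None


def scan(lines):
    """Run the classifier over an iterable of log lines and return the hits."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real hunt would count these separately
        reason = classify(rec)
        if reason:
            hits.append({
                "src": rec["src"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "reason": reason,
            })
    return hits


# Constructed sample log lines (IPs from documentation ranges, endpoint suffix
# and payload bodies invented for the example).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2025:03:12:44 +0000] "GET /mifs/rs/api/v2/featureusage'
    '?format=%24%7B%27%27.getClass%28%29%7D HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [15/May/2025:03:12:51 +0000] "GET /mifs/rs/api/v2/featureusage'
    '?format=%2524%257Bx%257D HTTP/1.1" 200 3301 "-" "python-requests/2.31"',
    '198.51.100.20 - - [15/May/2025:03:15:02 +0000] "GET /mifs/rs/api/v2/featureusage'
    '?format=json HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
    '198.51.100.21 - - [15/May/2025:03:16:10 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1900 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["path"]} [{hit["status"]}] {hit["reason"]}')
```

Run against the constructed sample, only the two requests from 203.0.113.7 are flagged: the plainly encoded `${''.getClass()}` and the double-encoded `${x}`; the legitimate `format=json` call and the unrelated login page are ignored. In a real investigation, pair the request hits with a review of /tmp on the appliance for the listener components the report describes.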