The Cybersecurity and Infrastructure Security Agency (CISA) on Sept. 18 issued a malware analysis report on two sets of malicious code from an organization compromised by threat actors exploiting two bugs in the Ivanti Endpoint Manager Mobile (EPMM) tool.

CISA said the malware exploited two CVEs – CVE-2025-4427 and CVE-2025-4428. After exploitation, the malware let the threat actors inject and run arbitrary code on the compromised server.

Lawrence Pingree, technical evangelist at Dispersive Holdings, said malware that's instrumented to target specific vulnerabilities in centralized endpoint management solutions like these Ivanti tools is incredibly important to defend against.

"Isolating and microsegmenting sensitive systems like this is essential. Patching rapidly, ideally with an automated process, is essential in defending against vulnerabilities," said Pingree.

Certis Foster, senior threat hunter lead at Deepwatch, said the hackers essentially exploited two critical vulnerabilities in Ivanti's mobile device management system to install a hidden backdoor. Foster said they bypassed authentication, injected malicious code through the API, and planted persistent "listeners" that could execute commands, steal credentials, and maintain access even after detection.

Here's what Foster said security teams should do:
- Upgrade Ivanti EPMM systems to the latest version.
- Use the CISA detection rules to search for IOCs in /tmp directories and /mifs/rs/api/v2/ endpoint activity.
- Treat the MDM systems as crown jewels going forward with enhanced monitoring/segmentation since they house thousands of devices.
- If compromised, quarantine the impacted systems and capture forensic images before reimaging if possible.
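The second item above names two places to hunt: requests to the `/mifs/rs/api/v2/` endpoint prefix and files dropped in `/tmp`. The script below is an added example written for this article, not CISA's detection rules and not Ivanti code. It assumes the EPMM front-end web server writes Apache/nginx combined-format access logs (adjust `LOG_RE` otherwise), assumes legitimate API callers are a small known set of management hosts (`KNOWN_API_CLIENTS`, a placeholder), and the sample log lines and endpoint sub-paths are constructed for illustration.

```python
"""Triage helpers for two hunting points: /mifs/rs/api/v2/ activity in
web-server access logs and recently written files in /tmp.
Added example; not CISA's detection rules. Assumes combined log format."""
import os
import re
import time
from collections import Counter

API_PREFIX = "/mifs/rs/api/v2/"

# Assumption (placeholder): the management hosts that legitimately call the API.
KNOWN_API_CLIENTS = {"10.0.0.9"}

# Combined log format: src ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage_api_requests(lines, known_clients=KNOWN_API_CLIENTS):
    """Scan log lines for requests under API_PREFIX.

    Returns (findings, per_source): findings are requests from sources outside
    the known-client set or with a non-browser user agent, each tagged with the
    reasons it was flagged; per_source counts API requests per source address.
    """
    findings = []
    per_source = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(API_PREFIX):
            continue
        per_source[rec["src"]] += 1
        reasons = []
        if rec["src"] not in known_clients:
            reasons.append("source not in known API clients")
        if not rec["ua"].startswith("Mozilla/"):
            reasons.append("non-browser user agent")
        if reasons:
            findings.append({"src": rec["src"], "ts": rec["ts"],
                             "method": rec["method"], "path": rec["path"],
                             "reasons": reasons})
    return findings, per_source


def recent_files(directory="/tmp", max_age_seconds=86400, now=None):
    """List regular files under directory modified within max_age_seconds,
    newest first. Symlinks are not followed. Review hits by hand."""
    now = time.time() if now is None else now
    hits = []
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            st = entry.stat(follow_symlinks=False)
            if now - st.st_mtime <= max_age_seconds:
                hits.append((entry.path, st.st_mtime))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample log lines (addresses, timestamps and endpoint names are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Sep/2025:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Sep/2025:10:02:15 +0000] "POST /mifs/rs/api/v2/example HTTP/1.1" 200 77 "-" "curl/8.0"',
    '10.0.0.9 - - [18/Sep/2025:10:03:40 +0000] "GET /mifs/rs/api/v2/example HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Sep/2025:10:04:01 +0000] "GET /mifs/rs/api/v2/example?q=1 HTTP/1.1" 200 70 "-" "curl/8.0"',
]

if __name__ == "__main__":
    findings, per_source = triage_api_requests(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['src']} {f['method']} {f['path']} -> {', '.join(f['reasons'])}")
    print("API requests per source:", dict(per_source))
    for path, mtime in recent_files("/tmp", max_age_seconds=3600):
        print("recent /tmp file:", path, time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)))
```

Run it against the real access log by replacing `SAMPLE_LOG` with the file's lines; the known-client set and the user-agent heuristic are starting points for triage, not proof of compromise, so pair the output with the published CISA indicators and with the forensic capture step in the last item above.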