
'Ongoing' Ivanti hijack bug exploitation reaches clouds

(2025/05/21)


The "ongoing exploitation" of two Ivanti bugs has now extended beyond on-premises environments and hit customers' cloud instances, according to security shop Wiz.

CVE-2025-4427 is an authentication bypass vulnerability and CVE-2025-4428 is a post-authentication remote-code execution (RCE) flaw. Together they allow a miscreant to run malware on a vulnerable deployment and hijack it. Both holes affect Ivanti Endpoint Manager Mobile (EPMM), which is used to manage company-issued devices and applications and to secure access to sensitive corporate data.

There are at least a couple of proof-of-concept (POC) exploits on the loose for these holes, so if you haven't already: [1]Patch now.

Ivanti [3]disclosed the bugs and issued patches for both last week, warning in the [4]security alert that it was "aware of a very limited number of customers" whose products had been exploited. "The issue only affects the on-prem EPMM product," the vendor said in a subsequent [5]advisory.

The flaws involve some unnamed open source libraries used in its product, according to a statement an Ivanti spokesperson emailed The Register Tuesday:

Ivanti has released a fix for vulnerabilities associated with open-source libraries used in our on-premise Endpoint Manager Mobile products. We are actively working with our security partners and the maintainers of the libraries to determine if a CVE against the libraries is warranted. We remain committed to collaboration and transparency with our stakeholders and the broader security ecosystem.

At the time of disclosure, we are aware of a very limited number of on-premise EPMM customers whose solution has been exploited.

Wiz, on the other hand, asserts the exploitation extends into customers' cloud environments.

"Wiz Research has observed ongoing exploitation of these vulnerabilities in-the-wild targeting exposed and vulnerable EPMM instances in cloud environments since May 16," the cloud security firm's bug hunters Merav Bar, Shahar Dorfman, and Gili Tikochinski [8]wrote Tuesday.

While we don't know who is behind the attacks, in at least one instance the miscreants used their ill-gotten access to deploy a remote-control program called Sliver within victims' cloud environments, we're told. Sliver is a favorite of all types of baddies, from [9]Chinese and Russian government goons to [10]ransomware gangs, because it ensures long-term total access to the compromised system for future snooping, ransomware deployment, credential-stealing campaigns, and many other illicit activities.

On Monday, the US govt's Cybersecurity and Infrastructure Security Agency (CISA) added both bugs to its [12]Known Exploited Vulnerabilities Catalog.

While neither CVE-2025-4427 nor CVE-2025-4428 is considered critical on its own, receiving CVSS severity scores of 5.3 (medium) and 7.2 (high) out of 10, respectively, "in combination they should certainly be treated as critical," according to the Wiz kids.

The [13]soon-to-be-Google-owned security shop said the attacks coincide with the emergence of POCs including those published by [14]watchTowr and [15]ProjectDiscovery on May 15.

About those open-source libraries

Wiz also indicates that the unnamed open-source libraries are tied to the insecure handling of Java Expression Language and to Spring.

We're told CVE-2025-4428 stems from the unsafe use of Java Expression Language in error messages. "It arises from the unsafe handling of user-supplied input within error messages processed via Spring's AbstractMessageSource, which allows attacker-controlled EL (Expression Language) injection," the researchers wrote.

Meanwhile, CVE-2025-4427, according to Wiz, is caused by improper request handling in EPMM's route configuration:

Routes like /rs/api/v2/featureusage were unintentionally exposed without requiring authentication due to missing intercept-url rules in Spring Security configurations. This allows unauthenticated access to the RCE sink, enabling full pre-auth RCE when chained with CVE-2025-4428.

The security researchers say they spotted "multiple malicious payloads" being deployed post-exploitation, including the Sliver code mentioned earlier.

This remote-control tool used 77.221.157[.]154 as its command-and-control server, which is significant because Wiz spotted this same IP address being used to attack similar flaws in [17]exposed Palo Alto Networks appliances in the fall. That [18]didn't end well for buggy PAN-OS kits.
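The two observables the article gives a defender to work with are the route Wiz says was left without an authentication rule and the Sliver C2 address reused from the PAN-OS campaign. The following is an added example, not code from the article, Wiz or Ivanti: it scans constructed web-access and connection log lines for unauthenticated hits on that route (and Expression Language syntax in its parameters) and for outbound connections to the reported C2 address. The log layouts are assumptions; EPMM's real log format will differ.

```python
import re
from ipaddress import ip_address

EXPOSED_ROUTE = "/rs/api/v2/featureusage"   # route Wiz says lacked an intercept-url rule
SLIVER_C2 = ip_address("77.221.157.154")   # C2 from the article, defanged there as 77.221.157[.]154
EL_MARKER = re.compile(r"\$\{|#\{")        # Expression Language delimiters in a request

# Combined-log-format style access line; the exact EPMM log layout is an assumption
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Firewall/netflow style connection line; layout is also an assumption
CONN_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def scan_access_log(lines):
    """Flag hits on the exposed route made without a logged principal or carrying EL syntax."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        if path != EXPOSED_ROUTE:
            continue
        reasons = []
        if m["user"] == "-":                 # no authenticated user recorded for the request
            reasons.append("unauthenticated access to exposed route")
        if EL_MARKER.search(query):          # ${...} or #{...} in the query parameters
            reasons.append("EL syntax in request parameters")
        if reasons:
            findings.append({"src": m["src"], "status": m["status"], "reasons": reasons})
    return findings

def scan_connection_log(lines):
    """Flag outbound connections to the reported Sliver C2 address."""
    hits = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and ip_address(m["dst"]) == SLIVER_C2:
            hits.append({"src": m["src"], "dport": int(m["dport"])})
    return hits

# Constructed sample lines, not real traffic
ACCESS_SAMPLE = [
    '203.0.113.7 - - [19/May/2025:10:02:11 +0000] "GET /rs/api/v2/featureusage?format=${example} HTTP/1.1" 500 812',
    '198.51.100.4 - admin [19/May/2025:10:03:45 +0000] "GET /rs/api/v2/featureusage HTTP/1.1" 200 1024',
]
CONN_SAMPLE = [
    "2025-05-19T10:05:30Z conn src=10.0.0.5 dst=77.221.157.154 dport=443",
    "2025-05-19T10:05:31Z conn src=10.0.0.5 dst=93.184.216.34 dport=443",
]
```

Calling `scan_access_log(ACCESS_SAMPLE)` flags only the first sample line, on both counts, and `scan_connection_log(CONN_SAMPLE)` returns the single connection to the C2 address; an unchanged TLS certificate on that address, as Wiz notes, means a certificate-fingerprint match is an equally usable pivot where connection logs record it.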

According to the bug hunters, the IP address is still in operation and its TLS certificate hasn't changed since November 2024. "This continuity leads us to conclude that the same actor has been opportunistically targeting both PAN-OS and Ivanti EPMM appliances," the Wiz kids wrote.

The Register asked Ivanti for more information about the scope of exploitation, the open-source libraries linked to the security flaws, and if the bugs affect cloud-based products. We will update this story if the software maker responds to our questions. ®

[1] https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM?language=en_US

[3] https://www.theregister.com/2025/05/14/ivanti_patches_two_zerodays_and/

[4] https://www.ivanti.com/blog/epmm-security-update

[5] https://www.ivanti.com/blog/epmm-security-update

[8] https://www.wiz.io/blog/ivanti-epmm-rce-vulnerability-chain-cve-2025-4427-cve-2025-4428

[9] https://www.theregister.com/2025/04/15/chinese_spies_backdoored_us_orgs/

[10] https://www.theregister.com/2024/02/14/bumblebee_malware_back/

[12] https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[13] https://www.theregister.com/2025/04/09/google_enterprise_security_ambitions/

[14] https://labs.watchtowr.com/expression-payloads-meet-mayhem-cve-2025-4427-and-cve-2025-4428/

[15] https://projectdiscovery.io/blog/ivanti-remote-code-execution

[17] https://www.wiz.io/blog/cve-2024-0012-pan-os-vulnerability-exploited-in-the-wild

[18] https://www.theregister.com/2024/11/22/palo_alto_firewalls_under_exploit/
