Ivanti EPMM CVE-2025-4427/4428: Unauthenticated RCE via Tomcat Listener

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has analyzed malicious “listener” malware actively deployed against Ivanti Endpoint Manager Mobile (EPMM) servers following public proof-of-concept exploit code for CVE-2025-4427 and CVE-2025-4428, and the resulting toolset allows attackers to deliver, reconstruct, and reflectively load Java components that install HTTP-based backdoors inside Tomcat—providing unauthenticated remote code execution, persistence, and data exfiltration capability. (rapid7.com)

Background / Overview​

Ivanti Endpoint Manager Mobile (EPMM), historically known as MobileIron, is a mobile device management (MDM) platform used by enterprises to configure, monitor, and control large numbers of mobile endpoints. In May 2025, two related vulnerabilities were disclosed: CVE‑2025‑4427 (authentication bypass via EL injection in certain API endpoints) and CVE‑2025‑4428 (a code-injection / RCE-style flaw). When chained together the two allow unauthenticated attackers to push and execute code on EPMM servers. Multiple government and industry teams—including NVD, CISA, Rapid7, ProjectDiscovery, and national CERTs—confirmed active exploitation and urged immediate remediation. (nvd.nist.gov)
CISA’s malware analysis (published as an MAR) examined two distinct sets of malicious artifacts the attackers wrote to /tmp on compromised systems. Each set contained a small JAR “loader” and a companion compiled Java class that becomes a malicious servlet listener inside Apache Tomcat. The listeners intercept specific HTTP requests and can decode, decrypt, define and execute arbitrary Java classes—effectively giving remote, unauthenticated execution under the webapp’s JVM.
Why this matters: MDM systems are high-value assets—they have elevated privileges and broad reach into endpoint fleets. A compromised EPMM instance can be a direct path to device compromise, credential harvesting, lateral movement and supply-chain-scale impact. National CERTs and government cyber centers advised urgent updates and incident response. (cyber.gc.ca)

---

The malware, at a glance​

Two sets, similar goals​

• Set 1: Loader JAR (named web-install.jar in the wild), a manager class ReflectUtil.class, and the listener SecurityHandlerWanListener.class. Loader 1 contains an embedded class that decodes a Base64+gzip blob to produce SecurityHandlerWanListener and then uses reflective ClassLoader APIs to insert it into Tomcat’s listener list.
• Set 2: A smaller loader JAR (also called web-install.jar in samples) plus WebAndroidAppInstaller.class, a listener that pulls an AES-encrypted payload from the HTTP request, decrypts it with a hard-coded key, defines and executes a new class, then encrypts and returns execution output.

Both approaches achieve the same operational result: a malicious HTTP listener inside Tomcat that can accept specially-crafted requests and load/execute attacker-supplied Java bytecode. The payloads were transferred in multiple Base64 chunks via the vulnerable EPMM API endpoint and reconstructed in /tmp using Java EL injection and file append operations. This technique avoids single large uploads, evades simple signature and size-based detection, and bypasses certain transfer size limits.

Key technical details verified independently​

• Affected EPMM versions (vulnerable builds): 11.12.0.4 and prior, 12.3.0.1 and prior, 12.4.0.1 and prior, and 12.5.0.0 and prior; Ivanti released patches on May 13, 2025 addressing the flaws. This version list and patch guidance is confirmed in multiple advisories and telemetry reports. (censys.com)
• CISA added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog on May 19, 2025, which placed a near-term mitigation obligation on federal agencies and raised urgency across the ecosystem. (censys.com)
• Public exploit / proof-of-concept code was published shortly after disclosure; the existence of PoC materially increased exploitation risk and is cited by Rapid7, ProjectDiscovery and others. (rapid7.com)

---

Anatomy of the attack​

Delivery and reconstruction​

• Attackers send multiple HTTP GET requests to the EPMM API path (e.g., /mifs/rs/api/v2/featureusage?format=...) using Java Expression Language (EL) injection.
• Each request contains a Base64-encoded chunk which the injected EL expression decodes and writes into a file opened in append mode (e.g., /tmp/web-install.jar).
• After multiple chunks the full JAR is reconstructed on-disk in /tmp. This chunked delivery technique provides defense-evasion and bypasses some transfer constraints.

Reflective loader + Tomcat listener install​

• Loader 1 decodes an embedded Base64+gzip class and uses ClassLoader.defineClass to load SecurityHandlerWanListener.
• ReflectUtil.class enumerates Tomcat listeners, appends the loaded listener, and updates the application context so the listener becomes active.
• The listener checks for a secret string and specific Referer header (the samples used the string pass 7c6a8867d728c3bb and Referer [url="https://www.live.com"]Outlook[/url])—only then it will accept encoded commands as the request body.
• Commands in the request body are Base64-decoded, AES-decrypted (with a session key stored in the session object), translated into bytecode and defined as a new class; the listener then invokes that class’ methods to execute arbitrary logic.

Alternative listener (Set 2)​

• WebAndroidAppInstaller.class reads a password parameter from form-encoded requests, Base64-decodes it, AES-decrypts with a hard-coded key (3c6e0b8a9c15224a in observed sample), uses it to drive class definition/execution, computes MD5 digests of the password + key for quick request validation, and responds with the first 16 characters of the MD5 followed by the Base64-encoded, AES-encrypted execution output. This grants a compact request/response protocol for remote command execution and result retrieval.

---

Verified impact and observed behavior​

• Arbitrary remote code execution inside Tomcat: Attackers can load Java classes and execute them in the webapp JVM context—enabling system interaction through the Java runtime (getRuntime.exec, file I/O, JDBC, LDAP/AD access).
• Persistence: The attacker-installed listener persists inside the running Tomcat process and survives simple service restarts unless the webapp context or the Tomcat listener configuration is restored.
• Credential harvesting: Reports detail attempts to dump LDAP credentials and gather system identity information via the same API vectors. Rapid7 and other analysts observed both discovery and post-exploitation steps in the wild. (rapid7.com)
• Data exfiltration: The listeners provide request/response channels that can return arbitrary outputs to the attacker, including file contents or command execution results.

Note on scope: while CISA’s analysis and multiple vendors confirmed limited exploitation at disclosure, the public PoC materially increased the risk of widespread abuse; post-disclosure scanning (e.g., Censys, Rapid7 telemetry) found internet-exposed EPMM instances that could be targeted. These figures change over time and are tied to active scanning results; they should be treated as time-bound telemetry rather than static counts. (censys.com)

---

Detection and hunting — practical guidance​

Security teams should prioritize detection across the following telemetry sources:

• Web server / Tomcat access logs
• Look for unusual GET requests to /mifs/rs/api/v2/* containing suspicious EL payloads, repeated format= parameters, or Base64-like strings.
• Look for requests containing the observed secret strings and Referer values used by the listeners (samples used 7c6a8867d728c3bb and Referer [url="https://www.live.com"]Outlook[/url])—these are strong indicators in known samples but may be changed by actors.
• Filesystem indicators
• Presence of /tmp/web-install.jar or other JARs and unexpected .class files inside Tomcat work directories or under Catalina/localhost/[I]/org/apache/jsp/[/I].
• File hashes from CISA’s sample set (SHA256 fingerprints included in their MAR) should be added to EDR/AV and file-integrity monitoring policies.
• Process/Runtime behavior
• Java processes that call ClassLoader.defineClass, getDecoder().decode, gzip decompression routines, or use sun.misc.BASE64Decoder in server contexts where they were not expected.
• Outbound connections to known C2 IPs observed in sampling and network logs; the SIGMA rule and YARA rules included in CISA’s materials can be used as part of alerts.
• Network and SIEM rules
• Deploy the published SIGMA/YARA rules if available in your environment; tune them for false positive reduction. CISA published both YARA and SIGMA examples for Loader 1, ReflectUtil.class, SecurityHandlerWanListener.class, Loader 2, and WebAndroidAppInstaller.class—these are high-confidence detections for the specific malware family.
• IOC ingestion
• Import CISA-provided IOCs / STIX bundles into your threat intelligence platform and EDR. CISA provided downloadable STIX/JSON containing hashes, strings, and behaviors for the analyzed samples.

---

Incident response checklist (prioritized)​

• Isolate: Immediately isolate potentially compromised EPMM servers (network segmentation / firewall block) to stop ongoing exfiltration or command-and-control.
• Preserve: Collect memory snapshots and full forensic disk images from suspected hosts; preserve Tomcat logs, access logs, and /tmp artifacts.
• Hunt & Triage:
• Search for the YARA/SIGMA matches and the IOCs in the STIX bundle.
• Correlate web access logs for suspicious API calls that match chunked EL-injection patterns.
• Contain:
• If compromise is confirmed, revoke Ivanti admin credentials, rotate API keys, and disable external management access until remediation.
• If access appears limited, re-provision credentials; if extensive, follow full containment and remediation playbooks.
• Clean / Rebuild:
• Where compromise is confirmed, reimage affected appliances rather than attempting in-place cleans; Tomcat-level persistence through listeners can be difficult to fully purge.
• Report:
• Report incidents to CISA (if in scope) and to vendor support; CISA requested victims to submit artifacts and engage their incident response teams for coordinated analysis.

Rapid7, CISA and national CERTs all recommended a conservative posture: treat EPMM compromises as severe and pursue full rebuilds / reimages where compromise is confirmed. (rapid7.com)

---

Mitigations and immediate actions​

• PATCH NOW: Apply Ivanti’s May 13, 2025 fixes (upgrade to versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1 or later) as the principal mitigation. Multiple national CERTs and security vendors list these specific target builds as the remediated releases. (projectdiscovery.io)
• Network hardening:
• Limit access to EPMM management interfaces to known IPs and management networks using firewall rules and VPN-only access.
• Block EPMM from initiating outbound traffic that is not required for operations (reduce C2 channel opportunities).
• Protect secrets:
• Rotate any secrets, certificates and service account credentials if an instance may be compromised.
• Treat MDM as an HVA:
• Apply high-value asset protections: enhanced monitoring, stricter change-control, limited admin scope, and multi-party approval for changes.
• Elevate logging & hunts:
• Increase log retention and centralize Tomcat / EPMM logs into a SIEM to run the published SIGMA rule and custom hunts for EL-injection patterns.
• Post-patch integrity checks:
• Run vendor-provided integrity tools and file-hash checks; many incident responses for similar Ivanti compromises relied on vendor integrity checkers to detect tampering. (rapid7.com)

---

Strengths and limitations of the CISA analysis (critical review)​

Strengths​

• High-utility, actionable artifacts: CISA’s report includes file hashes, YARA rules and a SIGMA detection rule—these are directly usable for detection and EDR rule creation. The step-by-step description of loader-to-listener behavior allows defenders to craft targeted hunts and host-based detections.
• Behavioral detail: The MAR explains the EL-injection delivery mechanism, Base64 chunking and the precise reflective loading flow inside Java/Tomcat—this operational granularity helps defenders model likely tactics and containment strategies.
• Cross-community corroboration: Independent coverage and technical writeups (ProjectDiscovery, Rapid7, Qualys, and national CERTs) align with the MAR’s diagnosis and confirm active exploitation and the presence of PoC code, increasing confidence in CISA’s findings. (projectdiscovery.io)

Limitations / Risks to note​

• Single-sample bias: The MAR centers on five observed files from one compromised organization. Attackers often create variants quickly; detection that relies solely on those file hashes or exact string patterns can be evaded by small changes (different hard-coded keys, changed header checks, altered filenames). Defenders must therefore prioritize behavioral detections and anomaly hunts rather than only static hashes.
• Attribution and scope: The MAR appropriately avoids attribution and does not enumerate the full scope of affected tenants. External scanners have found exposed instances, but counts and IP lists are transient and incomplete; defenders must assume broader exposure until networks show otherwise. (censys.com)
• Public PoC increases risk: Multiple vendors observed public PoC publishings shortly after disclosure; that materially increases opportunistic exploitation and makes rapid patching and detection urgent. (rapid7.com)

Flagged unverifiable claims: any numerical claims about the total number of successfully compromised organizations or the number of actively infected hosts at any moment should be treated as time-limited telemetry—they may be accurate at the time of scanning but quickly change, so treat them as indicators, not definitive counts. (censys.com)

---

Operational recommendations (for WindowsForum readership / sysadmins)​

• Treat all on-premises MDM / EMM systems (including Ivanti EPMM) as high-value, high-risk infrastructure: limit access, monitor continuously, and apply the principle of least privilege for administrative accounts.
• If you run EPMM and haven’t yet patched to the remediated builds, schedule immediate maintenance windows to update, and apply temporary network ACLs that prevent external access to EPMM management ports.
• In mature EDR/SIEM environments, implement hybrid detection:
• Static: ingest CISA hashes and YARA rules.
• Behavioral: detect EL injection-like request patterns, use web log parsers to surface requests with long Base64 payloads in GET/format arguments, and flag suspicious file writes to /tmp or Tomcat work directories by the JVM user.
• If a compromise is suspected, preserve evidence and involve forensic/incident response professionals; Ivanti and CISA offered incident submission channels and forensic guidance when these vulnerabilities were active in the wild. (rapid7.com)

---

Conclusion​

The Ivanti EPMM chain of CVE‑2025‑4427 and CVE‑2025‑4428 changed a theoretical EL-injection and code-injection weakness into an operational foothold for attackers by enabling reflective Java loading and servlet listener insertion in Tomcat. CISA’s malware analysis provides concrete artifacts and detection content that defenders should immediately deploy; independent vendor analyses and national CERT advisories corroborate the danger and the patching guidance. Rapid, prioritized patching of Ivanti EPMM instances, treating MDM as a high-value asset, deploying the provided YARA/SIGMA detections, and conducting thorough hunts for the described delivery patterns are the most pragmatic steps an organization can take today to reduce risk.

---

(Technical appendix: the CISA MAR contains full YARA rules, a SIGMA detection template, and a downloadable STIX IOC bundle for immediate integration with EDR and SIEM systems; defenders should import those artifacts directly into their tooling and tune them for their environment. )

---

Source: CISA https://www.cisa.gov/news-events/analysis-reports/ar25-261a/