Chinese cyber spies are using Ivanti EPMM flaws to breach EU, US organizations

CVE-2025-4427 and CVE-2025-4428 – the two Ivanti Endpoint Manager Mobile (EPMM) vulnerabilities that were exploited in the wild as zero-days and patched by Ivanti last week – are being leveraged by a Chinese cyber espionage group that has been exploiting zero-days in edge network appliances since at least 2023, EclecticIQ researchers have shared.

Among the entities targeted in this campaign were:

  • a local government authority and healthcare organizations in the UK;
  • a research institute, a legal firm, a telco and a manufacturer in Germany;
  • an aerospace leasing company in Ireland;
  • a healthcare provider, a medical device manufacturer, a firearms manufacturer, and even a cybersecurity firm specializing in mobile threat defense and enterprise device security in the US;
  • a multinational bank operating in South Korea;
  • a Japanese automotive parts supplier.

The attack campaign

By chaining together the two vulnerabilities, the attackers could achieve remote code execution on internet-exposed Ivanti EPMM deployments without having to authenticate themselves first.

They set up a reverse shell on the compromised systems, deployed KrustyLoader malware downloaded from publicly accessible Amazon AWS S3 buckets, the Sliver backdoor/implant, and an open-source reverse proxy tool.

They also managed to extract data from the Ivanti EPMM databases: data related to the managed mobile devices (IMEI, phone numbers, location, etc.), LDAP users, and Office 365 refresh and access tokens.

EclecticIQ does not mention whether the compromised instances were deployed by the organizations on-premises or in their cloud environment, but Wiz researchers, judging by some overlapping indicators of compromise, have spotted the same activity by the same Chinese threat actor, which is tracked as UNC5221.

“We can confirm that the incident we found was on cloud hosted virtual appliances and not an on-prem device. This doesn’t mean that the attacker explicitly targeted cloud environments – from an outside network perspective it is hard to differentiate the two deployment options – but it does mean that both cloud and on-prem customers are at risk,” Gili Tikochinski, researcher at Wiz, told Help Net Security.

EclecticIQ researchers say that UNC5221 demonstrated a deep understanding of EPMM’s internal architecture by repurposing legitimate system components for data exfiltration.

“Given EPMM’s role in managing and pushing configurations to enterprise mobile devices, a successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization,” they added.

One of the IP addresses associated with these attacks also points to UNC5221 being the group that exploited vulnerable SAP NetWeaver installations earlier this month.

Patch and search for evidence of compromise

Organizations using Ivanti EPMM should upgrade their instances to one of the following fixed versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1.
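Because the fixes ship on four separate release branches, a plain numeric comparison gets this wrong: a 12.4.0.1 build is numerically above 11.12.0.5 but is still unpatched, since its own branch's fix is 12.4.0.2. The following branch-aware check is an added example written for this article, not Ivanti's tooling; it assumes you already have the dotted version string of each appliance (how you read it from your deployment is outside the example), and the inventory at the bottom is constructed sample data.

```python
"""Branch-aware check of Ivanti EPMM version strings against the fixed
versions named above (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1).

Added example, not Ivanti's code. Assumes a plain dotted version string
such as "12.4.0.1" per appliance.
"""

from typing import Dict, List, Tuple

# Fixed versions keyed by release branch (first two components). A build is
# compared only against the fix on its own branch, never across branches.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}
OLDEST_FIXED_BRANCH = min(FIXED_VERSIONS)
NEWEST_FIXED_BRANCH = max(FIXED_VERSIONS)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.4.0.1' into (12, 4, 0, 1); shorter strings are padded with
    zeros so '12.5' compares as (12, 5, 0, 0). Rejects non-numeric input."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    if len(parts) > 4:
        raise ValueError(f"too many components: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version_text: str) -> Dict[str, object]:
    """Classify one EPMM version string.

    status values:
      patched            - at or above the fix for its own branch
      upgrade_required   - on a fixed branch but below the fix
      unsupported_branch - older than any branch that received a fix
      newer_than_listed  - branch not covered by the versions named here
    """
    version = parse_version(version_text)
    branch = (version[0], version[1])
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        status = ("unsupported_branch" if branch < OLDEST_FIXED_BRANCH
                  else "newer_than_listed")
    elif version >= fixed:
        status = "patched"
    else:
        status = "upgrade_required"
    return {
        "version": ".".join(str(n) for n in version),
        "branch": f"{branch[0]}.{branch[1]}",
        "fixed_version": ".".join(str(n) for n in fixed) if fixed else None,
        "status": status,
    }


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) for every appliance that is not confirmed patched.
    Unparseable version strings are reported rather than silently skipped."""
    result = []
    for host, version_text in inventory:
        try:
            status = str(assess(version_text)["status"])
        except ValueError:
            status = "unparseable_version"
        if status != "patched":
            result.append((host, status))
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("epmm-eu-1", "12.4.0.1"),   # above 11.12.0.5 numerically, still unpatched
        ("epmm-eu-2", "12.4.0.2"),
        ("epmm-us-1", "11.12.0.5"),
        ("epmm-us-2", "12.5"),       # pads to 12.5.0.0, below 12.5.0.1
        ("epmm-lab",  "n/a"),
    ]
    for host, status in hosts_needing_action(sample):
        print(f"{host}: {status}")
```

The branch lookup is the whole point: without it, any check that sorts versions globally would mark 12.4.0.1 as safe. Versions on branches newer than those listed here are reported as `newer_than_listed` rather than `patched`, since the article does not say anything about them.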

The company also pointed out that if customers apply the patch and then see a 400 response in their logs, it does not indicate exploitation.

They did not share any indicators of compromise, but both Wiz and EclecticIQ have, so organizations can look for them.
