Malicious Listener for Ivanti Endpoint Mobile Management Systems

    Date: 09/19/2025

    Severity: High

    Summary

    Cyber threat actors exploited Ivanti EPMM systems by chaining two vulnerabilities, CVE-2025-4427 (authentication bypass) and CVE-2025-4428 (code injection), to gain initial access. Around May 15, 2025, they targeted the /mifs/rs/api/v2/ endpoint with crafted HTTP GET requests, using the ?format= parameter to execute remote commands. With that access they collected system data, downloaded files, mapped networks, extracted LDAP credentials, and more. CISA recovered and analyzed two sets of malware from the /tmp directory, designed to maintain persistence and enable arbitrary code execution on the compromised EPMM servers.

    Indicators of Compromise (IOC) List

    IP addresses and file hashes (MD5, SHA-1, SHA-256): the full value lists are carried in Detection Queries 1 through 4 below.

    Filenames

    /mi/tomcat/webapps/mifs/401.jsp

    /mi/tomcat/webapps/mifs/css/css.css

    /mi/tomcat/webapps/mifs/session.jsp

    /mi/tomcat/webapps/mifs/baseURL.jsp

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    dstipaddress IN ("82.132.235.212","37.219.84.22","88.194.29.21","27.25.148.183","83.229.126.234","91.193.19.109","47.120.74.19","100.26.51.59","150.241.71.231","75.170.92.132","5.181.159.149","45.38.17.43") or srcipaddress IN ("82.132.235.212","37.219.84.22","88.194.29.21","27.25.148.183","83.229.126.234","91.193.19.109","47.120.74.19","100.26.51.59","150.241.71.231","75.170.92.132","5.181.159.149","45.38.17.43")

    Detection Query 2:

    md5hash IN ("e33103767524879293d1b576a8b6257d","6ec2169312feb9fde0b17e244b32c37d","5e9d283b483b8d5c637baf7cfdda0e08","32f5c3c1582a77c004b1511c77454678","8387a7ce9f2520d8956747fd247b19af")

    Detection Query 3:

    sha1hash IN ("19b4df629f5b15e5ff742c70d2c7dc4dac29a7ce","dce8faf5fcf5998b6802995914caa988ee1ebd92","f780151c151b6cec853a278b4e847ef2af3dbc5d","c2046523f1cb487a473b0a46a5a4a957f1b3200a","6d7e85862f925e83f6d0c29e291765548fac721a","8b87a881f6f81afb596d3f98abef4225315e26bf","2a96ce17ed8a025dd72f3729c247dfdb5b0a19a4","9808ab3ddfb9ab4fe3af1b5d1f6a638bc03788e0","1b1dda5e8e26da568559e0577769697c624df30e","ac389c8b7f3d2fcf4fd73891f881b12b8343665b","aa2cfeeca6c8e7743ad1a5996fe5ccc3d52e901d","2bd61ce5bdd258c7dcbef53aedb1b018b8e0ae26")

    Detection Query 4:

    sha256hash IN ("065c1c2fb17ba1c3f882bead409215df612673cd455698768ed71412f9190ba3","b618057de9a8bba95440f23b9cf6374cc66f2acd127b3d478684b22d8f11e00b","c1f60ca5a5f7b94ab7122718a44b46de16c69d22c2eb62ce2948cab14bc78d50","df501b238854d6579cafebeba82581a728e89ed1f6cd0da54c79ef4eb6f4f9fd","b1b1cf33b8d3da35293d6b74c378f0cd9452a4351e26d07c896c4d9a8257ef89")

    Detection Query 5:

    (resourcename = "Windows Security" AND eventtype = "4663") AND filename IN ("/mi/tomcat/webapps/mifs/401.jsp","/mi/tomcat/webapps/mifs/css/css.css","/mi/tomcat/webapps/mifs/session.jsp","/mi/tomcat/webapps/mifs/baseURL.jsp")

    Detection Query 6:

    technologygroup = "EDR" AND filename IN ("/mi/tomcat/webapps/mifs/401.jsp","/mi/tomcat/webapps/mifs/css/css.css","/mi/tomcat/webapps/mifs/session.jsp","/mi/tomcat/webapps/mifs/baseURL.jsp")
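    A log-side complement to the queries above, added here as an example that is not part of the Gurucul advisory or of CISA's report: it scans Apache-style access-log lines for the three indicators the page describes (known source IPs, GET requests to /mifs/rs/api/v2/ carrying a format parameter, and requests for the dropped JSP/CSS files). It assumes the on-disk files under /mi/tomcat/webapps/mifs/ are served under the /mifs/ web context; the sample log lines and the API sub-path in them are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Source IPs from the IOC list above (duplicate entry collapsed).
IOC_IPS = {"82.132.235.212", "37.219.84.22", "88.194.29.21", "27.25.148.183",
           "83.229.126.234", "91.193.19.109", "47.120.74.19", "100.26.51.59",
           "150.241.71.231", "75.170.92.132", "5.181.159.149", "45.38.17.43"}
# Assumption: files under /mi/tomcat/webapps/mifs/ are served by Tomcat in the
# /mifs/ web context, so a request for one of them looks like /mifs/<file>.
WEBSHELL_URIS = {"/mifs/401.jsp", "/mifs/css/css.css",
                 "/mifs/session.jsp", "/mifs/baseURL.jsp"}
API_PREFIX = "/mifs/rs/api/v2/"  # endpoint named in the summary
SUSPECT_PARAM = "format"         # query parameter named in the summary

# Common Log Format: client ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the findings for one access-log line (empty list if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    url = urlsplit(m.group("target"))
    if m.group("ip") in IOC_IPS:
        findings.append("ioc_source_ip")
    # The summary names GET requests to /mifs/rs/api/v2/ with a ?format= parameter;
    # keep_blank_values catches a bare "format=" as well as one with a value.
    if (m.group("method") == "GET" and url.path.startswith(API_PREFIX)
            and SUSPECT_PARAM in parse_qs(url.query, keep_blank_values=True)):
        findings.append("api_v2_format_param")
    if url.path in WEBSHELL_URIS:
        findings.append("webshell_uri")
    return findings

def scan(log_text):
    """Return [(client_ip, request_path, findings)] for every line with a finding."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            ip, target = LOG_RE.match(line).group("ip", "target")
            hits.append((ip, urlsplit(target).path, findings))
    return hits

# Constructed sample lines (not from the advisory); the API sub-path is a placeholder.
SAMPLE_LOG = """\
82.132.235.212 - - [15/May/2025:10:12:01 +0000] "GET /mifs/rs/api/v2/example?format=test HTTP/1.1" 200 512
10.0.0.5 - - [15/May/2025:10:12:05 +0000] "GET /mifs/rs/api/v2/example HTTP/1.1" 200 2048
198.51.100.7 - - [15/May/2025:10:13:40 +0000] "GET /mifs/401.jsp HTTP/1.1" 200 88
"""
```

    Run scan() over the appliance's web access logs for the window around May 15, 2025; a hit on "api_v2_format_param" from an address outside the IOC list is still worth triage, since the IP list is not exhaustive.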

    Reference:

    https://www.cisa.gov/news-events/analysis-reports/ar25-261a


    Tags: CISA, Vulnerability, CVE-2025, Ivanti, EPMM
