Exploitation of Ivanti EPMM Vulnerabilities by Chinese Cyber Actors in Global Enterprise Network Intrusions
A recently addressed pair of security vulnerabilities within Ivanti Endpoint Manager Mobile (EPMM) software has been exploited by a China-based threat actor targeting various sectors across Europe, North America, and the Asia-Pacific region.
These vulnerabilities, designated as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7.2), can be leveraged in tandem to execute arbitrary code on affected devices without requiring authentication. Ivanti rectified these issues last week.
According to a report from EclecticIQ, the exploitation has been attributed to UNC5221, a Chinese cyber espionage group recognized for targeting edge network appliances since at least 2023. This group has also been linked to recent attempts to exploit SAP NetWeaver instances vulnerable to CVE-2025-31324.
The earliest recorded instances of exploitation date back to May 15, 2025, with attacks aimed at multiple sectors, including healthcare, telecommunications, aviation, municipal government, finance, and defense.
“UNC5221 showcases a profound understanding of EPMM’s internal framework, effectively repurposing legitimate system components for covert data exfiltration,” noted security researcher Arda Büyükkaya. “Given EPMM’s significance in managing and deploying configurations to enterprise mobile devices, a successful exploitation could enable threat actors to remotely access, manipulate, or compromise numerous managed devices within an organization.”
The attack sequence begins by targeting the “/mifs/rs/api/v2/” endpoint to gain an interactive reverse shell, allowing the execution of arbitrary commands on Ivanti EPMM deployments. This is followed by the deployment of KrustyLoader, a Rust-based loader associated with UNC5221, which facilitates the subsequent delivery of additional payloads such as Sliver.
The threat actors were also observed compromising the mifs database using hard-coded MySQL database credentials found in /mi/files/system/.mifpp, gaining unauthorized access to sensitive data that provides insight into managed mobile devices, LDAP users, and Office 365 refresh and access tokens.
The operations involve obfuscated shell commands for host reconnaissance before KrustyLoader, retrieved from an AWS S3 bucket, is deployed; Fast Reverse Proxy (FRP) is then used for network reconnaissance and lateral movement. It is pertinent to note that FRP is an open-source tool frequently used by various Chinese hacking groups.
EclecticIQ has also pinpointed a command-and-control (C2) server linked to Auto-Color, a Linux backdoor previously documented by Palo Alto Networks’ Unit 42, which was utilized in attacks targeting universities and government entities across North America and Asia between November and December 2024.
The IP address 146.70.87[.]67:45020, historically associated with Auto-Color’s command-and-control infrastructure, was observed conducting outbound connectivity tests via curl shortly after the exploitation of Ivanti EPMM servers. “This behavior aligns with Auto-Color’s staging and beaconing patterns. Collectively, these indicators are likely indicative of activity linked to China,” Büyükkaya pointed out.
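As an added detection example (not code from the EclecticIQ report, Ivanti, or the original article), the following Python correlates two pieces of telemetry the article mentions: requests to the /mifs/rs/api/v2/ endpoint and outbound connections to 146.70.87[.]67:45020. The log formats, the admin allowlist, the correlation window and the sample log lines are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Indicators quoted from the report; every other value here is an assumption.
EPMM_API_PREFIX = "/mifs/rs/api/v2/"
AUTO_COLOR_C2 = ("146.70.87.67", 45020)
ADMIN_SOURCES = {"10.0.0.5"}  # assumed allowlist of legitimate API clients
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed escalation window
# Constructed sample telemetry, not from any real incident. The access log is
# Apache/Tomcat common format; the egress log is an assumed "ts src dst port".
ACCESS_LOG = """\
203.0.113.7 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/featureusage HTTP/1.1" 200 512
10.0.0.5 - - [15/May/2025:10:05:00 +0000] "GET /mifs/rs/api/v2/devices HTTP/1.1" 200 2048
10.0.0.5 - - [15/May/2025:10:06:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 900
"""
EGRESS_LOG = """\
2025-05-15T10:01:40+00:00 10.0.0.20 203.0.113.50 443
2025-05-15T10:02:05+00:00 10.0.0.20 146.70.87.67 45020
"""
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_access(text):
    """Yield (time, src_ip, path, status) for each well-formed access-log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m.group(1), m.group(4), int(m.group(5))

def parse_egress(text):
    """Yield (time, src_ip, dst_ip, dst_port) from the assumed egress format."""
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def find_findings(access_text, egress_text):
    """Return (rule, source, detail) tuples; a C2 contact shortly after an
    unexpected API request is escalated as a separate, higher-confidence finding."""
    findings, api_hits = [], []
    for ts, src, path, _status in parse_access(access_text):
        if path.startswith(EPMM_API_PREFIX) and src not in ADMIN_SOURCES:
            findings.append(("epmm_api_unexpected_source", src, path))
            api_hits.append(ts)
    for ts, src, dst, port in parse_egress(egress_text):
        if (dst, port) == AUTO_COLOR_C2:
            findings.append(("auto_color_c2_contact", src, f"{dst}:{port}"))
            if any(timedelta(0) <= ts - hit <= CORRELATION_WINDOW for hit in api_hits):
                findings.append(("c2_contact_after_api_request", src, f"{dst}:{port}"))
    return findings
```

The API-prefix rule on its own will be noisy because the endpoint is also used legitimately; the correlated finding is the one worth paging on.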
This information emerges alongside observations from threat intelligence firm GreyNoise, which reported a marked increase in scanning activity directed at Ivanti Connect Secure and Pulse Secure products before CVE-2025-4427 and CVE-2025-4428 were publicly acknowledged.
“While the scanning we observed was not directly associated with EPMM, the timeline underlines an essential reality: scanning activity typically precedes the public revelation of zero-day vulnerabilities,” the company stated. “It serves as an early warning—a signal that attackers are probing critical systems, potentially in preparation for exploitation.”