Ivanti EPMM Vulnerability Exploited by Advanced Persistent Threat Actors to Compromise Government Entities
China-linked espionage actors have been exploiting a remote code execution vulnerability in Ivanti Endpoint Manager Mobile (EPMM) against government and other high-profile organizations worldwide. The flaw, tracked as CVE-2025-4428, is rated high severity (CVSS 7.2).
CVE-2025-4428 lets an attacker run code on the EPMM server through a specially crafted API request. It affects builds 11.12.0.4, 12.3.0.1, 12.4.0.1 and 12.5.0.0 and earlier in each branch. On its own the bug requires an authenticated session, but chained with the related authentication bypass CVE-2025-4427 (CVSS 5.3) it gives an unauthenticated attacker remote code execution. Ivanti disclosed both issues in a security advisory on May 13, 2025, shipped fixed builds (11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1), and said a very limited number of customers had already been exploited at the time of disclosure.
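When triaging a fleet against an advisory like this one, the common mistake is to compare build strings lexically ("anything up to 12.5.0.0 is affected"), which misreports every patched 11.x and 12.3/12.4 build. The following is an added example, not Ivanti's or EclecticIQ's tooling; the fixed builds per branch are taken from Ivanti's May 13, 2025 advisory, and the `FIXED_BUILDS` table and function names are this example's own.

```python
# Added example: triage an EPMM build number against Ivanti's May 13, 2025 advisory.
# The fixed builds per branch (11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1) come from that
# advisory; every earlier build in the same branch is affected. Branches the
# advisory does not list are reported as such rather than guessed.
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]

FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (11, 12): (11, 12, 0, 5),
    (12, 3): (12, 3, 0, 2),
    (12, 4): (12, 4, 0, 2),
    (12, 5): (12, 5, 0, 1),
}


def parse_version(text: str) -> Version:
    """Turn '12.5.0.0' (or a shorter '12.5') into a 4-tuple that compares numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def assess(text: str) -> str:
    """'affected', 'patched', or 'unlisted' for a build string."""
    version = parse_version(text)
    fixed = FIXED_BUILDS.get(version[:2])
    if fixed is None:
        return "unlisted"  # branch not in the advisory table; check Ivanti's advisory
    return "patched" if version >= fixed else "affected"


def naive_assess(text: str) -> str:
    """The shortcut many one-liners use. It compares strings, so '11.12.0.5' sorts
    below '12.5.0.0' and a patched build is reported as affected."""
    return "affected" if text <= "12.5.0.0" else "patched"


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for build in ("12.5.0.0", "12.5.0.1", "11.12.0.5", "11.12.0.4", "12.3", "12.6.0.0"):
        print(f"{build:>9}: numeric={assess(build):<9} naive={naive_assess(build)}")
```

Run the numeric check against your inventory export; the `naive_assess` column is there only to show why a string comparison is the wrong tool for this advisory.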
Research published by EclecticIQ on May 15 reports that CVE-2025-4428 has been exploited in the wild since its disclosure. EclecticIQ attributes the activity to UNC5221, a group with a consistent record of exploiting zero-days in Ivanti edge products, most recently in Ivanti Connect Secure earlier this year.
The intrusions show deep familiarity with EPMM internals: the operators go straight for specific on-disk files that hold sensitive data, including unencrypted MySQL database credentials.
The targeted organizations include:
– UK National Health Service institutions
– A North American national healthcare and pharmaceutical provider
– A U.S. medical device manufacturer
– Municipal agencies in Scandinavia and the UK
– A German Federal Research Institute
– A prominent German telecommunications company and its IT subsidiaries
– A U.S.-based cybersecurity firm
– A major U.S. food service distributor
– An Irish aerospace leasing company
– A German industrial manufacturer
– A Japanese automotive electronics and powertrain supplier
– A U.S. firearms manufacturer
– A South Korean multinational banking institution
Breaches were confirmed through observed reverse shells, data exfiltration, database dumps, persistent malware installations, and abuse of Office 365 tokens and LDAP configuration data harvested from the appliances.
The activity is consistent with espionage: researchers observed reconnaissance against high-value targets aligned with strategic interests. The attackers ran commands to enumerate device details, user accounts and configuration before fetching the KrystyLoader payload from a compromised AWS S3 bucket.
Command output was staged as files with a .jpg extension in a directory the appliance serves publicly, retrieved over ordinary HTTP GET requests so that collection blended in with image traffic, and then deleted to remove the evidence. The technique gives the operator near-real-time results while leaving few artifacts on disk.
EclecticIQ also links the campaign to Auto-Color, a Linux backdoor first described by Palo Alto Networks' Unit 42 in February, at that time without attribution to a specific actor.
The campaign continues the pattern of Chinese espionage groups targeting network edge and management appliances for initial access. Exploitation began within days of disclosure, which leaves defenders little margin: patch immediately, and treat any EPMM instance that was internet-exposed and unpatched during that window as a candidate for compromise assessment rather than assuming it is clean.
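The staging trick in the paragraph above leaves two things a responder can check: files named .jpg that are not JPEGs (a real JPEG starts with the bytes FF D8 FF, a text file of command output does not), and web-server log entries where a .jpg under the public directory was served with a 200 and later returned 404 because it had been deleted. The following hunting script is an added example and is not EclecticIQ's or Ivanti's code. The directory path `/mifs/images/`, the Apache/Tomcat-style combined log format, and the sample log lines are all constructed assumptions for the illustration; point the functions at the appliance's real web-served directory and its access log.

```python
#!/usr/bin/env python3
"""Added example: hunt for command output staged as fake .jpg files and for the
short-lived GET requests that fetched them. Paths and log lines are constructed."""
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, List, Tuple

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker that every real JPEG begins with


def is_fake_jpeg(path: str) -> bool:
    """True when a file carrying a .jpg name does not start with the JPEG marker."""
    with open(path, "rb") as f:
        return f.read(3) != JPEG_SOI


def hunt_fake_images(root: str) -> List[str]:
    """Walk a web-served directory and list .jpg/.jpeg files whose content is not JPEG."""
    hits: List[str] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = os.path.join(dirpath, name)
                if is_fake_jpeg(path):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


# Combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def image_paths_that_vanished(log_lines: List[str], web_prefix: str) -> List[str]:
    """Return .jpg paths under web_prefix that were served (200) and later returned
    404 in the same log: a file that existed briefly and was then removed."""
    history: Dict[str, List[str]] = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        path = m["path"].split("?", 1)[0]
        if path.startswith(web_prefix) and path.lower().endswith((".jpg", ".jpeg")):
            history[path].append(m["status"])  # log order is preserved
    flagged = [
        path for path, statuses in history.items()
        if "200" in statuses and "404" in statuses[statuses.index("200"):]
    ]
    return sorted(flagged)


# Constructed sample access-log lines (assumed format, not from any real incident).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/May/2025:10:21:03 +0000] "GET /mifs/images/logo.jpg HTTP/1.1" 200 18322',
    '203.0.113.7 - - [15/May/2025:10:21:09 +0000] "GET /mifs/images/a1b2.jpg HTTP/1.1" 200 4096',
    '198.51.100.4 - - [15/May/2025:10:22:00 +0000] "GET /mifs/images/logo.jpg HTTP/1.1" 200 18322',
    '203.0.113.7 - - [15/May/2025:10:23:41 +0000] "GET /mifs/images/a1b2.jpg HTTP/1.1" 404 -',
]


def demo() -> Tuple[List[str], List[str]]:
    """Build a throwaway directory with one real and one fake JPEG, then run both hunts."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "logo.jpg"), "wb") as f:
            f.write(JPEG_SOI + b"\xe0" + b"\x00" * 32)          # minimal JPEG-looking header
        with open(os.path.join(root, "a1b2.jpg"), "wb") as f:
            f.write(b"uid=0(root) gid=0(root)\nLinux epmm 4.18.0\n")  # command output, not an image
        fakes = hunt_fake_images(root)
    vanished = image_paths_that_vanished(SAMPLE_LOG, "/mifs/images/")
    return fakes, vanished


if __name__ == "__main__":
    fakes, vanished = demo()
    print("fake images on disk:", fakes)
    print("images fetched then gone:", vanished)
```

The on-disk check only finds files the attacker has not yet cleaned up; the log correlation is what catches the staged-then-deleted pattern after the fact, so run both and cross-reference client IPs from the 200/404 pairs against the rest of the access log.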