Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier.

These flaws, when chained together, allow unauthenticated remote code execution (RCE) on internet-facing systems, posing a severe risk to enterprise security.

EclecticIQ analysts have confirmed active exploitation in the wild since the disclosure date, with attackers targeting critical sectors such as healthcare, telecommunications, aviation, finance, and defense across Europe, North America, and Asia-Pacific.

Ivanti has released patches to address these vulnerabilities and urges customers to follow the official security advisory to secure their environments immediately.

Critical Flaws Enable Remote Code Execution

According to the report, EclecticIQ attributes this exploitation with high confidence to UNC5221, a China-nexus espionage group known for zero-day attacks on edge network appliances since at least 2023.

[Figure: Embedded ciphertext within a binary file. Image credit: Ivanti]

The attackers demonstrate deep knowledge of EPMM’s architecture, exploiting the /mifs/rs/api/v2/ endpoint via the ?format= parameter to execute malicious Java commands using reflection techniques.

These commands enable arbitrary code execution and establish reverse shells for continuous communication with compromised systems.

Sophisticated Tactics by UNC5221 Group

Post-exploitation, UNC5221 deploys KrustyLoader malware, delivered via compromised Amazon AWS S3 buckets, to install the Sliver backdoor, ensuring persistent access through AES-encrypted payloads loaded directly into memory as shellcode.

[Figure: Log entry showing remote code execution via a vulnerable format parameter. Image credit: Ivanti]

Additionally, hardcoded MySQL credentials in EPMM’s configuration files are abused to access the mifs database, exfiltrating sensitive data like device telemetry, LDAP user details, and Office 365 tokens, which could facilitate lateral movement and further espionage.

The threat actors also leverage tools like FRP (Fast Reverse Proxy) to establish SOCKS5 proxies for internal network reconnaissance and use obfuscated shell commands to gather system intelligence, saving outputs in fake JPG files to evade detection.

Infrastructure reuse, such as IP addresses previously tied to SAP NetWeaver exploits, and connections to the Auto-Color Linux backdoor further solidify the link to China-nexus cyber-espionage, likely aligned with state intelligence objectives.

The victimology spans global organizations, exposing vast datasets of personally identifiable information (PII) and credentials, amplifying the potential impact of these intrusions on enterprise and governmental security.

Organizations are advised to monitor HTTP request logs and file system activity in /tmp/ directories, and to apply regex-based detection for suspicious RCE attempts, to safeguard against this ongoing threat.
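One way to implement the log-based detection suggested above, as an added example that is not part of the original article or of any vendor tooling: it parses combined-style access log lines, scopes to the /mifs/rs/api/v2/ path the article names, and flags any format= value that is not a plain token (the allow-list pattern, the reflection keyword list, the log format and the sample lines are all assumptions constructed for illustration).

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: a legitimate format value is a short plain token such as "json" or "xml";
# tune this allow-list to what your own EPMM access logs actually show.
EXPECTED_FORMAT = re.compile(r"^[A-Za-z0-9_-]{1,16}$")
# Characters and Java reflection method names that have no business in a format value.
SUSPICIOUS = re.compile(r"""[(){}\[\]$"'`;]|\b(?:getClass|forName|getMethod|invoke|Runtime)\b""")
# Combined-style access log line (assumed format; adjust the regex to your proxy/web server).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (parse_qs already removed one layer)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(line):
    """Return a finding dict for a suspicious /mifs/rs/api/v2/ request, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.startswith("/mifs/rs/api/v2/"):
        return None
    bad = []
    for raw in parse_qs(url.query, keep_blank_values=True).get("format", []):
        value = fully_decode(raw)
        if not EXPECTED_FORMAT.match(value) or SUSPICIOUS.search(value):
            bad.append(value)
    if not bad:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": url.path,
            "status": m.group("status"), "suspicious_format": bad}

def scan(lines):
    """Run inspect_request over an iterable of log lines and keep only the findings."""
    return [hit for hit in map(inspect_request, lines) if hit]

# Constructed sample log lines (not real traffic); the sub-path "example" is a placeholder.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/May/2025:10:12:01 +0000] "GET /mifs/rs/api/v2/example?format=json HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/May/2025:10:12:05 +0000] "GET /mifs/rs/api/v2/example?format=%2528x%2529 HTTP/1.1" 500 0',
    '198.51.100.7 - - [15/May/2025:10:12:09 +0000] "GET /other/path?format=%28x%29 HTTP/1.1" 404 0',
    '203.0.113.10 - - [15/May/2025:10:12:11 +0000] "GET /mifs/rs/api/v2/example?format=json&format=x%3By HTTP/1.1" 400 0',
]
```

The second sample line is double-encoded, which is why the decoder loops until the value is stable; the third is ignored because it never touches the EPMM API path.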

Indicators of Compromise (IOCs)

| Type | Indicator | Description |
| --- | --- | --- |
| IP Address | 103.244.88[.]125 | Hosts FRP binary delivery |
| IP Address | 27.25.148[.]183 | Reused from prior UNC5221 campaigns |
| IP Address | 146.70.87[.]67:45020 | Linked to Auto-Color C2 infrastructure |
| Domain (AWS S3) | openrbf.s3.amazonaws[.]com, tkshopqd.s3.amazonaws[.]com | Used for KrustyLoader payload delivery |
| Domain (Staging URL) | http://abbeglasses.s3.amazonaws[.]com/dSn9tM | Hosts encrypted Sliver backdoor |
| File Hash (KrustyLoader) | 44c4a0d1826369993d1a2c4fcc00a86bf45723342cfd9f3a8b44b673eee6733a | Malware sample for persistence |
