Full Report
A recently patched pair of security flaws affecting Ivanti Endpoint Manager Mobile (EPMM) software has been exploited by a China-nexus threat actor to target a wide range of sectors across Europe, North America, and the Asia-Pacific region. The vulnerabilities, tracked as CVE-2025-4427 (CVSS score: 5.3) and CVE-2025-4428 (CVSS score: 7.2), could be chained to execute arbitrary code on a
Analysis Summary
# Incident Report: Active Exploitation of Ivanti EPMM Vulnerabilities by UNC5221
## Executive Summary
A China-nexus threat actor, UNC5221, actively exploited a chain of recently patched vulnerabilities (CVE-2025-4427 and CVE-2025-4428) in Ivanti Endpoint Manager Mobile (EPMM) software starting May 15, 2025. The exploitation provided unauthenticated remote code execution, leading to network reconnaissance, deployment of the KrustyLoader malware, and potential compromise of thousands of managed mobile devices across multiple critical sectors globally. Response efforts are focused on understanding impact via database exfiltration and eradicating the deployed C2 infrastructure.
## Incident Details
- **Discovery Date:** Not explicitly stated; exploitation activity began May 15, 2025 and was reported after Ivanti released patches the previous week (relative to the May 22, 2025 article date).
- **Incident Date:** Commenced on or about May 15, 2025.
- **Affected Organization:** Multiple organizations across Healthcare, Telecommunications, Aviation, Municipal Government, Finance, and Defense sectors.
- **Sector:** Cross-sector targeting (critical infrastructure, finance, government).
- **Geography:** Europe, North America, and the Asia-Pacific region.
## Timeline of Events
### Initial Access
- **Date/Time:** On or about May 15, 2025.
- **Vector:** Chained exploitation of two unauthenticated vulnerabilities (CVE-2025-4427 and CVE-2025-4428) affecting Ivanti EPMM.
- **Details:** Attackers targeted the `/mifs/rs/api/v2/` endpoint to obtain an interactive reverse shell and execute arbitrary commands.
### Lateral Movement
- Attackers used obfuscated shell commands for host reconnaissance.
- The open-source tool Fast Reverse Proxy (FRP) was used to facilitate network reconnaissance and lateral movement.
- Threat actors targeted the `mifs` database, leveraging hard-coded MySQL credentials found in `/mi/files/system/.mifpp`, to gain unauthorized access.
### Data Exfiltration/Impact
- Sensitive data was successfully exfiltrated from the `mifs` database, potentially including visibility into managed mobile devices, LDAP users, and Office 365 refresh and access tokens.
- The primary impact stems from the potential to compromise thousands of managed enterprise mobile devices through the compromised EPMM server.
### Detection & Response
- **Detection:** Reported by EclecticIQ following the publication of Ivanti patches.
- **Response actions taken:** Not explicitly detailed; the implied focus is on remediating the vulnerability and cutting off the associated C2 traffic (e.g., blocking the known C2 IP).
## Attack Methodology
- **Initial Access:** Unauthenticated exploitation of Ivanti EPMM via vulnerabilities CVE-2025-4427/CVE-2025-4428.
- **Persistence:** Deployment of KrustyLoader, a known Rust-based loader attributed to UNC5221, to deliver subsequent payloads like Sliver.
- **Privilege Escalation:** Not explicitly detailed beyond command execution via the initial exploit chain.
- **Defense Evasion:** Use of obfuscated shell commands for host reconnaissance.
- **Credential Access:** Theft of hard-coded MySQL database credentials within EPMM files, leading to database access.
- **Discovery:** Obfuscated shell commands used for host reconnaissance; usage of FRP for network reconnaissance.
- **Lateral Movement:** Use of FRP; potential pivoting based on retrieved database information (LDAP, O365 tokens).
- **Collection:** Exfiltration of data from the `mifs` database concerning managed devices and user tokens.
- **Exfiltration:** Repurposing legitimate system components for covert data exfiltration.
- **Impact:** Remote access, manipulation, or compromise of thousands of managed mobile devices. Connection observed to an Auto-Color C2 server.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Sensitive configuration and token data (LDAP users, Office 365 refresh/access tokens) retrieved via database access. Thousands of enterprise mobile devices potentially compromised.
- **Operational:** Potential widespread disruption via access to and manipulation of managed mobile devices.
- **Reputational:** High impact due to targeting of critical infrastructure organizations.
## Indicators of Compromise
- **Network indicators:** `146.70.87[.]67:45020` (Associated with Auto-Color C2 infrastructure issuing `curl` connectivity tests).
- **File indicators:** KrustyLoader (Rust-based loader).
- **Behavioral indicators:** Exploitation attempts targeting the `/mifs/rs/api/v2/` endpoint; use of FRP for network reconnaissance; outbound connectivity tests via `curl` immediately post-exploitation.
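A small hunting script that checks the behavioral and network indicators listed above against web access and egress-connection records. This is an added example, not code from the report or from EclecticIQ; the log formats, the internal address prefixes and the sample records are constructed assumptions, and only the C2 socket and the API path prefix come from the report.

```python
import re

# Indicator values are the ones the report lists; everything else here is constructed.
C2_INDICATOR = "146.70.87[.]67:45020"   # published defanged form
EPMM_API_PREFIX = "/mifs/rs/api/v2/"

# Assumed log formats (not from the report): common-log-style access lines and a flat "conn src= dst= proc=" egress record.
ACCESS_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
CONN_RE = re.compile(r'^\S+ conn src=(?P<src>\S+) dst=(?P<dst>\S+) proc=(?P<proc>\S+)$')

def refang(indicator):
    """Turn a defanged indicator ('1.2.3[.]4:80') back into a matchable 'ip:port' string."""
    return indicator.replace("[.]", ".")

def hunt_access_log(lines, internal_prefixes=("10.", "192.168.")):
    """Flag EPMM API requests from sources outside the assumed internal ranges (prefix match, not CIDR)."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m.group("path").startswith(EPMM_API_PREFIX):
            continue
        if m.group("src").startswith(internal_prefixes):
            continue  # expected management traffic; tune the allow-list for the environment
        hits.append({"src": m.group("src"), "path": m.group("path"), "status": m.group("status")})
    return hits

def hunt_conn_log(lines):
    """Flag egress to the published C2 socket and curl-originated egress (the reported connectivity test)."""
    c2 = refang(C2_INDICATOR)
    hits = []
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        if m.group("dst") == c2:
            hits.append(("c2_match", m.group("src"), m.group("dst")))
        elif m.group("proc") == "curl":
            hits.append(("curl_egress", m.group("src"), m.group("dst")))
    return hits

# Constructed sample records; API paths, timestamps and internal addresses are illustrative only.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/example HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/May/2025:10:02:15 +0000] "GET /mifs/rs/api/v2/example?x=1 HTTP/1.1" 500 0',
    '203.0.113.9 - - [15/May/2025:10:02:40 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 1024',
]
SAMPLE_CONN = [
    "2025-05-15T10:02:50Z conn src=10.0.0.20 dst=146.70.87.67:45020 proc=curl",
    "2025-05-15T10:03:00Z conn src=10.0.0.20 dst=203.0.113.50:443 proc=curl",
]
```

Run `hunt_access_log(SAMPLE_ACCESS)` and `hunt_conn_log(SAMPLE_CONN)` against real exports of the same shape; a `curl_egress` hit from a management server is worth triage even when the destination is not the published C2 address.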
## Response Actions
- **Containment:** (Implied) Patching the Ivanti EPMM software to remediate CVE-2025-4427 and CVE-2025-4428. Blocking known C2 infrastructure associated with Auto-Color/UNC5221 activity.
- **Eradication:** Removing the deployed KrustyLoader and any subsequent payloads (like Sliver) from affected EPMM servers.
- **Recovery:** Resetting credentials, especially the hard-coded MySQL credentials, and reviewing logs for full scope of data exposure, including O365 tokens.
## Lessons Learned
- **Key takeaways:** Zero-day exploitation often follows immediately on scanning activity (as indicated by GreyNoise monitoring). Sophisticated threat groups such as UNC5221 can quickly weaponize newly disclosed vulnerabilities, or develop their own exploits, against edge appliances.
- **What could have been done better:** Organizations using Ivanti EPMM should rigorously follow vendor security advisories and deploy patches immediately, especially given the high-value targets often associated with these appliances.
## Recommendations
- Immediately apply security updates released by Ivanti for EPMM software to remediate CVE-2025-4427 and CVE-2025-4428.
- Conduct threat hunting on network devices for signs of Fast Reverse Proxy (FRP) usage or KrustyLoader artifacts.
- Rotate any credentials exposed via configuration files if affected systems are found to be compromised, specifically the MySQL database credentials stored in configuration paths.
- Implement Network Detection and Response (NDR) to monitor for unusual outbound traffic originating from core management servers, such as the beaconing behavior seen with Auto-Color.