• CISA flags some more serious Ivanti software flaws, so patch now

    From TechnologyDaily@1337:1/100 to All on Mon Sep 22 15:30:09 2025
    CISA flags some more serious Ivanti software flaws, so patch now

    Date:
    Mon, 22 Sep 2025 14:27:00 +0000

    Description:
    Two Ivanti flaws are being abused in the wild to obtain remote code execution capabilities.

    FULL STORY ======================================================================
    - CISA warns attackers chained CVE-2025-4427 and CVE-2025-4428 to breach Ivanti EPMM systems
    - Malware was delivered via EL injection and reconstructed from Base64-encoded payloads
    - CISA did not confirm attribution; reports suggest possible Chinese targeting of an Australian entity

    The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations about two already-patched Ivanti flaws being chained together in real-world attacks.

    In a new security advisory, CISA said it had been tipped off that attackers were using CVE-2025-4427 and CVE-2025-4428 - both affecting Ivanti's Endpoint Manager Mobile (EPMM) solution - to obtain initial access.

    The former is an authentication bypass in the API component of EPMM 12.5.0.0 and prior, which allows attackers to reach protected resources via the API without proper credentials. It was given a severity score of 7.5/10 (high) and was patched in May 2025. The latter is a Remote Code Execution (RCE) bug in the same API component: on its own it requires an authenticated session, but chained with the bypass it lets unauthenticated attackers run arbitrary code via crafted API requests. It was given a severity score of 8.8/10 (high) and was fixed at approximately the same time.

    Dropping malware

    CISA said that the attackers used these two flaws in a chain to drop two sets of malware.

    The first one includes components that inject a malicious listener into Apache Tomcat, allowing the attackers to intercept specific HTTP requests and execute arbitrary Java code. The second malware set operates similarly, but uses a different class to process encoded password parameters in HTTP requests.

    Both sets were delivered using Java Expression Language (EL) injection via HTTP GET requests, CISA explained. The payloads were Base64-encoded, written to temporary directories in parts, and only later reconstructed on the host. Splitting and encoding the payload this way let the attackers evade detection by traditional security tools that inspect single files or single requests.
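    The two techniques above - EL injection carried in GET query strings, and a payload rebuilt from Base64 fragments - each leave something a defender can look for. The following Python is an added example, not code from the article or from CISA's advisory: it scans constructed Tomcat-style access-log lines for URL-encoded (including double-encoded) EL expressions and suspicious Java class names in the query string, and it reassembles Base64 fragments in numeric part order, the step an incident responder performs on recovered temp files. The log lines, the /api/v2/example path, the part file names and the payload bytes are all constructed for the demonstration; the exact vulnerable EPMM endpoint and parameter are not reproduced here.

```python
import base64
import re
from urllib.parse import unquote

# Constructed Tomcat-style access-log lines (NOT real telemetry). The path
# /api/v2/example is hypothetical; only the EL markers in the query matter.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2025:10:01:02 +0000] "GET /api/v2/example?format=json HTTP/1.1" 200 512
203.0.113.9 - - [22/Sep/2025:10:01:05 +0000] "GET /api/v2/example?format=%24%7B%27%27.getClass().forName(%27java.lang.Runtime%27)%7D HTTP/1.1" 200 88
203.0.113.9 - - [22/Sep/2025:10:01:09 +0000] "GET /api/v2/example?format=%2524%257Bjava.util.Base64.getDecoder().decode(%2527aGVsbG8%253D%2527)%257D HTTP/1.1" 500 0
198.51.100.4 - - [22/Sep/2025:10:02:00 +0000] "POST /api/v2/example HTTP/1.1" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Java EL delimiters, plus class/method names that have no business appearing
# in the value of an API query parameter.
EL_DELIMITERS = re.compile(r"[$#]\{")
SUSPICIOUS_TOKENS = (
    "java.lang.Runtime", "ProcessBuilder", "ScriptEngineManager",
    "getClass().forName", "java.util.Base64", "java.io.FileOutputStream",
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %2524%257B still surfaces as ${."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request whose decoded target contains an EL
    expression; each finding lists the suspicious Java tokens it carries."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = fully_decode(m["target"])
        if not EL_DELIMITERS.search(target):
            continue
        findings.append({
            "ip": m["ip"], "timestamp": m["ts"], "method": m["method"],
            "status": m["status"], "decoded_target": target,
            "tokens": [t for t in SUSPICIOUS_TOKENS if t in target],
        })
    return findings


# Constructed, harmless stand-in for a dropped payload.
DEMO_PAYLOAD = b"constructed sample payload, not real malware"


def demo_parts(chunk_size: int = 5) -> dict[str, str]:
    """Split the Base64 of DEMO_PAYLOAD into named fragments, the way the
    article describes payloads being staged in parts (constructed names)."""
    encoded = base64.b64encode(DEMO_PAYLOAD).decode("ascii")
    chunks = [encoded[i:i + chunk_size] for i in range(0, len(encoded), chunk_size)]
    # Insert in reverse so the reassembler cannot rely on dict order.
    return {f"payload.part{i + 1}": c for i, c in reversed(list(enumerate(chunks)))}


def reassemble_base64_parts(parts: dict[str, str]) -> bytes:
    """Join fragments in numeric order of their trailing part number and
    decode. Sorting the names lexically would place part10 before part2 and
    silently corrupt the reconstruction."""
    def part_no(name: str) -> int:
        m = re.search(r"(\d+)$", name)
        if m is None:
            raise ValueError(f"no part number in {name!r}")
        return int(m.group(1))

    joined = "".join(parts[n] for n in sorted(parts, key=part_no))
    return base64.b64decode(joined, validate=True)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["tokens"], f["decoded_target"])
    print(reassemble_base64_parts(demo_parts()))
```

    The scanner matches on the decoded request, so a defender hunting in real access logs should run it over the raw line rather than a pre-normalized copy; the bounded decode loop is what catches the second, double-encoded request. Note the 500 response on that request: an EL probe that errors out still records a hit and is worth alerting on.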

    CISA did not discuss attribution so, officially, we don't know who the threat actors or the victims were in this attack. The Register, however, cited earlier reports that this might have been the work of a Chinese state-sponsored attacker going after an organization in Australia.

    Via The Register



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/cisa-flags-some-more-serious-ivanti-software-flaws-so-patch-now


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)