CISA flags some more serious Ivanti software flaws, so patch now

Sead Fadilpašić

22 September 2025

Two worrying Ivanti flaws are being abused in the wild


CISA warns attackers chained CVE-2025-4427 and CVE-2025-4428 to breach Ivanti EPMM systems
Malware was delivered via EL injection and reconstructed from Base64-encoded payloads
CISA did not confirm attribution; reports suggest possible Chinese targeting of Australian entity

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations about two patched Ivanti flaws being chained together in real-life attacks.

In a new security advisory, CISA said it had been alerted to attackers using CVE-2025-4427 and CVE-2025-4428, both affecting Ivanti's Endpoint Manager Mobile (EPMM) product, to obtain initial access.
The former is an authentication bypass in the API component of EPMM 12.5.0.0 and prior, which lets an attacker reach protected API resources without valid credentials. It carries a severity score of 7.5/10 (high) and was patched in May 2025. The latter is a Remote Code Execution (RCE) bug in the same API component and the same versions, allowing an authenticated attacker to run arbitrary code via crafted API requests; it was scored 8.8/10 (high) and fixed at the same time. On its own the RCE requires credentials, which is why the chain matters: the authentication bypass supplies the access, and the RCE turns it into code execution on the appliance with no account at all. Ivanti's fixed builds are 11.12.0.5, 12.3.0.2, 12.4.0.2 and 12.5.0.1, so anything older should be treated as exposed.


Dropping malware
CISA said that the attackers used these two flaws in a chain to drop two sets of malware.

The first set includes components that inject a malicious listener into Apache Tomcat, allowing the attackers to intercept specific HTTP requests and execute arbitrary Java code. The second set operates similarly, but uses a different class to process encoded password parameters in HTTP requests.
Both sets were delivered through Java Expression Language (EL) injection via HTTP GET requests, CISA's analysts explained. The payloads were Base64-encoded, written to temporary directories in pieces and reassembled on the host, a staging technique meant to avoid detection by traditional security tools that inspect a single request or file in isolation.
CISA did not discuss attribution, so officially we don't know who the threat actors or the victims were. The Register, however, cited earlier reports suggesting this might have been the work of a Chinese state-sponsored attacker targeting an organization in Australia.
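The delivery method CISA describes, EL injection through GET requests carrying Base64-encoded payload chunks, leaves traces in ordinary web-server access logs. The script below is an added example written for this article, not code from CISA, Ivanti or The Register: it scans combined-format access-log lines for Java EL markers (`${...}` / `#{...}`) in any query parameter, peels extra layers of percent-encoding so double-encoded expressions are not missed, and separately flags long strictly valid Base64 values that could be payload chunks. The log lines are constructed, the `/api/v2/example` path is a placeholder rather than the endpoint used in the real attacks, and the detection goes beyond the article by covering every parameter rather than a single known one.

```python
"""Flag Java EL injection markers and Base64 blobs in HTTP access-log query strings.

Added example for the CISA/Ivanti EPMM write-up; not code from CISA, Ivanti or
the article. Log lines are constructed and /api/v2/example is a placeholder path.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Java EL / Tomcat expression markers: ${...} or #{...}
EL_RE = re.compile(r'[$#]\{[^}]*\}')
# Long runs of the Base64 alphabet with optional padding
B64_RE = re.compile(r'^[A-Za-z0-9+/]{24,}={0,2}$')

# Constructed sample traffic (not real captures). Line 1 is benign, line 2 carries a
# percent-encoded EL expression, line 3 a Base64 chunk, line 4 a double-encoded EL.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2025:10:00:01 +0000] "GET /api/v2/example?format=json HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [22/Sep/2025:10:00:02 +0000] "GET /api/v2/example?format=%24%7B7%2A7%7D HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.0.0.9 - - [22/Sep/2025:10:00:03 +0000] "GET /api/v2/example?password=aGVsbG8gd29ybGQgdGhpcyBpcyBhIGNodW5rIG9mIGJhc2U2NA%3D%3D&part=1 HTTP/1.1" 200 120 "-" "python-requests/2.31"
10.0.0.9 - - [22/Sep/2025:10:00:04 +0000] "GET /api/v2/example?format=%2524%257B7%252A7%257D HTTP/1.1" 200 812 "-" "python-requests/2.31"
"""


@dataclass
class Finding:
    src: str
    ts: str
    path: str
    param: str
    reason: str


def deep_unquote(value: str, rounds: int = 3) -> str:
    """Peel extra layers of percent-encoding; double-encoding is a common filter bypass."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def looks_base64(value: str) -> bool:
    """True when a parameter value is a long, strictly valid Base64 string."""
    if not B64_RE.match(value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def scan_line(line: str) -> list[Finding]:
    """Return one Finding per suspicious query parameter on a single log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    findings: list[Finding] = []
    # parse_qsl already strips one layer of percent-encoding and maps '+' to space;
    # the Base64 check uses that value directly so a literal '+' in it survives.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if EL_RE.search(deep_unquote(value)) or EL_RE.search(deep_unquote(name)):
            findings.append(Finding(m["src"], m["ts"], url.path, name, "el_expression"))
        elif looks_base64(value):
            findings.append(Finding(m["src"], m["ts"], url.path, name, "base64_blob"))
    return findings


def scan_log(text: str) -> list[Finding]:
    """Scan every non-empty line of an access log."""
    return [f for line in text.splitlines() if line.strip() for f in scan_line(line)]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.path} param={f.param!r} -> {f.reason}")
```

Run against the sample, the benign request produces nothing, while the EL expression, the Base64 chunk and the double-encoded EL each yield a finding. A Base64 hit on its own is a weak signal (plenty of legitimate parameters are Base64), so in practice correlate it with the same client repeatedly sending such values to the appliance's API, which matches the chunked staging CISA describes.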

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
