CISA dropped a stark warning on September 18, 2025: attackers are actively exploiting a pair of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to deploy a stealthy, purpose-built malware toolkit that harvests cryptographic keys and lays down persistent web shells. The agency’s Malware Analysis Report (MAR) details how threat actors chain CVE-2025-4427 and CVE-2025-4428 to gain unauthenticated remote code execution, then move to steal ASP.NET MachineKey material—a systemic threat that can let them forge sessions and maintain access even after password rotations. Ivanti has released patches, and CISA is pushing immediate deployment of detection signatures and a full compromise assessment cycle.
The attack chain: what the malware actually does
The MAR dissects two sets of malware pulled from a real-world breach. The toolset includes .NET DLLs that run in memory, enumerate the host, and extract the ValidationKey and DecryptionKey from the ASP.NET MachineKey configuration. These keys protect authentication tokens and ViewState data; once an attacker holds them, they can craft session tokens at will, impersonate users, and sidestep many application-level trust assumptions.
The same operators dropped multiple ASPX and JSP web shells into plausible-looking web application paths—under directories like template layouts—so the files blend with legitimate content. The shells are password-protected (using SHA-512 hashes) and use Base64 plus XOR obfuscation to hide commands. They support interactive command execution, file uploads, and downloads, giving attackers redundant, HTTP-based backdoors that survive simple file removal.
Encoded PowerShell droppers (Base64 strings with -EncodedCommand) were used to install the payloads, a technique that evades signature-based tools and leans on legitimate system utilities. CISA also observed network-level evasion: the malware exfiltrates stolen keys through custom HTTP headers—one sample used X-TXT-NET—tunneling the data out amid normal web traffic.
All of this rides on the back of two related CVEs:
- CVE-2025-4427: an authentication bypass that lets unauthenticated users reach protected API endpoints.
- CVE-2025-4428: a remote code execution bug. When chained with the bypass, an attacker can execute arbitrary code without credentials.
The MAR confirms that the actors exploited this exact combination to get initial access and then drop the described implants. Multiple national CERTs and security vendors have corroborated active exploitation; the U.S. agency’s analysis now gives defenders a precise technical blueprint to detect and evict the threat.
What this means for you
The immediate audience is any organization running an on-premises Ivanti EPMM (formerly MobileIron Core) instance, especially those that are internet-facing. But the blast radius extends far beyond the MDM server itself.
For IT and security teams:
- MachineKey theft is a crisis-level event. If an attacker grabs your EPMM server’s MachineKey, they can forge authentication tokens that are valid across any application sharing that key material—potentially multiple web apps, portals, and integrated services. Rotating user passwords won’t stop them; the trust anchor itself is corrupted. You must reissue keys and re‑build trust.
- MDM compromise means endpoint compromise. A managed EPMM appliance can push configurations, profiles, and applications to thousands of enrolled mobile devices. An adversary with a persistent web shell can leverage that control to distribute further malware, exfiltrate data, or pivot deeper into the network.
- The web shells are built for persistence. With multiple redundant implants, password protection, and traffic camouflage, a simple patch won’t remove them. You need a forensic hunt and likely a full rebuild from clean media.
For Windows administrators specifically:
- If your organization’s EPMM appliance runs on Windows Server (a common deployment), the PowerShell dropper chains and .NET DLL artifacts leave traces in Windows event logs, process creation records, and file system audits. The SIGMA rules CISA released can plug directly into Windows Event Forwarding or SIEM pipelines.
- The YARA rules can scan Windows file shares and server volumes where an EPMM instance might store logs or temporary files. Even if the appliance itself is Linux-based, the web shells often persist on web servers that might be Windows-hosted in hybrid setups.
For developers and architects:
- Review any ASP.NET applications that share MachineKey settings with the compromised EPMM instance. Immediate key rotation is essential, but you’ll also need to audit session management and token validation code to ensure no lingering trust remains.
How we got here: the evolution of Ivanti EPMM threats
Ivanti EPMM has been in the crosshairs before. In early 2025, researchers and CERTs began flagging the two CVEs, noting that they could be chained for unauthenticated RCE. Security vendors started publishing IOCs and hunting guidance by mid-year, and CERT-EU urged organizations to filter API access and prioritize patching internet-facing appliances. Throughout 2025, Ivanti products—including Connect Secure and Policy Secure—were targeted by multiple threat actors, some attributed to Chinese state-sponsored groups. CISA had previously warned that adversaries can persist across factory resets in certain Ivanti appliances, raising the stakes for EPMM defenders.
On September 18, CISA released the MAR, shifting the focus from vulnerability disclosure to deep malware reverse engineering. The report is part of a broader U.S. government effort to equip defenders with machine-readable detection logic, not just advisory text. The inclusion of SIGMA and YARA rules alongside IOCs is a notable operational benefit; it lets teams automate hunts across SIEMs and EDRs rather than manually chasing indicators.
What to do now: a phased defense playbook
CISA’s guidance, blended with community advisories, yields a clear set of priorities. Treat every step as urgent.
1. Patch and isolate (same day)
- Apply Ivanti’s latest updates immediately. The vendor has released fixed builds for all affected EPMM versions. Check your current deployment and follow the upgrade path in Ivanti’s advisory.
- Restrict network exposure. If an appliance must stay internet-facing before patching, apply access control lists or a web application firewall to allow only trusted IPs. CERT-EU specifically recommended filtering requests to API endpoints like
/mifs/rs/api/v2/featureusage.
2. Deploy CISA’s detection rules
- Import the SIGMA rules into your SIEM. They focus on:
- PowerShell processes with
-EncodedCommandand suspicious Base64 content. - HTTP requests to unusual
.aspxor.jspendpoints, particularly under paths like/_layouts/,/templates/, or custom web app directories. - Outbound traffic carrying attacker-specific headers (e.g.,
X-TXT-NET). - Run the YARA signatures across Windows servers that host EPMM components, staging directories, or file servers where log exports land. Pay special attention to DLL files with low prevalence or suspicious compilation timestamps.
- Ingest the provided IOCs (file hashes, C2 IP addresses, filenames) into your endpoint and network detection tools. Scan historical logs going back at least 90 days.
3. Hunt for signs of compromise
- Web shells: Search web server logs for writes to
.aspxor.jspfiles in non-standard locations. Look for file creation timestamps that don’t match patching windows or admin activity. - MachineKey exfiltration: Audit proxy or firewall logs for requests containing unusual header values, especially values that look blocky or Base64-like. Focus on headers not normally used by the application.
- PowerShell anomalies: In Windows event logs (Event ID 4104 or 4688), flag any encoded command that decodes to network activity or file writes in EPMM-related paths.
4. Assume key compromise and respond
- If you find any indicator, initiate a formal incident response: isolate the appliance, capture a forensic image, preserve volatile logs.
- Rotate all secrets immediately. This means the EPMM MachineKey, any API keys stored in the appliance, service account credentials, and certificates issued to or by the system. A compromised MachineKey demands a full rekey, not just a regeneration—generate new strong keys and deploy them across all relying applications.
- Rebuild compromised appliances from a trusted, offline image. Do not rely on factory reset or snapshot rollback. CISA’s earlier Ivanti reports demonstrated that advanced actors can persist through those methods.
- Report the incident to CISA or your national CERT. Sharing forensic indicators helps the broader community.
Long‑term safeguards for MDM infrastructure
Beyond the immediate crunch, this incident reinforces architectural lessons:
- Segment MDM systems rigidly. Place them in a dedicated management zone with strict inbound and outbound rules. Limit which systems can talk to the MDM, and monitor all cross-zone traffic.
- Treat MachineKey material as a secret with rotation policies. If your EPMM appliance shares keys with other applications (a common scenario in enterprise portals), rotate those keys on a schedule and after any suspected event.
- Enable exhaustive logging on MDM servers and export logs to a secure, immutable store. Web server logs, application logs, and system audit trails from Windows or Linux hosts are your primary forensic sources.
- Pre-build clean golden images for rapid rebuild. Have an automated pipeline that deploys a fresh, patched EPMM instance from a known-good baseline, and test that restoration process quarterly.
Outlook: what to watch next
Defenders should expect threat actors to continue probing Ivanti appliances. The same C2 infrastructure observed in this campaign may surface in attacks against other Ivanti products. Monitor for:
- New web shell variants that adjust obfuscation or header names.
- Attempts to reuse stolen MachineKeys even after you think keys have been rotated—validate that old keys are truly revoked.
- Any unauthorized configuration changes pushed to managed mobile devices, which could signal that the attacker maintained a foothold after patching.
Ivanti has committed to hardening EPMM’s API surface, and the security community is sharing detection logic rapidly. For Windows-centric shops, the immediate operational win is integrating CISA’s SIGMA rules into existing logging pipelines and treating the MDM as a Tier 0 asset—one compromise away from domain-wide impact.