The U.S. Cybersecurity and Infrastructure Security Agency has published a detailed analysis of malware that exploits two vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to plant persistent backdoors in Apache Tomcat. The report, released September 18, provides concrete detection rules and evidence that attackers are actively using the technique to achieve unauthenticated remote code execution on unpatched servers.
The delivery mechanism: chunked EL injection
Attackers target the /mifs/rs/api/v2/featureusage endpoint with carefully crafted HTTP GET requests. By injecting Java Expression Language (EL) into the format parameter, they can execute arbitrary server-side commands without authentication.
To evade signature-based detection and size limits, the payload is split into multiple Base64-encoded chunks. Each chunk is delivered in a separate request that opens a file in append mode—usually /tmp/web-install.jar. The first request creates the file, and subsequent requests append to it until the entire malicious JAR has been reconstructed on disk.
This technique combines defense evasion with reliability. Instead of a single conspicuous upload, the attacker’s activity blends into normal API traffic. Once the loader JAR is fully written, the real work begins.
From loader to listener: two variants, same goal
CISA’s analysts recovered two distinct malware sets from a compromised organization. Both install a malicious servlet listener inside Tomcat, but they use slightly different methods.
Set 1: ReflectUtil and SecurityHandlerWanListener
The loader JAR (referred to as Loader 1) contains a manager class named ReflectUtil.class. When executed, it decodes an embedded Base64+gzip blob to produce another class, SecurityHandlerWanListener.class. It then uses ClassLoader APIs to reflectively load that class and add it to Tomcat’s event listener list. No files are written to disk during the injection phase—the listener lives entirely in memory.
The listener itself waits for HTTP requests that contain a specific secret string (pass 7c6a8867d728c3bb) and a Referer header set to https://www.live.com. Only when both conditions are met does it kick into action: it reads a Base64-encoded payload from the request body, AES-decrypts it with a key stored in the session, and uses the decrypted bytecode to define and execute a new Java class. The attacker can run any code the JVM can reach—system commands, network connections, file operations—all without further authentication.
Set 2: WebAndroidAppInstaller
The second set uses a loader JAR (Loader 2) that drops WebAndroidAppInstaller.class. This listener intercepts form-encoded POST requests, extracts a password parameter, Base64-decodes it, and then AES-decrypts it with the hard‑coded key 3c6e0b8a9c15224a. The decrypted content is used to define and load a new class, and the output of that class is encrypted with the same key, Base64-encoded, and sent back to the attacker along with an MD5 digest for request validation.
Both approaches achieve the same operational result: an HTTP‑accessible backdoor that provides arbitrary code execution inside the web application’s Java process. The listener persists as long as Tomcat is running. A simple service restart won’t remove it—only a full redeployment or re-imaging eliminates it.
What’s at stake for your organization
Ivanti EPMM (formerly MobileIron) is a mobile device management platform. Security teams rely on it to configure, monitor, and lock down thousands of corporate mobile devices. That central role makes it an extraordinarily high‑value target. A successful compromise can yield:
- Device control: The attacker can push malicious profiles, apps, or configuration changes to every enrolled device.
- Credential harvesting: The backdoor can intercept authentication tokens, LDAP credentials, and service account passwords.
- Lateral movement: From the MDM server, an attacker can pivot to other systems on the internal network, including Active Directory and file shares.
For IT administrators managing on‑premises EPMM instances, this is a critical‑severity scenario. Even if you personally don’t touch the server, your enterprise might. For everyday users with a company‑managed phone, the impact is indirect but real: a compromised MDM could wipe your device, steal sensitive data, or install surveillance software without any visible sign.
How we got here: timeline of a high‑risk exploit chain
- May 13, 2025 – Ivanti releases patches for CVE‑2025‑4427 (authentication bypass via EL injection) and CVE‑2025‑4428 (code injection). The company publishes an advisory and urges immediate upgrades.
- May 15, 2025 – A proof‑of‑concept exploit appears publicly. Security researchers (including Rapid7, ProjectDiscovery, and watchTowr) publish technical deep‑dives, making exploitation straightforward for virtually any threat actor.
- May 19, 2025 – CISA adds both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, imposing a near‑term patch deadline on U.S. federal agencies and signaling widespread risk.
- Summer 2025 – Active exploitation is confirmed. Attackers use the public PoC to deliver the malware sets described above, compromising exposed EPMM instances.
- September 18, 2025 – CISA publishes Malware Analysis Report AR25‑261A, including file hashes, YARA rules, a SIGMA detection rule, and STIX IOC bundles. The report is based on artifacts recovered from a victim organization.
Affected versions: 11.12.0.4 and earlier, 12.3.0.1 and earlier, 12.4.0.1 and earlier, and 12.5.0.0. Fixed versions: 11.12.0.5, 12.3.0.2, 12.4.0.2, 12.5.0.1, and any later builds.
Your immediate action plan
1. Patch now
Upgrade every EPMM instance to a remediated build. This is the single most important step. Open a maintenance window, test the upgrade on a staging server if possible, and apply the fix.
| Affected version | Minimum fixed version |
|---|---|
| 11.12.0.4 and prior | 11.12.0.5 |
| 12.3.0.1 and prior | 12.3.0.2 |
| 12.4.0.1 and prior | 12.4.0.2 |
| 12.5.0.0 | 12.5.0.1 |
2. Network lockdown
Restrict management interface access to trusted IPs only. Use VPNs and jump hosts. Block outbound traffic from the EPMM server that isn’t required for business operations—C2 channels rely on being able to reach the internet.
3. Deploy detection signatures
CISA’s MAR includes everything you need to spot the known malware families:
- YARA rules – For Loader 1, ReflectUtil.class, SecurityHandlerWanListener.class, Loader 2, and WebAndroidAppInstaller.class.
- SIGMA rule – Detects the abused URL paths, suspicious EL-injection patterns, and known bad commands/hashes in web logs.
- IOC bundle – SHA256, SHA1, MD5 hashes, IP addresses, and file paths. Import them into your EDR, SIEM, and threat intelligence platforms.
4. Hunt for indicators
Even after patching, assume an attacker may have already slipped in. Look for:
- Files named
web-install.jar,ReflectUtil.class,SecurityHandlerWanListener.class, orWebAndroidAppInstaller.classin/tmpor Tomcat work directories. - Web access logs showing repeated GET requests to
/mifs/rs/api/v2/*with longformat=parameters full of Base64 strings. - HTTP requests containing the strings
pass 7c6a8867d728c3bborReferer: https://www.live.com—clear signs of Set 1 activity. - Unexpected outbound connections from the Java process to IPs listed in the CISA IOC.
5. If compromise is confirmed
- Isolate the server immediately. Take it offline or segment it at the network level.
- Preserve evidence: capture memory snapshots, forensic disk images, and all logs.
- Do not attempt in‑place cleaning. Tomcat listener persistence can be deeply embedded. Re‑image the host and rebuild the application from known‑good backups.
- Rotate all credentials that the server could have accessed: LDAP/AD service accounts, API keys, local admin passwords, and any secrets used for device enrollment.
6. Treat MDM as a high‑value asset
Going forward, apply the same protections to your MDM infrastructure that you would to a domain controller. That means:
- Continuous log monitoring with behavioral analytics.
- Multi‑party approval for administrative changes.
- Regular integrity checks using vendor‑provided tools.
- Frequent vulnerability scans and tight change‑control processes.
Looking ahead: the MDM threat is here to stay
The Ivanti EPMM incident is not an isolated event. MDM platforms will continue to be high‑value targets because they sit at the intersection of identity, endpoint control, and data access. Public proof‑of‑concept code drastically lowers the bar for entry, and the reflective loading techniques seen here are likely to appear in other malware families.
CISA’s report is a model of actionable threat intelligence: it gives defenders the technical facts, the signatures, and the hunting guidance. But the real defense is speed—patching before the next wave of opportunistic attacks. Assume that if your EPMM server was exposed to the internet after May 13, 2025, it is under active scrutiny. Act accordingly.