Chinese Cyber Spies Exploit Ivanti EPMM Flaws to Target EU and US Organizations

A recent cybersecurity report reveals that a Chinese cyber espionage group has been exploiting two significant vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) software to breach various organizations across Europe and the United States. The flaws, identified as CVE-2025-4427 and CVE-2025-4428, were discovered by EclecticIQ researchers and were exploited as zero-days before being patched by Ivanti. This alarming development shines a light on the increasing sophistication of cyber attacks targeting essential infrastructure.

Entities affected by this campaign include a local government authority and healthcare organizations in the UK, and a research institute, a legal firm, a telecommunications company, and a manufacturing entity in Germany. An aerospace leasing company in Ireland, a healthcare provider, a medical device manufacturer, a firearms manufacturer, and a cybersecurity firm in the US were also targeted, along with a multinational bank in South Korea and a Japanese automotive parts supplier. The extensive range of targets underscores the severity and scale of the threat posed by this campaign.

By exploiting the vulnerabilities in Ivanti’s software, attackers were able to achieve remote code execution on internet-exposed deployments without requiring authentication. Once inside, they established a reverse shell and deployed various malware, including KrustyLoader. They also accessed sensitive data from Ivanti’s databases, which included information about managed mobile devices and user credentials. Such access could potentially compromise thousands of devices within affected organizations, leading to far-reaching security implications.

The EclecticIQ report notes that the cyber group, referred to as UNC5221, has shown a remarkable understanding of EPMM’s architecture, utilizing its components for data extraction purposes. Security experts emphasize the need for organizations using Ivanti EPMM to promptly upgrade to fixed versions to mitigate these risks. Ivanti has advised users to upgrade to versions 11.12.0.5, 12.3.0.2, 12.4.0.2, or 12.5.0.1 to safeguard their systems. However, further investigation is necessary to ascertain if any organizations have already been compromised prior to the patching of these vulnerabilities.
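As an added example (not code from the report or from Ivanti), the following triage check flags EPMM instances whose version is still below the fixed release for their branch, using only the four fixed versions the article lists. Hostnames and version strings are constructed sample inventory data, and any branch not named in the article is reported as unknown rather than assumed patched.

```python
# Added example: compare inventoried Ivanti EPMM versions against the fixed releases
# named in the article. Branch-to-fix mapping is taken from the page; the inventory
# below is constructed sample data, not real hosts.

# Fixed release per branch, as stated in the article's upgrade guidance.
FIXED_VERSIONS = {
    "11.12": "11.12.0.5",
    "12.3": "12.3.0.2",
    "12.4": "12.4.0.2",
    "12.5": "12.5.0.1",
}


def parse_version(version):
    """Turn '12.4.0.1' into (12, 4, 0, 1) so comparison is numeric, not lexical
    (a string compare would wrongly rank '12.3.0.10' below '12.3.0.2')."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def patch_status(version):
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one EPMM version."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        # Branch not among the fixed releases listed: cannot be confirmed patched,
        # so surface it for manual review instead of silently passing it.
        return "unknown-branch"
    return "patched" if v >= parse_version(fixed) else "vulnerable"


def triage(inventory):
    """Map each host to its status; anything not 'patched' needs follow-up."""
    return {host: patch_status(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "epmm-lon-01": "12.5.0.1",   # at the fixed release
    "epmm-ber-01": "12.4.0.1",   # one build short of 12.4.0.2
    "epmm-dub-01": "11.12.0.5",  # at the fixed release
    "epmm-nyc-01": "12.3.0.10",  # above 12.3.0.2; lexical compare would get this wrong
    "epmm-legacy": "11.10.0.3",  # branch not named in the article
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```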