Three zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) are being exploited together as a chain that lets an unauthenticated remote attacker bypass the login, execute arbitrary commands, and write files on the appliance. The chain is in use in the wild by at least two known threat actor groups, who are targeting mobile device management (MDM) infrastructure in government and enterprise environments.
Vulnerabilities (CVEs)
| CVE ID | Description | CVSS | Exploit Chain Role |
|---|---|---|---|
| CVE-2025-23334 | Authentication bypass in EPMM login handler | 9.8 | Initial access |
| CVE-2025-23335 | Command injection in EPMM API | 9.0 | Remote code execution |
| CVE-2025-23336 | Path traversal enabling file overwrite | 8.7 | Privilege escalation |
Note: These vulnerabilities allow full takeover of Ivanti EPMM systems when chained together.
Threat Actors
- APT42 (Iran-nexus) – Known for targeting mobile infrastructure and credential access.
- UNC5225 – Previously linked to attacks against mobile security platforms in APAC.
TTPs (MITRE ATT&CK Mapping)
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Persistence | T1547.001 | Registry Run Keys/Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
Note: EPMM ships as a Linux-based appliance, so T1059.001 (PowerShell) and T1547.001 (Registry Run Keys) describe follow-on activity on Windows hosts reached from the compromised server rather than activity on the appliance itself; the shell payloads observed on the appliance correspond to T1059.004 (Command and Scripting Interpreter: Unix Shell).
Malware Families
- No malware family has been named; the observed payloads are custom PowerShell and shell scripts.
- Some of the dropped backdoors beacon to command-and-control servers reached through dynamic DNS domains.
Indicators of Compromise (IoCs)
IP Addresses
- 185.142.236.91
- 45.77.232.12
Domains
- sync-mobileupdate[.]com
- ivanti-mdm-recovery[.]org
File Hashes
- SHA256: 9f8cbb2751d7f6a4e7b8f46d3e2b8471d2e1675e3e0e8b0d294832efa23467ac
Mitigation & Detection
Mitigation
- Apply the Ivanti fix for the affected EPMM versions immediately; because the chain gives unauthenticated remote code execution, treat any unpatched internet-exposed server as potentially compromised rather than merely vulnerable.
- Remove the EPMM server from direct internet exposure. Where device enrollment requires it to stay reachable, restrict at least the administrative portal and API to trusted networks.
- Review all EPMM admin activity from April 2025 onward for anomalies (unexpected admin logins, new accounts, configuration or policy changes, unusual API clients) and check the appliance for the IoCs listed above.
Detection Logic (Sigma Rule – Auth Bypass + Shell Exec)
The rule below flags command-line HTTP clients (curl, wget) requesting the EPMM login endpoint, which is the web-log footprint of the authentication-bypass stage. It does not observe the command-injection or file-write stages, so treat a hit as a lead to pivot on (follow-on API requests from the same source, new processes or files on the appliance) rather than as confirmation of compromise. The field names `uri_path` and `http_user_agent` must be mapped to the schema of the log backend in use.

```yaml
title: Ivanti EPMM Exploit Indicators
status: experimental
description: Command-line HTTP clients requesting the EPMM login endpoint, the login-path footprint of the CVE-2025-23334 authentication bypass.
logsource:
    category: webserver
detection:
    selection:
        uri_path|contains:
            - '/auth/login'
        http_user_agent|contains:
            - 'curl'
            - 'wget'
    condition: selection
falsepositives:
    - Administrators or monitoring scripts that use curl or wget against the login page
level: high
```
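The Sigma rule only says which single requests look suspicious. The following Python example, added for this page and not code from the advisory or from Ivanti, runs that same selection over a few constructed access-log lines, tags sources that match the advisory's IoC IP list, and adds a per-source correlation that is closer to the chain itself: a login-endpoint request followed within a short window by a request to an API path from the same source. The log lines are constructed, the `/api/` path prefix is an assumption (the advisory names no API endpoint), and the 60-second window is a tunable guess.

```python
"""Added example: evaluate the advisory's Sigma selection and a per-source
login-to-API correlation over constructed EPMM access-log lines.
Illustration code written for this page, not part of the advisory."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IP addresses from the advisory's IoC list.
IOC_IPS = {"185.142.236.91", "45.77.232.12"}

# Assumption: the advisory names no API endpoint, so any path containing
# "/api/" is treated as an API request.
API_PATH_HINT = "/api/"

# Constructed sample lines in combined log format (no real traffic). Only the
# first and last sources hit an API path shortly after the login endpoint.
SAMPLE_LOG = """\
185.142.236.91 - - [12/May/2025:10:00:01 +0000] "GET /auth/login HTTP/1.1" 200 512 "-" "curl/8.5.0"
185.142.236.91 - - [12/May/2025:10:00:03 +0000] "POST /api/v2/devices HTTP/1.1" 200 88 "-" "curl/8.5.0"
10.0.0.7 - - [12/May/2025:10:01:10 +0000] "GET /auth/login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.9 - - [12/May/2025:10:02:00 +0000] "GET /auth/login HTTP/1.1" 200 512 "-" "Wget/1.21.4"
10.0.0.9 - - [12/May/2025:10:20:00 +0000] "GET /api/v2/status HTTP/1.1" 200 40 "-" "Wget/1.21.4"
203.0.113.5 - - [12/May/2025:10:03:00 +0000] "GET /auth/login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [12/May/2025:10:03:04 +0000] "POST /api/v2/devices HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ev


def sigma_login_tool_ua(ev):
    """The advisory's Sigma selection. Sigma string matching is
    case-insensitive, so compare on lower-cased values."""
    ua = ev["ua"].lower()
    return "/auth/login" in ev["path"] and ("curl" in ua or "wget" in ua)


def analyse(log_text, window=timedelta(seconds=60)):
    """Return sorted, de-duplicated source IPs per finding type:
    'sigma'  - matched the Sigma selection above
    'ioc_ip' - source is on the advisory's IoC IP list
    'chain'  - login-endpoint request followed by an API request within `window`"""
    events = [ev for ev in (parse(l) for l in log_text.splitlines()) if ev]
    findings = {"sigma": set(), "ioc_ip": set(), "chain": set()}
    by_src = defaultdict(list)
    for ev in events:
        if sigma_login_tool_ua(ev):
            findings["sigma"].add(ev["src"])
        if ev["src"] in IOC_IPS:
            findings["ioc_ip"].add(ev["src"])
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        login_times = [e["ts"] for e in evs if "/auth/login" in e["path"]]
        for e in evs:
            if API_PATH_HINT in e["path"] and any(
                timedelta(0) <= e["ts"] - t <= window for t in login_times
            ):
                findings["chain"].add(src)
                break
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for kind, sources in analyse(SAMPLE_LOG).items():
        print(f"{kind:7s} {', '.join(sources) or '-'}")
```

On the sample data the Sigma selection fires on the two tool user agents, the IoC match fires on the listed address, and the correlation catches 203.0.113.5, which sends a normal-looking `python-requests` user agent and is missed by the rule, while ignoring 10.0.0.9, whose API call comes eighteen minutes after the login request. That is the reason to pair the rule with sequence-based logic once the real API endpoints for the affected version are known.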
CVEs
[
{
"cve_id": "CVE-2025-23334",
"description": "Authentication bypass in EPMM login handler",
"cvss": 9.8,
"role": "Initial access"
},
{
"cve_id": "CVE-2025-23335",
"description": "Command injection in EPMM API",
"cvss": 9.0,
"role": "Remote code execution"
},
{
"cve_id": "CVE-2025-23336",
"description": "Path traversal enabling file overwrite",
"cvss": 8.7,
"role": "Privilege escalation"
}
]
Threat Actors
[
{
"name": "APT42",
"origin": "Iran",
"notes": "Known for mobile espionage and targeting of telecom sectors."
},
{
"name": "UNC5225",
"origin": "APAC-linked",
"notes": "Suspected involvement in MDM-focused intrusions."
}
]
TTPs (MITRE ATT&CK)
[
{
"tactic": "Initial Access",
"technique_id": "T1190",
"technique": "Exploit Public-Facing Application"
},
{
"tactic": "Execution",
"technique_id": "T1059.001",
"technique": "Command and Scripting Interpreter: PowerShell"
},
{
"tactic": "Persistence",
"technique_id": "T1547.001",
"technique": "Registry Run Keys/Startup Folder"
},
{
"tactic": "Defense Evasion",
"technique_id": "T1027",
"technique": "Obfuscated Files or Information"
},
{
"tactic": "Exfiltration",
"technique_id": "T1041",
"technique": "Exfiltration Over C2 Channel"
}
]
Malware (Custom Payloads)
[
{
"family": "Unknown (custom shell scripts)",
"delivery": "PowerShell + shell",
"behavior": "Backdoor with C2 callback to dynamic DNS"
}
]
Indicators of Compromise (IoCs)
{
"ip_addresses": [
"185.142.236.91",
"45.77.232.12"
],
"domains": [
"sync-mobileupdate.com",
"ivanti-mdm-recovery.org"
],
"hashes": [
{
"sha256": "9f8cbb2751d7f6a4e7b8f46d3e2b8471d2e1675e3e0e8b0d294832efa23467ac"
}
]
}
Summary
Threat actors are chaining three Ivanti EPMM zero-day flaws to hijack mobile management platforms, deploy command shell backdoors, and exfiltrate sensitive data. The attack path relies on auth bypass, remote code execution, and file write capabilities, primarily targeting mobile-heavy enterprises and public sector organizations.