On May 22, 2025, The Hacker News reported that the Chinese cyberespionage group UNC5221 had exploited two recently patched vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) to conduct targeted attacks worldwide. The flaws, CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (a remote code execution bug), can be chained so that an attacker executes arbitrary code on a vulnerable appliance without any credentials.
The attacks, which began on May 15, 2025, targeted critical sectors such as healthcare, telecommunications, aviation, local government, finance, and defense in Europe, North America, and the Asia-Pacific region. UNC5221 demonstrated deep knowledge of EPMM's internal architecture, using legitimate system components to stealthily exfiltrate data.
The group exploited the "/mifs/rs/api/v2/" endpoint to obtain an interactive reverse shell and run commands remotely on Ivanti EPMM deployments. They then deployed KrustyLoader, a Rust-based loader attributed to UNC5221 that fetches and runs additional payloads such as the Sliver implant. The attackers also used the hard-coded MySQL credentials shipped with EPMM to access its database without authorization and exfiltrate sensitive data on managed mobile devices, LDAP users, and Office 365 access tokens.
The intrusions follow a consistent pattern: obfuscated shell commands for host reconnaissance, followed by retrieval of KrustyLoader from an AWS S3 bucket and use of Fast Reverse Proxy (FRP) for network reconnaissance and lateral movement. FRP is an open-source tunnelling tool widely shared among Chinese hacking groups.
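The tradecraft described in the two paragraphs above gives a defender three things to look for in logs: requests to the "/mifs/rs/api/v2/" endpoint family from sources that are not expected to use the API, shell-like tokens inside those requests (consistent with the reverse shell and obfuscated commands), and the EPMM appliance itself reaching out to an S3 endpoint to fetch a loader. The script below is an added example for this article, not Ivanti, Mandiant or EclecticIQ code. It assumes the web access log is in Apache/nginx "combined" format and that the outbound traffic record is a simple "timestamp source destination:port" line; EPMM's own log formats may differ, so the two regexes are the parts to adapt. All log lines, IP addresses and hostnames in it are constructed for the demonstration and are not real indicators.

```python
"""Offline triage of EPMM-style logs for the UNC5221 tradecraft reported above.

Added example, not vendor code. Assumptions: (1) access log in Apache/nginx
"combined" format, (2) outbound log as "timestamp src dst:port". Adjust
ACCESS_RE and PROXY_RE to the real formats before use.
"""
import re
from urllib.parse import unquote

API_PREFIX = "/mifs/rs/api/v2/"

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shell tokens that have no place in a benign EPMM API request; the report
# describes an interactive reverse shell and obfuscated shell commands.
SHELL_TOKENS = re.compile(
    r"(;|\||`|\$\(|/bin/(?:ba)?sh|\bbash\b|\bcurl\b|\bwget\b|\bnc\b|base64)", re.I
)

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+)$")
# KrustyLoader was staged from an AWS S3 bucket: an MDM appliance initiating
# its own S3 fetches is worth a look, whatever the bucket name.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)


def triage_access(lines, trusted_sources=frozenset()):
    """Return one finding per suspicious request to the v2 API endpoint."""
    findings = []
    for raw in lines:
        m = ACCESS_RE.match(raw)
        if not m:
            continue  # unparseable line: format mismatch, not evidence
        target = unquote(m["target"])  # decode %3B etc. before token matching
        if not target.startswith(API_PREFIX):
            continue
        reasons = []
        if m["ip"] not in trusted_sources:
            reasons.append("api-request-from-untrusted-source")
        if SHELL_TOKENS.search(target):
            reasons.append("shell-tokens-in-request")
        if reasons and m["status"].startswith("2"):
            reasons.append("server-accepted-request")  # not rejected as 401/403
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": target,
                             "status": int(m["status"]), "reasons": reasons})
    return findings


def triage_outbound(lines, appliance_ips):
    """Flag outbound connections from the EPMM appliance to S3 endpoints."""
    hits = []
    for raw in lines:
        m = PROXY_RE.match(raw)
        if not m or m["src"] not in appliance_ips:
            continue
        host = m["dst"].rsplit(":", 1)[0]  # strip the port
        if S3_HOST.search(host):
            hits.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"]})
    return hits


# Constructed sample data for demonstration only; not real UNC5221 indicators.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [15/May/2025:08:01:02 +0000] "GET /mifs/admin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/May/2025:08:02:10 +0000] "GET /mifs/rs/api/v2/ HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/May/2025:09:14:33 +0000] "GET /mifs/rs/api/v2/?q=x%3Bbash%20-i HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '198.51.100.7 - - [15/May/2025:09:14:35 +0000] "GET /mifs/rs/api/v2/?q=ok HTTP/1.1" 401 0 "-" "python-requests/2.31"',
]
SAMPLE_OUTBOUND = [
    "2025-05-15T09:15:01Z 10.0.0.20 updates.example.com:443",
    "2025-05-15T09:15:09Z 10.0.0.20 bucket-name.s3.amazonaws.com:443",
    "2025-05-15T09:16:00Z 10.0.0.77 other.s3.eu-west-1.amazonaws.com:443",
]

if __name__ == "__main__":
    for f in triage_access(SAMPLE_ACCESS, trusted_sources={"10.0.0.5"}):
        print("ACCESS", f)
    for h in triage_outbound(SAMPLE_OUTBOUND, appliance_ips={"10.0.0.20"}):
        print("OUTBOUND", h)
```

On the constructed sample the script flags the two requests from the untrusted source (the first with shell tokens and an accepted 200 response, the second only for its origin) and the one S3 fetch initiated by the appliance, while the administrator's own API call from a trusted address produces nothing. The "trusted sources" allowlist is what keeps this usable: without it every legitimate API client is a finding, so populate it from the management hosts and integration servers that are supposed to talk to EPMM.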
Ivanti has released patches for both vulnerabilities and strongly recommends that customers follow the guidance in its security advisory and secure their environments as soon as possible.
The UNC5221 campaign underscores the importance of proactive vulnerability management and of treating the mobile device management platform itself as critical infrastructure. Organizations must apply security patches promptly and continuously monitor their environment for suspicious activity; since exploitation was under way before many customers had patched, applying the update alone does not remove an intruder who is already on the appliance, so deployments that were exposed before patching should also be checked for the post-exploitation activity described above.