Chinese hackers are exploiting a remote code execution flaw in Ivanti Endpoint Manager Mobile (EPMM) to breach high-profile organizations worldwide.
The flaw is tracked as CVE-2025-4428 and carries a high-severity score.
It can be exploited to remotely execute code on EPMM version 12.5.0.0 and prior via specially crafted API requests.
Ivanti disclosed the flaw alongside an authentication bypass (CVE-2025-4427) and patched both on 13 May 2025, stating that the issues had been exploited against a "very limited number of customers".
Yesterday, EclecticIQ researcher Arda Büyükkaya reported that CVE-2025-4428 has been widely exploited in the wild since 15 May, and attributed the activity with high confidence to the UNC5221 activity cluster.
This particular threat group is considered an Ivanti specialist, regularly exploiting zero-day vulnerabilities in the company's products, such as Connect Secure in January and again in April 2025.
The researcher confirmed this to BleepingComputer, commenting on the hackers' deep knowledge of Ivanti systems: they know which files hold the information needed for the next stage of the attack, such as cleartext MySQL credentials, and specifically target them.

Source: EclecticIQ
The latest UNC5221 exploitation campaign has targeted the following organizations:
- UK national health institution
- National health service/pharma provider in North America
- American medical equipment manufacturer
- Municipal agencies in Scandinavia and the UK
- German federal research institute
- German telecommunications giant and IT provider
- US-based cybersecurity firm
- Major American food distributor
- Irish aerospace leasing firm
- German industrial manufacturer
- Japanese motor vehicle electronics and powertrain supplier
- American firearms manufacturer
- South Korean multinational commercial and consumer bank
These compromises were confirmed by evidence such as reverse shells, data exfiltration/database exports, repeated malware injections, and abuse of internal Office 365 tokens and LDAP configurations.

Source: EclecticIQ
Büyükkaya told BleepingComputer that the threat actor's motive was most likely espionage, monitoring high-value targets related to strategic interests.
The threat actor performed host reconnaissance by running system commands to collect details about devices, users, networks and configuration files, before dropping the KrustyLoader payload from an AWS S3 bucket.

Source: EclecticIQ
The output of those commands was saved temporarily.
This indicates real-time data exfiltration, possibly through HTTP GET requests, followed by deletion of the evidence.
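The staging pattern described above (command output written to a temporary file, retrieved with an HTTP GET, then removed) leaves a footprint in the appliance's web access log that a defender can hunt for: an API request from a client followed shortly by a GET from the same client for a file the application would never normally serve. The following script is an added example, not code from EclecticIQ, Ivanti or this article. It assumes access logs in the common "combined" format (real EPMM log formats may differ), a hypothetical `/api/` prefix for API traffic, a hypothetical allowlist of expected path prefixes, and a five-minute correlation window; the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed "combined" access-log line layout (real EPMM logs may differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical allowlist: paths the application is expected to serve. A 200 with
# a body for anything outside it is treated as a possible staged-output fetch.
EXPECTED_PREFIXES = ("/api/", "/static/", "/login")
API_PREFIX = "/api/"          # hypothetical prefix for API requests
WINDOW = timedelta(minutes=5)  # how long after an API call a fetch is correlated

# Constructed sample lines: one API call followed by a fetch of an unexpected
# file (suspicious), one benign API call, and one unexpected fetch with no
# preceding API call from that client (not correlated).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/May/2025:10:00:00 +0000] "POST /api/example HTTP/1.1" 200 0',
    '203.0.113.5 - - [16/May/2025:10:00:45 +0000] "GET /out.txt HTTP/1.1" 200 4096',
    '198.51.100.7 - - [16/May/2025:10:01:00 +0000] "GET /static/logo.png HTTP/1.1" 200 1200',
    '198.51.100.7 - - [16/May/2025:10:01:05 +0000] "GET /api/example HTTP/1.1" 200 300',
    '192.0.2.9 - - [16/May/2025:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 50',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    e["path"] = e["path"].split("?", 1)[0]  # ignore the query string
    return e


def find_staged_fetches(lines):
    """Return (client_ip, api_path, fetched_path) for every GET of an
    unexpected file that follows an API request from the same client
    within WINDOW. Lines are assumed to be in chronological order."""
    last_api = {}  # client ip -> (timestamp, api path) of its most recent API call
    alerts = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["path"].startswith(API_PREFIX):
            last_api[e["ip"]] = (e["ts"], e["path"])
            continue
        if (e["method"] == "GET" and e["status"] == 200 and e["size"] > 0
                and not e["path"].startswith(EXPECTED_PREFIXES)
                and e["ip"] in last_api):
            api_ts, api_path = last_api[e["ip"]]
            if timedelta(0) <= e["ts"] - api_ts <= WINDOW:
                alerts.append((e["ip"], api_path, e["path"]))
    return alerts


if __name__ == "__main__":
    for ip, api_path, fetched in find_staged_fetches(SAMPLE_LOG):
        print(f"possible staged-output fetch: {ip} called {api_path}, then GET {fetched}")
```

The correlation is deliberate: an unexpected GET on its own (the `/robots.txt` line) is noise on most appliances, whereas the same client first hitting the API and then pulling a file outside the application's normal paths matches the recon-then-retrieve sequence. Because the attacker deletes the staged file afterwards, the access log may be the only surviving record, so it should be shipped off the appliance rather than read in place.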
The EclecticIQ report also notes that the latest UNC5221 attacks are linked to the Linux backdoor 'Auto-Color', first reported by Palo Alto Networks' Unit 42 in February but without clear attribution at that time.
The latest attacks show that Chinese espionage groups continue to target network edge devices to gain initial access to target organizations.
According to EclecticIQ, exploitation began two days after public disclosure, underlining how critical it is to apply security updates as soon as possible.