惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

美团技术团队
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
博客园 - Franky
有赞技术团队
有赞技术团队
博客园 - 司徒正美
量子位
N
News and Events Feed by Topic
T
Threatpost
Last Week in AI
Last Week in AI
D
Darknet – Hacking Tools, Hacker News & Cyber Security
酷 壳 – CoolShell
酷 壳 – CoolShell
C
CERT Recently Published Vulnerability Notes
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
I
Intezer
人人都是产品经理
人人都是产品经理
T
Tenable Blog
IT之家
IT之家
雷峰网
雷峰网
腾讯CDC
博客园 - 聂微东
V
Visual Studio Blog
S
SegmentFault 最新的问题
Scott Helme
Scott Helme
Spread Privacy
Spread Privacy
月光博客
月光博客
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
V
V2EX
大猫的无限游戏
大猫的无限游戏
Apple Machine Learning Research
Apple Machine Learning Research
爱范儿
爱范儿
T
Tailwind CSS Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
N
Netflix TechBlog - Medium
J
Java Code Geeks
宝玉的分享
宝玉的分享
F
Full Disclosure
WordPress大学
WordPress大学
A
Arctic Wolf
小众软件
小众软件
AWS News Blog
AWS News Blog
Attack and Defense Labs
Attack and Defense Labs
NISL@THU
NISL@THU
AI
AI
Hugging Face - Blog
Hugging Face - Blog
F
Fortinet All Blogs
云风的 BLOG
云风的 BLOG
N
News | PayPal Newsroom
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org

The Register - Security: CSO

Anthropic's Mythos has The Kettle crew curious, skeptical 'People's Panel' to check if UK wants controversial Digital ID will cost £630K Top npm package backdoored to drop dirty RAT on dev machines Lightning-fast exploits mean patch fast, says Cisco Talos Lightning-fast exploits mean patch fast, says Cisco Talos Smooth criminals talking their way into cloud environments, Google says Cybercrime up 245% since the start of the Iran war Scattered Lapsus$ Hunters seeks women to defraud helpdesks Every day in every way, passwords are getting worse CISA quietly updated ransomware flags on 59 flaws last year Deepfake job seeker applied to work for an AI security firm Deepfake job seeker applied to work for an AI security firm AI-powered cyberattack kits are 'just a matter of time' AI-powered cyberattack kits are 'just a matter of time' FortiGate SSO bug still exploitable despite December patch FortiGate SSO bug still exploitable despite December patch Judge tosses CrowdStrike shareholder suit over 2024 outage DRAM shortage may drive firewall prices higher: analysts Ransomware attacks kept climbing in 2025 as gangs refused to stay dead Around 1,000 systems compromised in ransomware attack on Romanian water agency 1,000 systems pwned in Romanian Waters ransomware attack Half of exposed React servers remain unpatched amid attacks CISA warns spyware crews are breaking into Signal and WhatsApp accounts FCC guts Salt Typhoon telco rules despite espionage risk CISA orders feds to patch Oracle Identity Manager zero-day SEC drops SolarWinds lawsuit that painted a target on CISOs everywhere SEC bails on SolarWinds lawsuit Palo Alto kit sees massive surge in malicious activity amid mystery traffic flood Palo Alto kit sees massive surge in malicious activity Countries use cyber targeting to plan strikes: Amazon CSO Overconfidence is the new zero-day as teams stumble through cyber simulations UK's Cyber Security and Resilience Bill makes Parliamentary debut Cyber insurers paid out over twice as much for UK ransomware attacks last year Cyberpunks mess with Canada's water, energy, and farm systems Trump's workforce cuts blamed as America's cyber edge dulls Feds flag active exploitation of patched Windows SMB vuln How malware vaccines could stop ransomware's rampage Salesforce refuses to pay ransomware crims' extortion demand Germany slams brakes on EU's Chat Control snoopfest Germany slams brakes on EU's Chat Control snoopfest Employees regularly paste company secrets into ChatGPT Oracle tells Clop-targeted EBS users to apply July patch Red Hat repos raided, claims cybercrew, files stolen Suspected Chinese spies broke into 'numerous' enterprises UK gov acknowledges 'strong case' for JLR financial support JLR extends shutdown – again – as toll on workers laid bare UK chancellor blames cyberattacks on Russia despite evidence Fortra discloses 10/10 severity bug in GoAnywhere MFT Entra ID bug could have granted access to every tenant UEFI Secure Boot for Linux Arm64 – where do we stand? JLR says cyber cleanup to take additional week Insider blamed for FinWise data breach affecting nearly 700K Nork snoops whip up fake military ID with help from ChatGPT UK government dragged for incomplete security reforms Church of England abuse victims exposed by lawyer's email US spy chief claims UK backdown on Apple backdoor demand Workday confirms CRM breach via social engineering Black Hat/DEF CON: AI more useful for defense than hacking Ex-White House cyber guru talks Microsoft security fails CISA releases malware analysis for Sharepoint Server attack China: US spies used Microsoft Exchange 0-day to steal info Security pros drowning in threat-intel data Identity attacks surge 156% as phishermen get craftier Organizations can’t keep up with supply chain security musts Amazon CISO: Iranian hacking crews ‘on high alert’ UK data watchdog fines 23andMe £2.3M over 2023 breach Employers are demanding too much from junior cyber recruits FCA warned four staffers who pocketed regulator data Ransomware just wrecked your network – now what? Ex-NSA listened to Scattered Spider's calls: 'They're good' Snowflake CISO talks lessons learned from breaches, improv Why CVSS is failing us and what we can do about it Infosec pros still aren't nailing the basics of AI security Ransomware crims targeting systems between IT and operations Why aggregating asset inventory leads to better security NCSC and industry at odds over how to tackle shoddy software Powerschool extortionists may not have deleted stolen data CrowdStrike trims workforce by 5 percent, aims to rely on AI NSO Group must pay Meta $168M in WhatsApp spy case Ghost in the shell script: Boffins seek code correctness How Intruder finds what others miss in cloud security Linux malware can avoid syscall-based endpoint protection Infosec pro blabs about alleged malware mishap on LinkedIn The future of AI in cybersecurity in a word – optimistic CVE board 'kept in the dark' on funding, members say Security snafus caused by third parties up from 15% to 30% Blue Shield shared 4.7M people's health info with Google Ads Who needs phishing when your login's already in the wild? US cyber defenses are being dismantled from the inside Bug hunter obtains an SSL cert for Alibaba Cloud in 5 steps
Ivanti RCE attacks 'ongoing,' exploitation hits clouds
Jessica Lyons Jessica Lyons · 2025-05-21 · via The Register - Security: CSO

CSO

'Ongoing' Ivanti hijack bug exploitation reaches clouds

Nothing like insecure code in security suites

The "ongoing exploitation" of two Ivanti bugs has now extended beyond on-premises environments and hit customers' cloud instances, according to security shop Wiz.

CVE-2025-4427 is an authenticated bypass vulnerability and CVE-2025-4428 is a post-authentication remote-code execution (RCE) flaw. Together they allow a miscreant to run malware on a vulnerable deployment and hijack it. Both holes affect Ivanti Endpoint Manager Mobile (EPMM), on-premises software used to manage company-issued devices and applications and secure access to sensitive corporate data. The security suite can also be deployed in the cloud using customer-managed resources.

There are at least a couple proof-of-concept (POC) exploits on the loose for these holes, so if you haven't already: Patch now.

Ivanti disclosed the bugs and issued patches for both last week, warning in a security alert it was "aware of a very limited number of customers" whose products had been exploited.

The flaws involve some unnamed open source libraries used in its code, according to a statement an Ivanti spokesperson emailed The Register Tuesday:

Ivanti has released a fix for vulnerabilities associated with open-source libraries used in our on-premise Endpoint Manager Mobile products. We are actively working with our security partners and the maintainers of the libraries to determine if a CVE against the libraries is warranted. We remain committed to collaboration and transparency with our stakeholders and the broader security ecosystem.    

At the time of disclosure, we are aware of a very limited number of on-premise EPMM customers whose solution has been exploited.

Wiz, on the other hand, asserts the exploitation extends into customers' self-managed cloud environments.

"Wiz Research has observed ongoing exploitation of these vulnerabilities in-the-wild targeting exposed and vulnerable EPMM instances in cloud environments since May 16," the cloud security firm's bug hunters Merav Bar, Shahar Dorfman, and Gili Tikochinski wrote Tuesday.

While we don't know who is behind the attacks, in at least once instance the miscreants used their ill-gotten access to deploy a remote-control program called Sliver within victims' cloud environments, we're told. Sliver is a favorite of all types of baddies, from Chinese and Russian government goons to ransomware gangs, because it ensures long-term total access to the compromised system for future snooping, ransomware deployment, credential stealing campaigns, and many other illicit activities.

On Monday, the US govt's Cybersecurity and Infrastructure Security Agency (CISA) added both bugs to its Known Exploited Vulnerabilities Catalog.

While neither CVE-2025-4427 nor CVE-2025-442 is considered critical on their own, receiving CVSS severity scores of 5.3 (medium) and 7.2 (high) out of 10, respectively, "in combination they should certainly be treated as critical," according to the Wiz kids.

The soon-to-be-Google-owned security shop said the attacks coincide with the emergence of POCs including those published by watchTowr and ProjectDiscovery on May 15.

About those open-source libraries

Wiz also indicates that the unnamed open-source libraries involved the insecure processing of Java Expression Language, and Spring.

We're told CVE-2025-4428 stems from the unsafe use of Java Expression Language in error messages. "It arises from the unsafe handling of user-supplied input within error messages processed via Spring's AbstractMessageSource, which allows attacker-controlled EL (Expression Language) injection," the researchers wrote.

Meanwhile, CVE-2025-4427, according to Wiz, is caused by improper request handling in EPMM's route configuration:

The security researchers say they spotted "multiple malicious payloads" being deployed post exploitation, including the Sliver code mentioned earlier.

Routes like /rs/api/v2/featureusage were unintentionally exposed without requiring authentication due to missing intercept-url rules in Spring Security configurations. This allows unauthenticated access to the RCE sink, enabling full pre-auth RCE when chained with CVE-2025-4428. 

This remote-control tool used 77.221.157[.]154 as its command-and-control server, which is significant because Wiz spotted this same IP address being used to attack similar flaws in exposed Palo Alto Networks' appliances in the fall. That didn't end well for buggy PAN-OS kits.

According to the bug hunters, the IP address is still in operation and a TLS certificate used by it hasn't changed since November 2024. "This continuity leads us to conclude that the same actor has been opportunistically targeting both PAN-OS and Ivanti EPMM appliances," the Wiz kids wrote.

The Register asked Ivanti for more information about the scope of exploitation, the open-source libraries linked to the security flaws, and other details. A spokesperson side-stepped those queries, and instead stressed the flaws are not present in Ivanti Neurons for MDM, Ivanti's own cloud-based offering.

"If a customer chooses to host their EPMM appliances in a cloud environment or other virtual machine infrastructure, this would be entirely chosen and managed by the customer," the spinner said. "To be clear: these vulnerabilities are not present in Ivanti Neurons for MDM."

Wiz researchers more or less concurred.

"We can confirm that the incident we found was on cloud hosted virtual appliances and not an on-prem device," Gili Tikochinski, malware researcher at Wiz, told The Register.

"This doesn't mean that the attacker explicitly targeted cloud environments because from an outside network perspective it is hard to differentiate the two deployment options but it does mean that both cloud and on-prem customers are at risk." ®