China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability blog.eclecticiq.com/china-nex…

On Thursday, May 15, 2025, Ivanti disclosed two critical vulnerabilities - CVE-2025-4427 and CVE-2025-4428 - affecting Ivanti Endpoint Manager Mobile (EPMM) version 12.5.0.0 and earlier. [1] These vulnerabilities can be chained to achieve unauthenticated remote code execution (RCE) on exposed systems.

EclecticIQ analysts observed active exploitation of this vulnerability chain in the wild, targeting internet-facing Ivanti EPMM deployments. The earliest observed exploitation activity dates back to May 15, 2025. Targeted organizations span critical sectors including healthcare, telecommunications, aviation, municipal government, finance, and defense across Europe, North America, and the Asia-Pacific region.

Based on the tactics, techniques, and procedures (TTPs) observed, EclecticIQ attributes this activity with high confidence to UNC5221, a China-nexus espionage group previously linked to zero-day exploitation of edge network appliances since at least 2023.

UNC5221 demonstrates a deep understanding of EPMM’s internal architecture, repurposing legitimate system components for covert data exfiltration. This includes the extraction of large volumes of personally identifiable information (PII), authentication credentials, and other sensitive data used for lateral movement within compromised environments.
