A suspected Chinese government spy group is behind the rash of attacks that exploit two Ivanti bugs that can be chained together to achieve unauthenticated remote code execution (RCE), according to analysts at threat intelligence outfit EclecticIQ.
The exploits began on May 15, we’re told, and targeted organizations in the healthcare, telecommunications, aviation, municipal government, finance, and defense sectors. Attackers went after entities across Europe, North America, and Asia-Pacific.
Targets include UK local government authorities and National Health Service institutions, the “largest” German telecommunications provider and its managed IT service provider subsidiaries, and an Irish aerospace leasing company, North American healthcare companies, and a US transport infrastructure entity that manages airport systems in Houston, we understand.
The suspected spies also went after a multi-national bank operating in South Korea, and a Japanese automotive parts supplier known for advanced electronics and powertrain systems, we’re told.
Ivanti did not immediately respond to The Register‘s request for comment.
Fourth time in three years
“Based on the tactics, techniques, and procedures (TTPs) observed, EclecticIQ attributes this activity with high confidence to UNC5221, a China-nexus espionage group previously linked to zero-day exploitation of edge network appliances since at least 2023,” wrote Arda Büyükkaya, a security researcher at EclecticIQ.
This marks the fourth time in three years that this same group has pwned buggy Ivanti products, which is not a good look given Ivanti sells infosec products.
The newest Ivanti security flaws under exploit are CVE-2025-4427, an authentication bypass vulnerability, and CVE-2025-4428, a post-authentication remote-code execution (RCE) flaw. Together they allow a miscreant to run malware on a vulnerable deployment and hijack it.
Both holes affect Ivanti Endpoint Manager Mobile (EPMM), software used to manage and secure company-issued devices and applications. The software can be run on-premises and also be deployed in the cloud using customer-managed resources.
Ivanti disclosed and patched the bugs last week, warning in a security alert it was “aware of a very limited number of customers” whose products had been exploited.
Earlier this week, soon-to-be-Google-owned security firm Wiz warned exploitation now extends into Ivanti customers’ self-managed cloud environments. “We can confirm that the incident we found was on cloud hosted virtual appliances and not an on-prem device,” Gili Tikochinski, malware researcher at Wiz, told The Register on Wednesday.
That assessment echoes EclecticIQ’s analysis. The Dutch threat intel firm told us it saw UNC5221 deploy the KrustyLoader backdoor on compromised Ivanti EPMM systems from a compromised AWS S3 bucket, and then use the malware to deliver additional payloads including the Sliver remote-control suite.
The snoops also specifically targeted the so-called mifs database present in some Ivanti devices, which Büyükkaya said is a “primary target for espionage and data exfiltration operations by China-nexus actors,” because it “gives threat actors visibility into managed mobile devices (including IMEI, phone numbers, location, SIM details etc.), LDAP users, and Office 365 refresh and access tokens.”
Another piece of evidence tying this attack to China is the alleged attackers’ use of the IP address 27.25.148[.]183, which is hosted in China, and was previously used in the SAP NetWeaver attacks that the security shop attributed to UNC5221 in early May.
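For defenders who want to check their own web-access logs against the indicator above, here is an added example (not from EclecticIQ or The Register) that re-fangs the published address and reports exact client-IP matches; the log lines, hostnames and paths are constructed for illustration.

```python
import re
from datetime import datetime

# Indicator as published in the EclecticIQ write-up, defanged with "[.]".
DEFANGED_IOCS = ["27.25.148[.]183"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('27.25.148[.]183', 'hxxp://') back into its live form."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))

# Constructed sample lines in combined-access-log format (paths are made up).
SAMPLE_LOG = """\
27.25.148.183 - - [16/May/2025:02:14:07 +0000] "GET /example-path HTTP/1.1" 200 512
198.51.100.7 - - [16/May/2025:02:15:31 +0000] "GET /index.html HTTP/1.1" 200 1024
127.25.148.183 - - [16/May/2025:02:15:40 +0000] "GET /index.html HTTP/1.1" 200 1024
27.25.148.183 - - [16/May/2025:02:16:02 +0000] "POST /example-path HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def find_ioc_hits(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return (iso_timestamp, ip, request, status) for each line whose client IP is an IoC.

    Matching is by exact set membership, so a substring such as 127.25.148.183
    does not produce a false hit the way a naive grep would.
    """
    watch = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        if m["ip"] in watch:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts.isoformat(), m["ip"], m["req"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in find_ioc_hits(SAMPLE_LOG):
        print(*hit)
```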
Probe pop preceded pwnage?
These new compromises follow an April warning from threat intelligence firm GreyNoise, which sounded the alarm on a surge of Ivanti endpoint scans. The number of IP addresses scanning for the vendor’s Connect Secure and Pulse Secure systems jumped 800 percent in mid-April, according to GreyNoise analysts, who noted that this steep uptick in scans usually precedes exploitation and public disclosure of new vulnerabilities.
While these most recent attacks aren’t due to flaws in Connect Secure and Pulse Secure like the previous three, near-constant probing of Ivanti products by the same Chinese crew since 2023 suggests quality control is an issue for the vendor.
Ivanti CEO Jeff Abbott called a 2024 Connect Secure security SNAFU “humbling,” and committed to overhauling his company’s security practices. ®