Chinese state-backed hackers are exploiting two new security flaws in Ivanti’s Endpoint Manager Mobile (EPMM) to target high-value industries across Europe, North America, and Asia-Pacific.
The attackers, tied to the threat group UNC5221, are using two medium-severity bugs, CVE-2025-4427 and CVE-2025-4428. These flaws let them bypass login checks and run code remotely. Chained together, the two bugs give the attackers full control over exposed systems.
Ivanti released patches on May 13. But only days later, working exploit code was shared online. Threat actors quickly moved to attack unpatched systems. Security firms Wiz and EclecticIQ both confirmed active exploitation.
EclecticIQ links these attacks to UNC5221, a Chinese espionage group. They’ve targeted zero-day flaws since 2023 and are known for stealing sensitive data. This includes credentials, personal info, and internal documents.
Since May 15, the hackers have hit EPMM servers facing the internet. Targets include firms in aviation, defense, finance, healthcare, and telecom. A German telecom giant, a US gun manufacturer, a cybersecurity company, and a South Korean bank were all hit.
EPMM is key software in many companies. It manages thousands of mobile devices. A breach could give attackers access to all connected devices. That’s what makes this so serious.
To stay inside networks, the group uses FRP (Fast Reverse Proxy). This open-source tool opens a covert tunnel from the compromised host out to attacker-controlled servers. They also use KrustyLoader to drop the Sliver backdoor, giving them full remote control.
Investigators also saw the group run commands to explore systems and hide their tracks. In some cases, they likely disguised stolen data as ordinary web traffic on the way out, then deleted logs to cover the activity.
UNC5221 has done this before. They’ve used bugs in Ivanti, Palo Alto Networks, and SAP to break into other networks and deploy similar malware.
EclecticIQ says it’s highly confident this is UNC5221. The same tools, servers, and methods have shown up in their past attacks. This fits a broader pattern of Chinese cyber spying against Western infrastructure.