PODCAST
June 6, 2025
UNC5221 Exploits Ivanti EPMM: What Adarma’s Incident Responders Have Uncovered
A recently patched pair of vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) — CVE-2025-4427 and CVE-2025-4428 — has been exploited in the wild by UNC5221, a threat group believed to be linked to the Chinese state. When chained together, these vulnerabilities enable unauthenticated remote code execution on affected appliances.
In this episode of Cyber Insiders, Cian Heasley, Threat Lead at Adarma, shares what our Incident Response team uncovered during a recent investigation into this exploitation campaign. He outlines the attack chain, the techniques used by the threat actor, and the immediate implications for defenders.
Cian provides a detailed breakdown of how UNC5221 gained access to Ivanti EPMM devices, including the chaining of vulnerabilities to bypass authentication and execute commands. He also highlights the group’s use of base64 obfuscation, credential harvesting, and the attempted deployment of KrustyLoader malware configured with a Sliver C2 agent.
The episode also examines how this activity aligns with UNC5221’s previous campaigns and what their persistent targeting of Ivanti systems suggests about their strategic objectives, particularly their interest in edge infrastructure used by sectors like Critical National Infrastructure (CNI).
You’ll also learn:
- Why perimeter devices are high-value targets for espionage-focused threat groups
- The parallels between UNC5221 and ransomware groups when it comes to exploiting edge technology
- How quickly exploitation begins once vulnerabilities are disclosed
- What CNI and financial services organisations need to prioritise right now
- The key internal capabilities needed to respond effectively to attacks like this
To hear how Adarma’s team investigated this threat and what practical steps organisations should take, listen to the full episode now.