UNC5221 Exploits Ivanti EPMM: What Adarma’s Incident Responders Have Uncovered
JUN 6, 2025 | 15 MIN
Description
In this episode of Cyber Insiders, Cian Heasley, Threat Lead at Adarma, walks us through our Incident Response team's investigation into the exploitation of Ivanti Endpoint Manager Mobile (EPMM) by UNC5221, a threat group linked to the Chinese state.

Cian breaks down how the attackers chained CVE-2025-4427 and CVE-2025-4428 to gain unauthenticated remote code execution, what tools and techniques they used, and explains why this campaign shows signs of strategic pre-positioning.