BUSHWALK


Description

A mitigation bypass technique was recently identified that led to the deployment of a custom webshell tracked as BUSHWALK. Successful exploitation bypasses the initial mitigation that Ivanti provided on Jan. 10, 2024. At this time, Mandiant assesses that the mitigation bypass activity is highly targeted and limited, and that it is distinct from the post-advisory mass exploitation activity. BUSHWALK is written in Perl and is embedded into a legitimate Connect Secure (CS) file, querymanifest.cgi. BUSHWALK gives a threat actor the ability to execute arbitrary commands or write files to the server. BUSHWALK executes its malicious Perl function, validateVersion, only if the web request's platform parameter is SafariiOS. It uses Base64 and RC4 to decode and decrypt the threat actor's payload carried in the web request's command parameter.

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-9713
CVE: Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability
CVE: Ivanti Endpoint Manager Mobile (EPMM) Path Traversal Vulnerability
CVE: Ivanti Connect Secure and Policy Secure Command Injection Vulnerability
Software: ROOTROT
CVE: Ivanti Endpoint Manager (EPM) Absolute Path Traversal Vulnerability
Sourced from MITRE ATT&CK Enterprise. Curated by Adam Lundqvist, SQUR.