Another Ivanti Zero-Day Under Active Exploitation
Ivanti customers are once again facing an actively exploited zero-day vulnerability, this time in Endpoint Manager Mobile (EPMM) — formerly known as MobileIron. Security researchers and incident responders have confirmed that threat actors are leveraging the defect to intrude into victim networks, continuing a pattern that has made Ivanti products one of the most persistently targeted network edge platforms in the industry.
The vulnerability was disclosed on May 7, 2026, and reported by CyberScoop. At the time of publication, Ivanti had issued interim guidance to customers while a patch was still being developed.
What Is Ivanti EPMM?
Ivanti Endpoint Manager Mobile (EPMM) is an enterprise mobile device management (MDM) and endpoint security platform used by organizations to manage and secure mobile devices, enforce policies, and distribute enterprise applications. EPMM is internet-facing by design — devices in the field need to reach the management server — making it a particularly attractive target for initial access.
The product is used by:
- Government agencies
- Healthcare organizations
- Financial institutions
- Critical infrastructure operators
Many of these customers have strict patch cycle constraints, creating windows of exposure when zero-days emerge between scheduled maintenance periods.
The Vulnerability
The specific technical details of the flaw have not been fully disclosed to prevent further exploitation while patches are developed. What is known:
- Product affected: Ivanti Endpoint Manager Mobile (EPMM)
- Exploitation status: Actively exploited in the wild at time of disclosure
- Attack surface: The flaw exists in a component exposed to the network, consistent with Ivanti's history of internet-facing product vulnerabilities
- Impact: Allows attackers to intrude into victim networks via the EPMM server as an entry point
Ivanti has notified customers and published mitigation guidance; customers should apply it immediately rather than waiting for the patch.
A Recurring Pattern
This latest zero-day continues a troubling track record for Ivanti products in recent years. The company's network edge products — including Connect Secure (VPN), Policy Secure, and now EPMM again — have been subject to repeated zero-day exploitation:
| Year | Product | Description |
|---|---|---|
| 2023 | EPMM (CVE-2023-35078) | Auth bypass exploited by nation-state actors |
| 2024 | Connect Secure | Mass exploitation by China-nexus actors |
| 2025 | Connect Secure | Continued zero-day exploitation |
| 2026 | EPMM | This incident — active exploitation confirmed |
The frequency of Ivanti zero-days has prompted CISA to issue multiple emergency directives, and some security practitioners have publicly called for federal agencies to reconsider their reliance on Ivanti products given the persistent exploitation pattern.
Who Is Targeting Ivanti?
Past Ivanti zero-days have been attributed to or associated with:
- Chinese state-sponsored threat actors (UNC5221 and groups assessed as adjacent to Volt Typhoon)
- Iranian-aligned groups
- Cybercrime operators seeking initial access for ransomware deployment
The internet-facing nature of EPMM and similar products makes them high-value for any threat actor seeking privileged, persistent access to enterprise networks without having to phish individual users.
Immediate Actions for Ivanti EPMM Customers
Organizations running Ivanti EPMM should take the following steps immediately:
Patch and Mitigate
- Apply Ivanti's published mitigation steps immediately — do not wait for a full patch if mitigations are available.
- Restrict EPMM internet exposure where possible using firewall rules, allowlisted IP ranges, or placing the management interface behind a VPN or zero-trust gateway.
- Monitor Ivanti's security advisories for an emergency patch release and apply it as soon as it is available.
Detect and Hunt
- Review EPMM access logs for unusual authentication attempts, API calls, or connections from unexpected source IPs.
- Check for indicators of compromise (IoCs) published by Ivanti and third-party threat intelligence sources as they become available.
- Add SIEM detections that alert on anomalous EPMM activity, particularly successful authentications followed by unusual administrative actions (for example, new administrator accounts or configuration exports) or activity from source addresses outside the ranges your administrators and integrations normally use.
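The three hunting patterns above (unexpected source addresses, bursts of failed authentication, and a successful login followed by a sensitive administrative action) can be expressed as a small stand-alone script. The following is an added example, not code from the original article or from Ivanti. The log line format, the `EXPECTED_SOURCES` allowlist, the action names and the thresholds are all constructed for illustration and are not Ivanti's actual log schema; adapt the parser to whatever fields your EPMM instance emits and your SIEM already collects.

```python
"""Hunt over EPMM-style access logs for the three patterns in the text.

The log format, sample lines, allowlist and thresholds are constructed for this
example and are NOT Ivanti's actual log schema. Adapt parse() to your fields.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <timestamp> <source IP> <event> <account> <detail>
SAMPLE_LOG = """\
2026-05-07T08:01:12Z 10.20.30.5 AUTH_OK admin1 ui
2026-05-07T08:02:40Z 10.20.30.5 ADMIN_ACTION admin1 policy_view
2026-05-07T09:14:03Z 198.51.100.23 AUTH_FAIL admin -
2026-05-07T09:14:04Z 198.51.100.23 AUTH_FAIL admin -
2026-05-07T09:14:05Z 198.51.100.23 AUTH_FAIL admin -
2026-05-07T09:14:06Z 198.51.100.23 AUTH_FAIL admin -
2026-05-07T09:14:07Z 198.51.100.23 AUTH_FAIL admin -
2026-05-07T09:14:08Z 198.51.100.23 AUTH_FAIL admin -
2026-05-07T09:20:31Z 203.0.113.77 API_CALL - /api/v2/devices
2026-05-07T09:20:32Z 203.0.113.77 AUTH_OK svc_api api
2026-05-07T09:20:45Z 203.0.113.77 ADMIN_ACTION svc_api create_admin_user
2026-05-07T09:21:02Z 203.0.113.77 ADMIN_ACTION svc_api export_config
"""

# Hypothetical ranges from which admin and API access is expected.
EXPECTED_SOURCES = [ipaddress.ip_network("10.20.30.0/24")]
# Hypothetical names for admin actions worth alerting on after a login.
SENSITIVE_ACTIONS = {"create_admin_user", "export_config",
                     "upload_app", "change_auth_settings"}
FAIL_THRESHOLD = 5                  # failures from one IP ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within this window
FOLLOW_WINDOW = timedelta(minutes=30)  # login -> sensitive action gap


def parse(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, ip, event, account, detail = line.split(maxsplit=4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ipaddress.ip_address(ip), "event": event,
            "account": account, "detail": detail}


def is_expected(ip):
    return any(ip in net for net in EXPECTED_SOURCES)


def hunt(log_text):
    """Return a list of (rule, source_ip, detail) findings."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    findings = []

    # Rule 1: any successful auth, API call or admin action from an
    # address outside the expected ranges (reported once per address).
    seen = set()
    for e in events:
        if (e["event"] in ("AUTH_OK", "API_CALL", "ADMIN_ACTION")
                and not is_expected(e["ip"]) and e["ip"] not in seen):
            seen.add(e["ip"])
            findings.append(("unexpected_source", str(e["ip"]), e["event"]))

    # Rule 2: >= FAIL_THRESHOLD failed logins from one IP inside FAIL_WINDOW.
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "AUTH_FAIL":
            fails[e["ip"]].append(e["ts"])
    for ip, times in fails.items():
        times.sort()
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= FAIL_WINDOW:
                j += 1
            if j - i >= FAIL_THRESHOLD:
                findings.append(("auth_fail_burst", str(ip), j - i))
                break

    # Rule 3: successful auth followed by a sensitive admin action from the
    # same IP within FOLLOW_WINDOW (the "login then odd admin action" pattern).
    last_login = {}
    for e in events:
        if e["event"] == "AUTH_OK":
            last_login[e["ip"]] = e["ts"]
        elif e["event"] == "ADMIN_ACTION" and e["detail"] in SENSITIVE_ACTIONS:
            t = last_login.get(e["ip"])
            if t is not None and e["ts"] - t <= FOLLOW_WINDOW:
                findings.append(("auth_then_sensitive_action",
                                 str(e["ip"]), e["detail"]))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in hunt(SAMPLE_LOG):
        print(f"{rule:28} {ip:16} {detail}")
```

Run against the constructed sample, the script reports the brute-force burst from 198.51.100.23 and, for 203.0.113.77, both the unexpected source address and the two sensitive admin actions that follow its login; the legitimate admin1 session from the allowlisted range produces nothing. Rule 3 on its own will also fire on legitimate administrators, so in a SIEM you would typically raise its severity only when Rule 1 matches the same address or the action is rare for that account.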
Contingency Planning
- Assess blast radius: Determine what EPMM can access in your environment (corporate email, applications, device configurations) and what an attacker with EPMM server access could reach.
- Verify MFA is enforced on all EPMM administrative accounts.
- Consider temporarily disabling internet-facing EPMM access if operational requirements allow, until a full patch is deployed.
CISA and Regulatory Implications
Given the history of Ivanti vulnerabilities appearing on CISA's Known Exploited Vulnerabilities (KEV) catalog, organizations should anticipate this flaw being added to the KEV list with a short federal remediation deadline. Federal agencies and critical infrastructure operators subject to CISA directives should prepare for expedited patching timelines.
The pattern of Ivanti zero-days has also drawn attention from regulators in the EU under NIS2 and similar frameworks — organizations with compliance obligations should document their response actions.
The Bigger Picture: Network Edge as the Perimeter
Ivanti's repeated zero-days reinforce a broader security principle: internet-facing network edge products are the new perimeter, and they are under constant offensive research by nation-state actors and cybercriminals alike. Products like MDM servers, VPN gateways, and remote access tools deserve the highest patching priority in any organization's vulnerability management program.
Organizations that have not already should consider:
- Continuous attack surface monitoring for all internet-facing services
- Zero-trust architecture to limit what an attacker gains even after compromising an edge device
- Vendor security track record as a factor in product selection and risk assessment