Overview
Ivanti has issued an urgent security advisory warning customers of a newly discovered high-severity remote code execution (RCE) vulnerability in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. The flaw is being actively exploited in zero-day attacks, with threat actors leveraging it before a patch was available.
This disclosure continues a troubling pattern for Ivanti products, which have been a repeated target for nation-state and sophisticated threat actors over the past two years.
Vulnerability Details
The vulnerability resides in Ivanti EPMM, a mobile device management (MDM) platform widely deployed by enterprises, government agencies, and healthcare organizations to manage corporate mobile fleets.
- Product: Ivanti Endpoint Manager Mobile (EPMM)
- Severity: High
- Type: Remote Code Execution (RCE)
- Exploitation Status: Actively exploited in the wild (zero-day)
- Patch Available: Yes — customers urged to apply immediately
The flaw allows a remote attacker to execute arbitrary code on the EPMM server, either without prior authentication or with only minimal privileges, depending on the attack vector. Successful exploitation could give an attacker full control over the MDM platform, enabling them to:
- Push malicious configurations or profiles to managed devices
- Exfiltrate device inventories, certificates, and corporate credentials stored in EPMM
- Use the MDM platform as a pivot point to managed endpoints across the organization
- Disable security policies on managed mobile devices
Historical Context: Ivanti's Vulnerability Track Record
This latest disclosure is part of an alarming pattern. Ivanti products — particularly EPMM, Ivanti Connect Secure (VPN), and Ivanti Policy Secure — have been repeatedly targeted by sophisticated threat actors:
- 2023: CVE-2023-35078 and CVE-2023-35081 — EPMM authentication bypass and path traversal, exploited in attacks on the Norwegian government
- 2024: Multiple Ivanti Connect Secure zero-days exploited by Chinese APT groups (UNC5221, UNC5325)
- 2025–2026: Continued targeting of Ivanti infrastructure in government and critical sector environments
CISA has previously added Ivanti EPMM vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, and has issued emergency directives requiring federal agencies to patch within days of disclosure.
Who Is at Risk?
Organizations that are most exposed include:
- Government agencies using EPMM for mobile fleet management
- Healthcare providers with large mobile workforces and BYOD programs
- Financial institutions managing corporate mobile devices
- Any enterprise with EPMM instances exposed to the internet or reachable from untrusted networks
MDM platforms are particularly attractive targets because they sit at the center of an organization's mobile security posture and have privileged relationships with thousands of managed devices.
Recommended Actions
Ivanti has urged all customers to apply the patch immediately. The following steps should be taken:
1. Patch Immediately
- Apply the vendor-released patch as soon as possible. Log in to the Ivanti customer portal to obtain the update.
- CISA's KEV catalog deadlines (if applicable to your organization) impose mandatory patching timelines — treat this as a P1 incident regardless.
2. Check for Indicators of Compromise
Before patching, conduct a rapid threat hunt for signs of exploitation:
- Review EPMM server logs for unusual API calls, authentication anomalies, or unexpected administrative actions
- Look for unusual device enrollments or policy changes pushed to managed devices
- Check for newly created admin accounts or API tokens in the EPMM console
3. Restrict EPMM Access
- If EPMM is internet-facing, consider placing it behind a VPN or restricting access by IP allowlist until patched
- Disable any unused API endpoints or administrative interfaces
4. Rotate Credentials
- Rotate all service account credentials, API tokens, and certificates associated with EPMM
- Audit OAuth/SAML integrations for unauthorized access grants
5. Review Managed Device Configurations
- Audit recently pushed device profiles and configurations for unauthorized changes
- Verify that security policies (encryption, passcode, remote wipe) remain intact on managed devices
6. Enable Monitoring and Alerting
- Configure alerts for unusual EPMM administrative activity
- Forward EPMM logs to your SIEM for correlation with threat intelligence
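A hunt over constructed EPMM-style audit lines that implements the checks in step 2 above (failed-then-successful logins, console logins from outside the management network, newly created admin accounts and API tokens). This is an added example, not Ivanti's code or a real EPMM log format: the key=value layout, the action names and the 10.0.0.0/8 management subnet are assumptions to adapt to your own export.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in an assumed "ts key=value ..." audit format; real EPMM logs differ.
SAMPLE_LOG = """\
2026-03-01T02:11:04Z src=203.0.113.7 user=admin action=AUTH_FAIL
2026-03-01T02:11:05Z src=203.0.113.7 user=admin action=AUTH_FAIL
2026-03-01T02:11:06Z src=203.0.113.7 user=admin action=AUTH_FAIL
2026-03-01T02:11:09Z src=203.0.113.7 user=admin action=AUTH_OK
2026-03-01T02:12:40Z src=203.0.113.7 user=admin action=CREATE_ADMIN target=svc_backup2
2026-03-01T02:13:02Z src=203.0.113.7 user=admin action=CREATE_API_TOKEN target=sync-token
2026-03-01T09:00:12Z src=10.0.5.21 user=jsmith action=AUTH_OK
2026-03-01T09:05:30Z src=10.0.5.21 user=jsmith action=PUSH_PROFILE target=wifi-corp
"""
# Assumed: console/API logins are only expected from this management subnet.
ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FAIL_THRESHOLD = 3  # failed logins from one source before a success is suspicious
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    # Leading token is the timestamp; the rest are key=value fields.
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["ts"] = ts
    return fields

def hunt(log_text):
    # Returns (rule, timestamp, detail) tuples for the advisory's hunt criteria.
    findings = []
    fails = defaultdict(int)  # consecutive AUTH_FAIL count per source IP
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        src, act, user = ev.get("src", ""), ev.get("action", ""), ev.get("user", "")
        if act == "AUTH_FAIL":
            fails[src] += 1
            continue
        if act == "AUTH_OK":
            if fails[src] >= FAIL_THRESHOLD:
                findings.append(("fail_then_success", ev["ts"], f"{user} from {src} after {fails[src]} failures"))
            if not any(ipaddress.ip_address(src) in net for net in ADMIN_NETS):
                findings.append(("login_outside_admin_net", ev["ts"], f"{user} from {src}"))
        fails[src] = 0  # any non-failure event ends the streak
        if act in ("CREATE_ADMIN", "CREATE_API_TOKEN"):  # new admins/tokens always get reviewed
            findings.append(("new_" + act.lower(), ev["ts"], f"{user} created {ev.get('target', '?')}"))
    return findings

if __name__ == "__main__":
    for rule, ts, detail in hunt(SAMPLE_LOG):
        print(f"{ts} {rule}: {detail}")
```

On the constructed sample, the script flags the four events from 203.0.113.7 and leaves the jsmith session from the management subnet unflagged.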
CISA Advisory
CISA has flagged this vulnerability for federal agencies under its Binding Operational Directive. Federal civilian agencies are expected to apply the patch within the mandated timeframe. Organizations in critical infrastructure sectors should treat this with equivalent urgency.