Ivanti, which sells cybersecurity and enterprise mobility management products, confirmed that a new critical vulnerability in its Endpoint Manager Mobile (EPMM) platform is being actively exploited in zero-day attacks, before many organizations have had a chance to apply patches. The warning reignited concerns about the security of MDM (Mobile Device Management) platforms, which companies and governments rely on to manage corporate mobile devices.
The vulnerability specifically affects on-premises instances of Ivanti EPMM and could allow remote attackers to execute arbitrary code without prior authentication, completely compromising the affected server. According to Ivanti, the flaw is already being used in real attacks against a limited set of organizations.
What is Ivanti EPMM and why does it matter
EPMM is Ivanti's MDM platform. Organizations use it for:
- managing corporate smartphones,
- applying security policies,
- controlling enterprise applications,
- managing remote access,
- protecting Android and iOS devices.
Because these platforms possess high privileges within the corporate infrastructure, compromising an EPMM server can give an attacker critical access to devices, users, and internal resources.
Technical details of the vulnerability
Ivanti indicated that the exploitation involves a chain of vulnerabilities that allows:
- unauthenticated remote access,
- bypass of security mechanisms,
- remote code execution (RCE),
- complete system takeover.
The company did not immediately publish all technical details to prevent facilitating massive attacks before organizations apply mitigations. However, it confirmed that external researchers and customers reported malicious activity in real environments. (bleepingcomputer.com)
A concerning pattern at Ivanti
Over recent years, Ivanti has become a frequent target for advanced threat groups because of the high exposure of its VPN, MDM, and enterprise gateway solutions.
Various recent incidents showed campaigns where actors linked to espionage and cybercrime exploited zero-day vulnerabilities in Ivanti products before official patch publication.
This new incident once again highlights:
- the need for a fast response to critical vulnerabilities,
- the complexity of keeping enterprise appliances secure,
- the importance of continuous monitoring on systems exposed to the internet.
A successful exploit could allow for:
- credential theft,
- access to corporate mobile devices,
- lateral movement within the network,
- malware installation,
- corporate espionage,
- ransomware deployment.
In organizations using integrated authentication or centralized administration, the impact could quickly extend to multiple internal systems.
Urgent recommendations
Ivanti recommended immediately applying the available security updates and reviewing the indicators of compromise published by the company.
Experts also suggest:
- restricting external access to EPMM servers,
- enabling advanced log monitoring,
- reviewing suspicious administrative activity,
- segmenting MDM servers from the rest of the network,
- implementing MFA for administrative access,
- performing forensic analysis if there are signs of compromise.
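The log-monitoring and administrative-review recommendations above can be turned into a concrete triage pass. The following is an added example and not Ivanti code: it runs over a constructed, hypothetical log format (ISO-8601 time, source IP, user or "-", action, HTTP status) and flags the patterns the article describes, namely sensitive administrative actions that succeed without an authenticated session, administrative activity from outside an assumed internal allowlist, and repeated failed logins from one address. The allowlist, the set of sensitive actions, the threshold and the sample log lines are all assumptions chosen for illustration; real EPMM audit and access logs use a different format and would have to be mapped onto these fields first.

```python
"""Triage of an MDM appliance's admin-activity log for signs of unauthorised access.

Added example; this is not Ivanti code. The line format is a constructed,
hypothetical one ("<ISO-8601 time> <source IP> <user or -> <action> <HTTP status>");
real EPMM audit and access logs differ and must be mapped onto these fields first.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumption: only these networks should ever reach the administrative interface.
ADMIN_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumption: actions that change the security posture of the MDM server.
SENSITIVE_ACTIONS = {"create_admin", "change_password", "push_profile", "export_config"}

# Failed logins from one source before it is reported as a brute-force attempt.
FAILED_LOGIN_THRESHOLD = 5

# Constructed sample log: a normal internal admin session, then a sequence in
# which an unauthenticated request creates an admin account from an external
# address and that account is immediately used to export the configuration.
SAMPLE_LOG = """
2024-01-01T08:00:00 10.1.2.3 alice login 200
2024-01-01T08:01:00 10.1.2.3 alice push_profile 200
2024-01-01T08:05:00 10.1.2.3 bob login 401
2024-01-02T03:12:00 203.0.113.7 - create_admin 200
2024-01-02T03:13:00 203.0.113.7 svc_backup login 200
2024-01-02T03:14:00 203.0.113.7 svc_backup export_config 200
"""


@dataclass
class Event:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    user: str
    action: str
    status: int


def parse_line(line: str) -> Event:
    """Parse one line of the constructed format into an Event."""
    ts, src, user, action, status = line.split()
    return Event(datetime.fromisoformat(ts), ipaddress.ip_address(src), user, action, int(status))


def is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip in net for net in ADMIN_ALLOWLIST)


def triage(lines: list[str]) -> list[tuple[str, str, str, str]]:
    """Return findings as (kind, source IP, user, action) tuples, in log order."""
    findings: list[tuple[str, str, str, str]] = []
    authenticated: set[tuple[str, str]] = set()  # (source IP, user) with an earlier successful login
    failed_logins: Counter[str] = Counter()

    for raw in lines:
        if not raw.strip():
            continue
        e = parse_line(raw)
        src = str(e.src)

        if e.action == "login":
            if e.status == 200:
                authenticated.add((src, e.user))
                if not is_internal(e.src):
                    findings.append(("external_admin_login", src, e.user, e.action))
            else:
                failed_logins[src] += 1
                if failed_logins[src] == FAILED_LOGIN_THRESHOLD:
                    findings.append(("login_brute_force", src, e.user, e.action))
            continue

        if e.action in SENSITIVE_ACTIONS and e.status == 200:
            if e.user == "-" or (src, e.user) not in authenticated:
                # A sensitive action that succeeded with no session, or from an address
                # that never logged in as that user, matches the unauthenticated-access
                # pattern the article describes and is the highest-priority finding.
                findings.append(("unauthenticated_admin_action", src, e.user, e.action))
            elif not is_internal(e.src):
                findings.append(("external_admin_action", src, e.user, e.action))
    return findings


def run_sample() -> list[tuple[str, str, str, str]]:
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for kind, src, user, action in run_sample():
        print(f"{kind:28} src={src:15} user={user:12} action={action}")
```

Running the block on the sample log reports the successful `create_admin` with no session first, then the external login and the external `export_config`; the single failed login stays below the brute-force threshold. The ordering of checks matters: a successful sensitive action with no prior login is reported as unauthenticated even when the source address is internal, because an attacker who has already moved laterally looks internal.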
Remote administration and enterprise mobility solutions have become priority targets for attackers due to their privileged access to corporate devices and credentials.
The Ivanti case once again demonstrates how a single vulnerability in critical infrastructure can quickly become an entry point for sophisticated, large-scale attacks.
Original Source: BleepingComputer – Ivanti warns of new EPMM flaw exploited in zero-day attacks