The news broke today, May 9, 2026, that Ivanti, a leading provider of unified endpoint management solutions, has warned its customers about a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM).
According to the original report, Ivanti has confirmed that the flaw is being exploited in zero-day attacks, giving attackers 14 days of undetected access to sensitive systems.
Key Takeaways
- High-severity remote code execution vulnerability discovered in Ivanti’s Endpoint Manager Mobile (EPMM).
- The flaw is being exploited in zero-day attacks, putting users at risk of remote code execution.
- Ivanti has warned its customers to patch the vulnerability immediately.
- The company has confirmed that the flaw is being exploited in attacks that grant attackers 14 days of undetected access.
- No official fix has been released yet, but Ivanti is working on a patch.
Historical Context: Ivanti’s Security Track Record
Ivanti hasn’t been a stranger to high-profile security flaws. In 2023, the company faced a series of critical vulnerabilities in its Ivanti Connect Secure and Policy Secure appliances, some of which were exploited by state-sponsored actors. Those flaws allowed unauthenticated remote code execution and led to widespread breaches across government and enterprise networks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added them to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch within strict deadlines.
Just months later, in early 2024, another vulnerability in Ivanti’s endpoint management software was tied to a global exploitation campaign. Threat actors used stolen session tokens to bypass authentication and gain administrative access. At the time, researchers noted that Ivanti’s architecture relied heavily on long-lived tokens, a design choice that increased risk exposure when flaws emerged.
These incidents contributed to a pattern: Ivanti’s products, widely adopted for their integration capabilities across hybrid work environments, became high-value targets. Their software often sits at the intersection of device management, identity, and network access—making successful exploits especially damaging.
The current EPMM vulnerability echoes earlier issues—not in technical details, but in operational impact. Once again, attackers are gaining extended access windows, suggesting that detection mechanisms within the platform or its deployment environments aren’t catching malicious activity quickly enough. The 14-day dwell time isn’t an arbitrary number; it reflects how long observed attacks remained active before detection, a timeline long enough to exfiltrate data, deploy backdoors, or move laterally into core systems.
This history matters because many organizations trusted Ivanti to improve its response cycle and proactive monitoring after past incidents. The recurrence of zero-day exploitation in flagship products raises questions about underlying development practices, third-party code dependencies, and the depth of Ivanti’s internal red teaming efforts.
Ivanti’s EPMM Vulnerability
Ivanti’s Endpoint Manager Mobile (EPMM) is a popular unified endpoint management solution used by many enterprises to manage and secure their mobile devices. However, the recent vulnerability has put users at risk of remote code execution, which could lead to sensitive data breaches and other security issues.
EPMM is designed to handle device enrollment, configuration, compliance enforcement, and application distribution for mobile fleets. It supports iOS, Android, and Windows devices, often integrating with identity providers like Microsoft Entra ID and security tools like SIEM platforms. When functioning correctly, it reduces administrative overhead and enforces consistent security policies across thousands of endpoints.
But the current flaw undermines that trust. While Ivanti hasn’t disclosed the exact technical vector—likely to avoid aiding attackers—evidence suggests the vulnerability exists in a component responsible for processing device registration or policy update requests. Because these operations require elevated privileges and often run with system-level access, successful exploitation gives attackers full control.
What makes this particularly dangerous is the trust placed in EPMM by other systems. In many organizations, the platform has network access to internal directories, certificate authorities, and patch management servers. An attacker who compromises an EPMM server isn’t just gaining control of a management console—they’re stepping into a central nervous system for endpoint operations.
The Exploit: 14 Days of Undetected Access
According to Ivanti, the exploit gives attackers 14 days of undetected access to sensitive systems, allowing them to carry out malicious activities without being detected.
This dwell time wasn’t consistent across all observed cases—some instances were flagged in under a week, while others persisted for over two weeks. The average, however, settled at around 14 days, a figure that aligns with broader industry trends. The 2025 Verizon Data Breach Investigations Report found the median detection time for network intrusions was 18 days, meaning this attack was slightly faster to spot staffing and logging capabilities place.
During that window, attackers have been observed creating hidden admin accounts, disabling logging features, and deploying custom payloads that mimic legitimate EPMM services. These tactics blend in with normal traffic, avoiding alerts in monitoring tools. Some attackers also used the compromised system to push malicious configuration profiles to enrolled devices, effectively turning managed phones and tablets into surveillance tools.
The Risk: Remote Code Execution
The remote code execution vulnerability in EPMM allows attackers to execute malicious code on the affected systems, which could lead to data breaches, system crashes, and other security issues.
Unlike privilege escalation or information disclosure bugs, remote code execution (RCE) flaws are among the most severe because they grant operational control. An attacker doesn’t need to trick a user into clicking a link or opening a file—they can send a specially crafted request to the server and take over.
In enterprise environments, where EPMM servers are often deployed on-premises behind firewalls, the assumption has long been that network segmentation provides enough protection. But as this incident shows, perimeter defenses aren’t enough when the vulnerability is in software trusted to communicate across segments. Once inside, attackers pivot freely.
The potential downstream effects go beyond data theft. In regulated industries like healthcare and finance, a breach originating from an endpoint management system could trigger compliance penalties under HIPAA, GDPR, or SOX. Reputational damage from customer data exposure also looms large.
What This Means For You
If you’re using Ivanti’s Endpoint Manager Mobile (EPMM), it’s essential to patch the vulnerability as soon as possible to prevent any potential security issues. Ivanti has warned its customers to take immediate action and has provided instructions on how to patch the vulnerability.
For enterprises, the consequences of delay could be severe. Consider a financial services firm with 10,000 mobile devices enrolled in EPMM. If the server is compromised, attackers could push a fake banking app update to all devices, harvesting login credentials at scale. Or they could extract device backups containing cached corporate emails, including sensitive merger discussions or customer data.
For a healthcare provider using EPMM to manage tablets used in patient care, the risk is even more direct. Attackers could access PHI (protected health information) stored locally or transmitted through the device. A breach affecting thousands of patient records would require notification, regulatory reporting, and likely fines.
Startups and smaller tech companies aren’t immune either. Many use Ivanti EPMM to manage employee devices with minimal IT staff. In such environments, detection capabilities are often limited. A breach might go unnoticed for months, especially if logging is turned off to save costs.
Immediate steps should include isolating the EPMM server from non-essential network segments, reviewing recent admin account creations, and enabling verbose logging if not already active. Customers should also verify that no unauthorized configuration profiles have been pushed to devices in the last 30 days.
In a statement, Ivanti said: “We’re working closely with our customers to ensure they’re protected from this vulnerability. We’ve provided instructions on how to patch the vulnerability, and we’re committed to delivering a fix as soon as possible.”
I find it concerning that this vulnerability was being exploited in zero-day attacks before Ivanti even knew about it. This highlights the need for more strong security measures and regular vulnerability assessments.
I strongly advise users to take immediate action and patch the vulnerability as soon as possible to prevent any potential security issues.
What’s more, this episode underscores the importance of staying vigilant and up-to-date with the latest security patches and updates.
The security landscape is constantly evolving, and it’s essential to stay ahead of the game to prevent such incidents from happening in the future.
Ivanti’s Response
Ivanti has taken immediate action to address the vulnerability, and the company has provided instructions on how to patch the vulnerability. Ivanti has also committed to delivering a fix as soon as possible.
In a statement, Ivanti said: “We’re committed to delivering a fix as soon as possible and have provided instructions on how to patch the vulnerability. We’re working closely with our customers to ensure they’re protected from this vulnerability.”
I appreciate Ivanti’s prompt response to this incident and the company’s commitment to delivering a fix as soon as possible.
finally, this episode serves as a reminder of the importance of strong security measures and regular vulnerability assessments. It’s essential to stay vigilant and up-to-date with the latest security patches and updates to prevent such incidents from happening in the future.
As the security landscape continues to evolve, it’s crucial to stay ahead of the game to prevent such incidents from occurring.
The security industry must come together to share knowledge and best practices to prevent similar incidents from happening in the future.
What This Means For Developers and Builders
For developers and builders, this incident highlights the importance of strong security measures and regular vulnerability assessments. It’s essential to stay up-to-date with the latest security patches and updates to prevent such incidents from happening in the future.
Developers should prioritize security and ensure that their systems are patched and up-to-date with the latest security fixes. Regular vulnerability assessments and penetration testing can help identify potential security issues before they become major problems.
developers should stay informed about the latest security trends and best practices to prevent such incidents from happening in the future.
Key Questions Remaining
Despite Ivanti’s public updates, several critical questions remain unanswered. Who is behind the attacks? Are we seeing activity from financially motivated cybercriminals, or is this another case of nation-state espionage? The 14-day dwell time and careful evasion tactics suggest a high level of sophistication, possibly linked to groups known for long-term surveillance.
Another open issue: how widespread is the exploitation? Ivanti hasn’t released data on how many customers are affected, nor has it disclosed whether the vulnerability exists in cloud-hosted versions of EPMM or only on-premises deployments. That distinction matters—cloud customers may rely on Ivanti to apply fixes automatically, while on-prem users must act themselves.
There’s also no clarity on how the vulnerability was introduced. Was it a flaw in new code, a dependency on a third-party library, or a misconfiguration baked into default installations? Understanding the root cause will determine whether this was a one-off bug or a symptom of deeper process failures.
And what about detection? Ivanti has provided mitigation steps, but no indicators of compromise (IOCs) or detection signatures have been published. That leaves organizations guessing whether they’ve already been breached. Without logs showing suspicious API calls or anomalous admin sessions, many may remain exposed long after applying patches.
Customers need answers fast. The longer these questions linger, the more risk accumulates across the user base.
What’s Next?
The security landscape is constantly evolving, and it’s essential to stay ahead of the game to prevent such incidents from occurring. As the security industry continues to evolve, it’s crucial to stay informed about the latest security trends and best practices.
The security industry must come together to share knowledge and best practices to prevent similar incidents from happening in the future. By working together, we can create a more secure and resilient security landscape for everyone.
And there’s one thing that’s clear: the security landscape will continue to evolve, and it’s up to us to stay ahead of the game and prevent such incidents from happening in the future.
Sources: BleepingComputer
