Ivanti EPMM Zero-Day Attack Campaign Targets Enterprise Mobile Management
Ivanti disclosed on May 7, 2026, that attackers are actively exploiting CVE-2024-29847, a critical remote code execution vulnerability in its Endpoint Manager Mobile (EPMM) platform. The company issued emergency security advisories warning that the flaw allows unauthenticated attackers to execute arbitrary code on vulnerable EPMM servers through specially crafted network requests.
The vulnerability affects the core authentication mechanism in EPMM's web interface, where improper input validation allows attackers to bypass security controls and gain administrative access. Security researchers discovered the flaw during routine penetration testing of enterprise mobile device management solutions, but threat actors had already begun exploiting it in targeted campaigns against organizations managing large mobile device fleets.
Ivanti's security team confirmed that the exploitation attempts began in late April 2026, with attackers specifically targeting healthcare, financial services, and government organizations that rely heavily on mobile device management for remote workforce operations. The attack chain involves sending malformed HTTP requests to the EPMM server's authentication endpoint, triggering a buffer overflow condition that allows code injection. Once successful, attackers gain full administrative privileges over the EPMM instance, including access to all managed mobile devices, corporate applications, and sensitive configuration data.
The CISA Known Exploited Vulnerabilities catalog added CVE-2024-29847 within hours of Ivanti's disclosure, emphasizing the active threat landscape surrounding this vulnerability. Intelligence reports indicate that multiple threat groups are now incorporating this exploit into their attack frameworks, with some campaigns showing characteristics consistent with advanced persistent threat (APT) operations targeting intellectual property and sensitive corporate data accessible through compromised mobile management platforms.
Critical Impact Scope for EPMM Deployments Across Enterprise Networks
The vulnerability impacts all versions of Ivanti Endpoint Manager Mobile prior to the emergency patches released May 7, 2026. Specifically affected are EPMM versions 11.4 (all builds prior to 11.4.14.0), version 11.10 (all builds prior to 11.10.16.0), and version 12.0 (all builds prior to 12.0.5.0). Organizations running these versions with internet-facing EPMM servers face immediate risk of compromise, as the vulnerability requires no authentication and can be exploited remotely over standard HTTPS connections.
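To turn the affected-version list above into a triage check over an EPMM inventory, the following added Python example (not Ivanti's code) encodes the branch-to-first-fixed-build mapping stated in this section and ranks unpatched hosts with internet-facing ones first; the inventory format and hostnames are constructed for illustration.

```python
# Branch -> first fixed build, as stated in the advisory text (11.4.14.0, 11.10.16.0, 12.0.5.0).
FIXED_BUILDS = {
    (11, 4): (11, 4, 14, 0),
    (11, 10): (11, 10, 16, 0),
    (12, 0): (12, 0, 5, 0),
}

def parse_version(s):
    """Turn '11.4.13' into a 4-tuple (11, 4, 13, 0) so tuples compare numerically."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))

def is_affected(version):
    """True if the build is below the fixed build for its branch, False if patched,
    None if the branch is not one of the three the advisory lists (decide manually)."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_BUILDS:
        return None
    return v < FIXED_BUILDS[branch]

def triage(inventory):
    """inventory: iterable of (hostname, version, internet_facing).
    Returns (hostname, version, internet_facing, target_build) for affected hosts,
    internet-facing hosts first, since those carry the immediate risk."""
    rows = []
    for host, version, exposed in inventory:
        if is_affected(version):
            target = ".".join(map(str, FIXED_BUILDS[parse_version(version)[:2]]))
            rows.append((host, version, exposed, target))
    return sorted(rows, key=lambda r: not r[2])

# Constructed sample inventory (hostnames and versions are hypothetical).
SAMPLE_INVENTORY = [
    ("epmm-dmz-01", "11.10.15", True),
    ("epmm-lab-02", "11.4.13.2", False),
    ("epmm-core-03", "12.0.5.0", False),
    ("epmm-dmz-04", "12.0.4", True),
]

if __name__ == "__main__":
    for host, ver, exposed, target in triage(SAMPLE_INVENTORY):
        print(f"{host}: {ver} -> upgrade to {target} ({'INTERNET-FACING' if exposed else 'internal'})")
```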
The attack vector particularly threatens large enterprises and government agencies that deploy EPMM to manage thousands of mobile devices across distributed workforces. Healthcare organizations using EPMM to secure medical devices and patient data access systems face especially severe risk, as successful exploitation could lead to HIPAA violations and patient safety concerns. Financial institutions managing mobile banking applications and trading platforms through EPMM also represent high-value targets for attackers seeking to access financial systems and customer data.
Network configurations that expose EPMM administrative interfaces to the internet without additional network segmentation amplify the risk significantly. Organizations using default EPMM configurations, particularly those that have not implemented multi-factor authentication for administrative access or network-level access controls, face the highest probability of successful exploitation. The vulnerability's CVSS score of 9.1 reflects its network-based attack vector, the lack of required user interaction, and the complete system compromise possible upon successful exploitation.
Emergency Patching and Immediate Mitigation Steps for EPMM Administrators
Ivanti released emergency patches for all affected EPMM versions on May 7, 2026, available through the company's customer portal and automatic update mechanisms. Administrators must immediately upgrade to EPMM 11.4.14.0, 11.10.16.0, or 12.0.5.0 depending on their current deployment version. The patches address the underlying input validation flaw in the authentication subsystem and implement additional security controls to prevent similar exploitation techniques.
Organizations unable to apply patches immediately should implement network-level mitigations to reduce exposure risk. This includes restricting EPMM server access to trusted IP ranges through firewall rules, implementing web application firewall (WAF) protection with rules specifically designed to block malformed authentication requests, and enabling comprehensive logging for all EPMM administrative activities. Network administrators should also consider temporarily disabling internet-facing EPMM access and requiring VPN connections for all administrative operations until patches can be deployed.
Detection guidance includes monitoring EPMM server logs for unusual authentication patterns, particularly failed login attempts followed by successful administrative access from the same source IP. Security teams should examine network traffic for HTTP requests containing unusual character encodings or oversized parameter values targeting EPMM authentication endpoints. Successful exploitation also leaves indicators in system logs, including process creation events with elevated privileges spawned from the EPMM service context and network connections initiated by EPMM processes to external IP addresses not associated with normal mobile device management operations.
Post-compromise recovery requires complete EPMM server rebuilding from known-good backups, thorough analysis of all managed mobile devices for signs of unauthorized configuration changes or malicious application installations, and comprehensive audit of all administrative actions performed during the potential compromise window. Organizations should also review and rotate all certificates, API keys, and administrative credentials associated with their EPMM deployment as part of the recovery process.