Protect.Computer

Chained Zero-Days in Ivanti EPMM Allow Remote Code Execution

Two chained zero-day vulnerabilities (CVE-2026-XXXX and CVE-2026-YYYY) have been discovered in Ivanti Endpoint Manager Mobile (EPMM), enabling unauthenticated attackers to execute code remotely on exposed Mobile Device Management (MDM) servers.

These vulnerabilities have been actively exploited in the wild, leading to the deployment of web shells, cryptominers, and persistent backdoors on compromised corporate networks. Because MDM servers have high-level privileges to manage devices across an organization, compromising the EPMM server can give attackers a powerful foothold into the enterprise.

Organizations running affected versions of Ivanti EPMM on instances exposed to the internet are at immediate risk, and rapid remediation is necessary.

How to check if you’re affected

  1. Check your EPMM Version: Determine the version of Ivanti Endpoint Manager Mobile (formerly MobileIron Core) you are currently running.
  2. Review Logs for Indicators of Compromise (IoCs): Examine your server logs for unexpected web shell deployments, unauthorized account creations, or unusual outbound traffic indicative of cryptomining.
  3. Apply the Patch: Ensure you apply the latest security patches provided by Ivanti immediately.
  4. Restrict Access: If immediate patching is not possible, restrict internet access to the EPMM admin portal.
