What Happened
Ivanti Endpoint Manager Mobile (EPMM) — the mobile device management platform used by enterprises and government agencies to manage employee smartphones, tablets, and laptops — contains two critical vulnerabilities that allow attackers to take full control of the MDM server without any username or password.
CISA added the second of the two vulnerabilities (CVE-2026-1340) to its Known Exploited Vulnerabilities catalogue on 8 April, confirming that active exploitation is underway. US federal agencies were given until 11 April to patch — a four-day window that signals the severity of the threat. Exploitation has been ongoing since January 2026, meaning organisations running unpatched EPMM may already be compromised.
Ivanti has released patches covering all supported versions. Patching requires no downtime.
Business Impact
The business consequences of a compromised MDM platform are qualitatively different from a standard server breach — and significantly more severe.
What an attacker gains:
An MDM platform is the management control plane for every device enrolled in it. A threat actor who controls EPMM can:
- See every enrolled device: employee smartphones, executive laptops, and tablets — their location, installed applications, and usage patterns
- Access all credentials distributed through the platform: VPN certificates, Wi-Fi configurations, email account settings, and any credentials pushed via MDM profiles
- Push new device profiles: potentially deploying compromised configuration profiles to thousands of devices silently, without user interaction
- Revoke certificates: disrupting access for legitimate users as a sabotage capability
This is not a single-server incident. A successful attack on EPMM extends the attacker’s reach to the entire mobile estate.
Financial exposure:
The combination of credential access and device visibility creates conditions for lateral movement into corporate networks, cloud environments, and sensitive data repositories. Historical MDM compromises have led to multi-month intrusions with data exfiltration costs running into millions. If the MDM platform distributes credentials for cloud services or production systems, the blast radius extends well beyond mobile devices.
Operational disruption risk:
An attacker with MDM control could simultaneously wipe or lock thousands of employee devices — a capability typically reserved for lost-device scenarios — creating significant operational disruption.
Regulatory Implications
Organisations subject to ISO 27001 and NIST CSF frameworks have explicit obligations around mobile device management security as part of asset and access management controls. A failure to patch a known-exploited critical vulnerability within a reasonable timeframe would represent a gap in documented security controls.
For organisations in regulated industries — financial services (PRA/FCA in the UK, SEC/FINRA in the US), healthcare (HIPAA), or critical infrastructure (NIS2 in the EU) — MDM compromise may trigger breach notification obligations if enrolled devices hold or access regulated data, and supervisory authorities may question the organisation’s security governance posture.
Board-Ready Summary
- Ivanti’s mobile device management platform has a critical, actively exploited vulnerability. An attacker who compromises EPMM gains visibility and management control over every mobile device in the fleet — including VPN credentials and device certificates.
- The risk extends beyond the MDM server itself. Credential and certificate access can enable broader network intrusion. This is a potential entry point to the entire corporate environment.
- Patching is available, requires no downtime, and must be applied immediately. CISA has confirmed active exploitation — organisations that delay are accepting the risk of a breach that could affect thousands of managed devices simultaneously.
Recommended Actions
- Confirm whether your organisation runs Ivanti EPMM on-premises. Cloud-hosted Ivanti environments may be less exposed but should be verified with your vendor.
- Apply the Ivanti EPMM patch today for all supported version branches (12.x). Coordinate with your IT/MDM team — Ivanti states this requires no service downtime.
- Audit EPMM access logs for the past 90 days. Look for unusual HTTP requests, unexpected outbound connections from the appliance, and any anomalous device profile push activity.
- Rotate credentials distributed through EPMM as a precautionary measure: VPN certificates, Wi-Fi authentication credentials, and any service account tokens provisioned via MDM profiles.
- Restrict the EPMM admin interface to management networks; it should not be reachable directly from the internet.
- Brief your CISO and IT leadership today — if Ivanti EPMM is deployed and unpatched, this warrants an emergency change management exception to apply the fix outside the normal patching window.