Threat Feed: Critical advisory

Multiple Vulnerabilities in Ivanti Endpoint Manager Mobile

Multiple vulnerabilities in Ivanti Endpoint Manager Mobile allow an attacker to gain administrator privileges, execute arbitrary code with administrator privileges, bypass security measures, manipulate data, and disclose sensitive information.

Multiple vulnerabilities exist within Ivanti Endpoint Manager Mobile (EPMM). An attacker exploiting these vulnerabilities could gain administrator privileges and execute arbitrary code with elevated permissions. That access could then be used to bypass security measures, manipulate sensitive data, and expose confidential information. Taken together, the vulnerabilities pose a significant risk and could enable a wide range of malicious activity on affected systems. Given the potential for complete system compromise, organizations using Ivanti EPMM should prioritize immediate investigation and remediation.

Attack Chain

  1. The attacker identifies a vulnerable Ivanti EPMM instance accessible over the network.
  2. The attacker exploits a vulnerability to bypass authentication and gain unauthorized access to the EPMM management interface.
  3. The attacker leverages a privilege escalation vulnerability to obtain administrator-level privileges within the EPMM system.
  4. The attacker uses their elevated privileges to inject malicious code into a managed device configuration profile.
  5. The compromised configuration profile is pushed to managed mobile devices.
  6. On the managed devices, the injected malicious code executes with administrator privileges.
  7. The attacker uses the compromised devices to gather sensitive data, such as credentials and network configurations.
  8. The attacker exfiltrates the stolen data to an external server controlled by the attacker.

Impact

Successful exploitation of these vulnerabilities could lead to a complete compromise of Ivanti Endpoint Manager Mobile and all managed devices. This could result in significant data breaches, financial losses, and reputational damage. The exact number of victims is currently unknown; however, organizations across various sectors that rely on Ivanti EPMM for mobile device management are potentially at risk.

Recommendation

  • Investigate all Ivanti Endpoint Manager Mobile deployments for signs of compromise.
  • Monitor web server logs for suspicious activity related to EPMM endpoints, using a webserver category rule.
  • Implement network monitoring to detect unauthorized data exfiltration from managed devices, leveraging a network_connection category rule.
  • Apply any available patches or workarounds provided by Ivanti to address the identified vulnerabilities.

Detection coverage (2 rules)

Detect Suspicious POST Requests to EPMM Management Interface

Severity: medium

Detects suspicious POST requests to the Ivanti EPMM management interface, potentially indicating unauthorized access attempts.

Rule format: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detect Unauthorized Data Exfiltration from Managed Devices

Severity: high

Detects network connections from managed devices to unusual external IP addresses or domains, potentially indicating data exfiltration.

Rule format: sigma | Tactics: exfiltration | Techniques: T1041 | Sources: network_connection, windows

Detection queries are available on the platform.