CISA Issues Emergency Directive for Ivanti EPMM Zero-Day Being Exploited by Nation-State Actors
- May 19
The Cybersecurity and Infrastructure Security Agency issued Emergency Directive 26-02 requiring all US federal civilian executive branch agencies to patch a critical vulnerability in Ivanti Endpoint Manager Mobile within 48 hours. The directive came after CISA confirmed active exploitation of the flaw by nation-state threat actors targeting government and critical infrastructure networks.

Ivanti EPMM, formerly known as MobileIron Core, is a mobile device management platform widely deployed across government agencies, healthcare networks, and enterprise environments to manage and secure mobile devices. The vulnerability allows an unauthenticated remote attacker to bypass authentication controls and execute arbitrary code on the server with elevated privileges. CVE details and CVSS scores are pending full disclosure, but the authentication bypass combined with remote code execution capability represents a critical severity chain.
This is not Ivanti's first rodeo with zero-days under active exploitation. The company's Connect Secure VPN and Policy Secure products were targeted in mass exploitation campaigns in early 2024, compromising thousands of organizations globally including multiple US government agencies. In that incident, CISA and FBI reported that even factory reset procedures failed to fully remediate compromised devices, underscoring the depth of access attackers can achieve. The pattern of repeated zero-days in Ivanti products has prompted significant scrutiny of the vendor's security development lifecycle.
Any organization running Ivanti EPMM is at risk, with government agencies, healthcare organizations, and enterprises with large mobile workforces representing the highest-value targets for the nation-state actors involved in this campaign.
Apply the Ivanti-released patch immediately. If patching cannot happen within 48 hours, disconnect EPMM instances from the internet and restrict access to trusted network segments only. Review EPMM access logs for anomalous authentication attempts, unusual API calls, and configuration changes made by service accounts. Ivanti has published indicators of compromise and a security advisory on its support portal.
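The log review above can be turned into a first-pass triage script. The following is an added example, not code from CISA or Ivanti: it assumes newline-delimited JSON access logs with the field names shown (a constructed schema, not Ivanti's real format), a `svc-` naming convention for service accounts, and flags the three signals the advisory asks for, including API or configuration requests from a source with no prior successful login, which is what an authentication bypass looks like in logs.

```python
import json
from collections import defaultdict

# Constructed sample of EPMM-style access log lines. The JSON field names are an
# assumption made for this example, not Ivanti's real log schema.
SAMPLE_LOG = """\
{"ts": "2025-05-19T08:00:01Z", "src": "10.1.1.5", "user": "jdoe", "event": "auth_success", "path": "/login"}
{"ts": "2025-05-19T08:00:05Z", "src": "10.1.1.5", "user": "jdoe", "event": "api_call", "path": "/api/v2/devices"}
{"ts": "2025-05-19T08:01:00Z", "src": "203.0.113.7", "user": "-", "event": "auth_failure", "path": "/login"}
{"ts": "2025-05-19T08:01:01Z", "src": "203.0.113.7", "user": "-", "event": "auth_failure", "path": "/login"}
{"ts": "2025-05-19T08:01:02Z", "src": "203.0.113.7", "user": "-", "event": "auth_failure", "path": "/login"}
{"ts": "2025-05-19T08:01:03Z", "src": "203.0.113.7", "user": "-", "event": "auth_failure", "path": "/login"}
{"ts": "2025-05-19T08:01:04Z", "src": "203.0.113.7", "user": "-", "event": "auth_failure", "path": "/login"}
{"ts": "2025-05-19T08:02:00Z", "src": "198.51.100.9", "user": "-", "event": "api_call", "path": "/api/v2/admin/users"}
{"ts": "2025-05-19T08:03:00Z", "src": "10.1.1.8", "user": "svc-backup", "event": "auth_success", "path": "/login"}
{"ts": "2025-05-19T08:03:10Z", "src": "10.1.1.8", "user": "svc-backup", "event": "config_change", "path": "/api/v2/config/ldap"}
"""

FAILURE_THRESHOLD = 5            # failed logins from one source before it is flagged
SERVICE_ACCOUNT_PREFIX = "svc-"  # assumed naming convention for service accounts


def triage(log_text, failure_threshold=FAILURE_THRESHOLD):
    """Return a list of (rule, src, detail) findings from newline-delimited JSON log lines."""
    findings = []
    failures = defaultdict(int)  # src -> failed auth count
    authenticated = set()        # sources that have logged in successfully so far
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        src, user, kind, path = ev["src"], ev["user"], ev["event"], ev["path"]
        if kind == "auth_success":
            authenticated.add(src)
        elif kind == "auth_failure":
            failures[src] += 1
            if failures[src] == failure_threshold:
                findings.append(("brute_force", src, f"{failure_threshold} failed logins"))
        elif kind in ("api_call", "config_change"):
            # API/config activity with no prior successful login from the same source
            # is the log signature an authentication bypass would leave behind.
            if src not in authenticated:
                findings.append(("unauthenticated_access", src, f"{kind} {path}"))
            # Configuration changes by service accounts warrant review regardless.
            if kind == "config_change" and user.startswith(SERVICE_ACCOUNT_PREFIX):
                findings.append(("service_account_config_change", src, f"{user} -> {path}"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {src}: {detail}")
```

Run against real exports, the source-tracking should be keyed on session identifiers rather than source IP where the logs provide them, since shared NAT addresses will otherwise mask or inflate the unauthenticated-access rule.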
The repeated targeting of Ivanti products by sophisticated threat actors underscores a broader principle: mobile device management platforms have become tier-one targets because compromising the MDM means compromising every device it manages.
Source: https://www.cisa.gov/news-events/directives/ed-26-02