Critical Security Alert: New Ivanti EPMM Vulnerability Chain Allows Complete System Takeover
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding a newly discovered vulnerability chain affecting Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This exploit allows unauthenticated attackers to gain remote access to systems, deploy malicious backdoors, and potentially compromise an entire network.
This security flaw is particularly dangerous because it chains together two vulnerabilities, enabling attackers to bypass security measures and write malicious files directly onto the server. If your organization uses Ivanti EPMM to manage mobile devices, immediate action is required to prevent a significant breach.
How the Attack Works
The exploit is a two-stage process that gives attackers a powerful foothold in a target’s network.
First, attackers leverage CVE-2023-35082, a path traversal vulnerability that allows a remote, unauthenticated actor to bypass access control gateways. This initial step effectively opens the door to the system, letting the attacker move deeper without needing valid credentials.
Once inside, the attacker exploits a second vulnerability that permits them to write arbitrary files. This allows them to plant malicious code, such as a web shell or other types of backdoors, onto the compromised server. This backdoor, often referred to as a “malicious listener,” allows the attacker to gain persistent access and execute commands on the system at will.
The ultimate goal of this attack is to establish long-term control over the Ivanti EPMM server. From this position, cybercriminals can:
- Steal personally identifiable information (PII) from managed mobile devices.
- Modify security configurations to weaken defenses further.
- Propagate malware across the corporate network.
- Gain complete administrative control over the server and connected devices.
This vulnerability affects all supported versions of Ivanti EPMM (11.10, 11.9, and 11.8) and older, unsupported releases.
Immediate Steps to Protect Your Systems
Due to the severity of this exploit chain, administrators must act swiftly to secure their environments. Simply patching is not enough; you must also investigate for signs of an existing compromise.
1. Apply Patches Immediately
Ivanti has released security updates to address this vulnerability. It is critical to upgrade your EPMM instance to a patched version without delay. Delaying this update leaves your organization exposed to active exploitation.
2. Hunt for Signs of Compromise
Because this vulnerability can be exploited without leaving obvious traces, a thorough investigation is necessary. CISA recommends administrators run Ivanti’s internal integrity checker tool to look for any unauthorized modifications to the system. You should also manually inspect server files and logs for:
- Suspicious or unknown files, particularly recently created JSP files in web application directories.
- Unusual network traffic originating from the EPMM server.
- Unexpected modifications to system configurations or user accounts.
3. Monitor Your Network Continuously
After patching, continue to monitor your systems closely. Keep a close watch on network logs, access logs, and system performance for any anomalies that could indicate a breach. Assume that your system may have been compromised before the patch was applied and maintain a heightened state of vigilance.
This vulnerability underscores the growing trend of attackers targeting edge devices and infrastructure management tools. These platforms are high-value targets because they provide broad access to an organization’s network and sensitive data. Proactive patch management and continuous security monitoring are essential defenses against these sophisticated threats.
Source: https://go.theregister.com/feed/www.theregister.com/2025/09/19/cisa_ivanti_bugs_exploited/
