Patch, but verify first: Unit 42 directed organizations to Ivanti’s security advisory for remediation guidance, which recommends applying version-specific RPM patches for the EPMM 12.x branches; the patches require no appliance downtime. Ivanti cautioned, however, that the patch does not survive a version upgrade and must be reinstalled if the software is updated. “The permanent fix for this vulnerability will be included in the next product release: 12.8.0.0 expected in Q1 2026.” Ivanti also warned in its advisory that while its Sentry mobile traffic gateway is not directly vulnerable, EPMM holds command execution permissions on connected Sentry systems. “If an EPMM deployment has been compromised, the attackers might have compromised Ivanti Sentry as well,” Ivanti warned. For organizations that suspect compromise, the Ivanti advisory advised against attempting to clean affected systems. Instead, it recommended restoring from a known-good backup or performing a full rebuild, followed by a complete reset of all account passwords, service credentials, and public certificates. With proof-of-concept exploit code already publicly available for both CVEs, broader exploitation is expected as more threat actors adopt working exploits.
A familiar pattern: The targeting of EPMM follows a pattern that will be familiar to Ivanti customers. The product has been exploited at scale before: in 2023, state-sponsored attackers used EPMM zero-days to break into Norwegian government networks, and separate flaws were again exploited in the wild last year. Ivanti’s Connect Secure VPN product has a similarly troubled record, with Chinese APT groups exploiting zero-days in back-to-back campaigns that eventually led the US government to order federal agencies to disconnect Ivanti VPN products entirely in February 2024.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4135776/attackers-exploit-ivanti-epmm-zero-days-to-seize-control-of-mdm-servers.html