{"id":16197,"date":"2026-05-08T21:02:14","date_gmt":"2026-05-08T21:02:14","guid":{"rendered":"https:\/\/newestek.com\/?p=16197"},"modified":"2026-05-08T21:02:14","modified_gmt":"2026-05-08T21:02:14","slug":"five-new-holes-one-exploited-found-in-ivanti-endpoint-manager-mobile","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16197","title":{"rendered":"Five new holes, one exploited, found in Ivanti Endpoint Manager Mobile"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

The five new vulnerabilities discovered in Ivanti\u2019s on-premises mobile endpoint management solution are a \u201cclassic example of the legacy trap\u201d that CSOs must avoid, says an expert.<\/p>\n

\u201cPatch today to survive the weekend,\u201d said Robert Enderle<\/a> of the Enderle Group, \u201cbut start planning your exit from legacy MDM as soon as possible.\u201d<\/p>\n

He was commenting on an advisory issued Thursday<\/a> by Ivanti about the discovery of five holes in its Endpoint Manager Mobile (EPMM) suite. Updates for all are available.<\/p>\n

The flaws are serious enough that the US Cybersecurity and Infrastructure Security Agency (CISA) added one of the vulnerabilities<\/a> to its Known Exploited Vulnerabilities Catalog because it\u2019s being actively exploited.<\/p>\n

\u201cThis isn\u2019t an isolated incident,\u201d Enderle added. \u201cIt\u2019s a continuation<\/a> of the cycle we saw in January<\/a>, suggesting an underlying architecture struggling to withstand modern threats.\u201d<\/p>\n

A \u201cvery limited number of customers\u201d have been exploited through one of the vulnerabilities revealed this week, CVE-2026-6973. An improper input validation in EPMM\u00a0before\u00a0versions 12.6.1.1, 12.7.0.1, and 12.8.0.1\u00a0allows\u00a0a remotely authenticated user with\u00a0administrative access to perform remote code execution.<\/p>\n

Johannes Ullrich<\/a>, dean of research at the SANS Institute, told us that Ivanti is right to point out that exploitation of this hole does require administrative access, and that attackers may have obtained the necessary credentials through exploits of prior vulnerabilities. Rotating credentials is critical after patching an already exploited vulnerability, he said. \u201cEven if no obvious signs of compromise are noted, it is hard to impossible to exclude a compromise. Best to rotate credentials even if no indicator of compromise was found.\u201d<\/p>\n

Ullrich also pointed out that in a blog post accompanying the advisory<\/a>, Ivanti stated that it is using AI tools to proactively identify new vulnerabilities. \u201cThis may result in more vulnerability reports in the future,\u201d he said. \u201cI applaud Ivanti\u2019s openness and willingness to publicly enumerate the vulnerabilities as they are being fixed. It is important for organizations using the Ivanti product (or any product) to understand the risks of not patching or of delaying the patch.\u201d<\/p>\n

The four other flaws are:<\/p>\n