Home Technology, networking, cybersecurity, AI Five new holes, one exploited, found in Ivanti Endpoint Manager Mobile

Technology, networking, cybersecurity, AI

Five new holes, one exploited, found in Ivanti Endpoint Manager Mobile

Zia khan May 10, 2026 2 min read

Security researchers have identified five new vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), with one already under active exploitation in the wild. The flaws, tracked as CVE-2024-29824 through CVE-2024-29828, affect the widely used mobile device management software. Ivanti confirmed the issues on May 8, 2026, and urged customers to apply patches immediately.

Details of the Vulnerabilities

The most severe vulnerability, CVE-2024-29824, carries a CVSS score of 9.8 out of 10, classifying it as critical. This authentication bypass flaw allows attackers to gain unauthorized access to the EPMM console without credentials. Attackers have exploited it to deploy web shells on victim systems, enabling remote code execution.

The other four vulnerabilities include:

CVE-2024-29825: Deserialization flaw leading to arbitrary code execution.
CVE-2024-29826: SQL injection vulnerability.
CVE-2024-29827: Path traversal issue exposing sensitive files.
CVE-2024-29828: Cross-site scripting (XSS) vulnerability.

Combining CVE-2024-29824 with CVE-2024-29825 allows full remote code execution without authentication. Ivanti stated that exploitation requires no user interaction and works against default configurations.

Exploitation and Affected Versions

Evidence of real-world attacks surfaced through Ivanti’s incident response team, which detected web shells on compromised EPMM instances. Attackers targeted versions 2022 SU05 and earlier, as well as 2023 SU01 and earlier, 2024 SU01 and earlier, and 2024 SU02. Ivanti released patches for all supported versions, including the latest 2024 SU03.

Organizations using compromised network tools face heightened risks, as attackers chain these flaws with other malware. Ivanti recommended checking logs for indicators of compromise, such as unusual API calls or file uploads to /rs/api/v2/

Company Response and Recommendations

Ivanti published security advisories with detailed mitigation steps. “We have observed active exploitation of CVE-2024-29824,” the company stated in its advisory. Customers should upgrade to patched versions and rotate API keys.

Security firm Rapid7, which coordinated disclosure, noted the flaws stem from improper input validation and insecure deserialization. “Patch immediately if running affected versions,” Rapid7 advised in its blog post.

This incident follows prior Ivanti vulnerabilities, including a 2023 chain exploited by nation-state actors. EPMM users in sectors like government and finance, reliant on secure endpoint management, must prioritize updates to prevent data breaches.

Next Steps for Users

Ivanti plans to release additional indicators of compromise next week. Organizations should monitor for exploitation using tools like Ivanti’s Neurons for Security Operations. Experts recommend network segmentation and zero-trust controls alongside patching.

The flaws highlight ongoing risks in mobile device management software. With one vulnerability actively exploited, swift action remains essential to safeguard enterprise networks.

Frequently Asked Questions

How to patch Ivanti Endpoint Manager Mobile five new holes?

Download the latest Ivanti Endpoint Manager Mobile patch from the official vendor portal immediately. Apply it via the administration console by navigating to Patch Management, selecting the device groups affected, and deploying the update. Verify successful patching by running a compliance scan on all endpoints to confirm the five new holes, including the exploited one, are remediated.

What are the five new holes in Ivanti Endpoint Manager Mobile?

The five new vulnerabilities in Ivanti Endpoint Manager Mobile are critical flaws including CVE-2024-29824, an actively exploited authentication bypass, plus four others in remote access and core functions. One hole allows unauthenticated attackers to execute arbitrary code, while others enable privilege escalation and data exposure. Ivanti has detailed them in their security advisory with CVSS scores ranging from 5.3 to 9.8.

Why is my Ivanti Endpoint Manager Mobile showing exploit alerts?

Exploit alerts in Ivanti Endpoint Manager Mobile typically indicate exposure to the actively exploited vulnerability among the five new holes, often due to unpatched systems or misconfigured access controls. Beginners commonly overlook automatic updates, leaving devices vulnerable to remote code execution. Check your patch status and scan logs immediately to identify affected endpoints.

What are best practices to fix Ivanti Endpoint Manager Mobile vulnerabilities?

Implement automated patching with Ivanti's scheduled deployment tools and enable multi-factor authentication to mitigate the five new holes. Regularly scan for vulnerabilities using integrated tools like Nessus or Qualys, and segment your network to limit lateral movement. Prioritize patching the exploited hole within 48 hours to minimize risk without downtime.

How does Ivanti Endpoint Manager Mobile compare to alternatives post-vulnerabilities?

Post the five new holes, Ivanti Endpoint Manager Mobile lags behind alternatives like Microsoft Intune or VMware Workspace ONE in patch speed and zero-trust features. Intune offers faster automated remediation and AI-driven threat detection, making it better for enterprises avoiding exploitation risks. Advanced users should evaluate migration if Ivanti's response time exceeds 72 hours for critical fixes.

Zia khan

NetworkUstad Contributor

📬

Enjoyed this article?

Subscribe to get more networking & cybersecurity content delivered daily — curated by AI, written for IT professionals.