Five new holes, one exploited, found in Ivanti Endpoint Manager Mobile

Security researchers have identified five new vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), with one already under active exploitation in the wild. The flaws, tracked as CVE-2024-29824 through CVE-2024-29828, affect the widely used mobile device management software. Ivanti confirmed the issues on May 8, 2026, and urged customers to apply patches immediately.

Details of the Vulnerabilities

The most severe vulnerability, CVE-2024-29824, carries a CVSS score of 9.8 out of 10, classifying it as critical. This authentication bypass flaw allows attackers to gain unauthorized access to the EPMM console without credentials. Attackers have exploited it to deploy web shells on victim systems, enabling remote code execution.

The other four vulnerabilities include:

  • CVE-2024-29825: Deserialization flaw leading to arbitrary code execution.
  • CVE-2024-29826: SQL injection vulnerability.
  • CVE-2024-29827: Path traversal issue exposing sensitive files.
  • CVE-2024-29828: Cross-site scripting (XSS) vulnerability.

Combining CVE-2024-29824 with CVE-2024-29825 allows full remote code execution without authentication. Ivanti stated that exploitation requires no user interaction and works against default configurations.

Exploitation and Affected Versions

Evidence of real-world attacks surfaced through Ivanti’s incident response team, which detected web shells on compromised EPMM instances. Attackers targeted versions 2022 SU05 and earlier, as well as 2023 SU01 and earlier, 2024 SU01 and earlier, and 2024 SU02. Ivanti released patches for all supported versions, including the latest 2024 SU03.

Organizations using compromised network tools face heightened risks, as attackers chain these flaws with other malware. Ivanti recommended checking logs for indicators of compromise, such as unusual API calls or file uploads to /rs/api/v2/
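One way to triage web access logs for the indicators mentioned above, as an added example that is not Ivanti's tooling or code from the advisory. It assumes a combined-format access log (the article does not describe EPMM's log layout); the endpoint names and addresses in the sample lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Assumption: Apache/NGINX "combined" access-log format. Adapt the regex
# to the log layout your own deployment actually produces.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
API_PREFIX = "/rs/api/v2/"            # path prefix named in the article
WRITE_METHODS = {"POST", "PUT", "PATCH"}

def triage(lines):
    """Return {source_ip: [(timestamp, method, path, reasons), ...]}."""
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(API_PREFIX):
            continue
        reasons = []
        ok = m["status"].startswith("2")
        if m["user"] == "-" and ok:
            reasons.append("unauthenticated request succeeded")
        if m["method"] in WRITE_METHODS and ok:
            reasons.append("successful write/upload")
        lowered = m["path"].lower()
        if ".." in lowered or "%2e%2e" in lowered:
            reasons.append("traversal sequence in path")
        if reasons:
            findings[m["ip"]].append((m["ts"], m["method"], m["path"], reasons))
    return dict(findings)

# Constructed sample lines (not real EPMM logs; documentation IP ranges,
# placeholder endpoint names).
SAMPLE = [
    '198.51.100.7 - admin [08/May/2026:10:01:12 +0000] "GET /rs/api/v2/example-a HTTP/1.1" 200 5120',
    '203.0.113.44 - - [08/May/2026:10:03:40 +0000] "GET /rs/api/v2/example-a HTTP/1.1" 401 210',
    '203.0.113.44 - - [08/May/2026:10:03:55 +0000] "POST /rs/api/v2/example-b HTTP/1.1" 200 87',
    '203.0.113.44 - - [08/May/2026:10:04:10 +0000] "GET /rs/api/v2/example-a/../placeholder HTTP/1.1" 404 0',
    '198.51.100.7 - admin [08/May/2026:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE).items():
        for ts, method, path, reasons in hits:
            print(f"{ip} {ts} {method} {path}: {', '.join(reasons)}")
```

Hits are leads for review, not proof of compromise; correlate them with file-system changes on the server before drawing conclusions.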

Company Response and Recommendations

Ivanti published security advisories with detailed mitigation steps. “We have observed active exploitation of CVE-2024-29824,” the company stated in its advisory. Customers should upgrade to patched versions and rotate API keys.

Security firm Rapid7, which coordinated disclosure, noted the flaws stem from improper input validation and insecure deserialization. “Patch immediately if running affected versions,” Rapid7 advised in its blog post.

This incident follows prior Ivanti vulnerabilities, including a 2023 chain exploited by nation-state actors. EPMM users in sectors like government and finance, reliant on secure endpoint management, must prioritize updates to prevent data breaches.

Next Steps for Users

Ivanti plans to release additional indicators of compromise next week. Organizations should monitor for exploitation using tools like Ivanti’s Neurons for Security Operations. Experts recommend network segmentation and zero-trust controls alongside patching.

The flaws highlight ongoing risks in mobile device management software. With one vulnerability actively exploited, swift action remains essential to safeguard enterprise networks.

Zia Khan

NetworkUstad Contributor
