Why Ivanti EPMM and EPM Became a Persistent Exploitation Target (2023–2026)

Fifteen Ivanti CVEs across EPMM, EPM, EPM CSA, and Sentry — plus sustained parallel exploitation in Fortinet FortiClient EMS and LANSCOPE endpoint management platforms — show a management-plane attack pattern spanning six years.

The Crown Jewel Problem

Mobile Device Management platforms occupy a uniquely dangerous position in enterprise architecture. An MDM server must be reachable by every managed device — including phones and laptops working remotely, off corporate networks — which means the management interface is, by design, internet-accessible. And because that server authenticates to every device it manages, it holds credentials for them all.

Compromise an MDM server and you do not just get the server. You get:

  • Push access to every enrolled mobile device — install applications, wipe data, distribute certificates, intercept configurations
  • Stored credentials for domain administrator and service accounts used to authenticate to every managed endpoint
  • A trusted management channel that security monitoring tools typically treat as benign

This is the crown jewel problem. Attackers recognised it clearly. Ivanti's product line — spanning four distinct platforms used by governments, hospitals, and enterprises worldwide — has become a persistent proving ground for this management-plane attack model. Since 2020, fifteen Ivanti CVEs across EPMM, EPM, EPM CSA, and Sentry have reached the CISA Known Exploited Vulnerabilities catalog, each confirming active exploitation in the wild.

The Ivanti MDM Family

Four related but distinct products appear across these fifteen CVEs.

Endpoint Manager Mobile (EPMM), formerly MobileIron, is the mobile device management platform. Organizations deploy it to enroll, configure, and monitor smartphones and tablets. The management interface is internet-facing by design — devices need to check in from anywhere. This exposure profile made it the first and most persistently targeted product.

Endpoint Manager (EPM) is the traditional desktop and server endpoint management platform. It deploys software, manages patches, and provisions machines at scale. It holds a credential vault containing the domain administrator and service account credentials it uses to authenticate to every managed Windows endpoint. That vault is a standing target.

Endpoint Manager Cloud Service Appliance (EPM CSA) is the reverse proxy gateway that lets off-network devices communicate with EPM without requiring direct VPN access. Compromise it and you intercept — or inject into — the management channel between EPM and its entire remote device fleet.

Sentry (formerly MobileIron Sentry) is the inline mobile security gateway that sits between EPMM-managed devices and corporate backend systems — Exchange, SharePoint, internal application servers. All managed device email and application traffic flows through it. Sentry is internet-facing by design and holds deep network adjacency to Exchange and Active Directory. It is the enforcement layer to EPMM's management plane: compromise Sentry and you intercept every managed device's email credentials and application tokens.

Four products, one vendor, one structural problem: everything that manages your devices is itself a target.

That logic is not Ivanti-specific. Parallel exploitation in other endpoint-management ecosystems shows the same risk follows the service model: internet-reachable management planes with privileged control channels over large endpoint fleets.

The Pattern, Year by Year

The full dataset in this cluster spans six years, with sustained exploitation concentration from 2023 through 2026. The pattern is not random. It escalates.

2020 — The First MDM Breach Wave

CVE-2020-15505 represents the first major confirmed exploitation of the MobileIron platform — then a distinct product, acquired and rebranded by Ivanti as EPMM in 2020. The vulnerability combines an Apache/Tomcat URI parsing differential with an unsafe Hessian Java deserialization endpoint. Apache httpd's rewrite rules block unauthenticated access to /mifs/services/ paths. But a request to /mifs/.;/services/LogService passes through Apache (no rule match) while Tomcat strips the semicolons and routes it to the protected LogService endpoint. The Hessian RPC endpoint deserializes the request body using a Groovy MethodClosure gadget chain — executing attacker-controlled commands as the Tomcat service user in a single HTTP POST.
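The core of the bug above is two components disagreeing on what a path means. The following is an added example, not MobileIron or Ivanti code: a normaliser that applies container-style canonicalisation (percent-decoding, `;` path-parameter stripping, dot-segment resolution) before an ACL check, with a constructed rule set whose only real element is the `/mifs/services/` prefix from the text.

```python
# Added example (not code from the page or from MobileIron/Ivanti): apply
# the same canonicalisation the back-end router uses BEFORE the front-end
# ACL decides, so both layers agree on which resource a path names.
import posixpath
from urllib.parse import unquote

# Constructed ACL: prefixes that must never be reachable without auth.
PROTECTED_PREFIXES = ("/mifs/services/",)


def naive_front_end_blocks(path: str) -> bool:
    """Apache-style literal prefix match on the raw request path."""
    return path.startswith(PROTECTED_PREFIXES)


def tomcat_style_normalise(path: str) -> str:
    """Approximate what a servlet container does before routing:
    percent-decode, drop ';...' path parameters from every segment,
    resolve '.' and '..', collapse duplicate slashes."""
    decoded = unquote(path)
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    norm = posixpath.normpath("/".join(segments))
    # normpath keeps a leading '//' (POSIX allows it); force a single slash
    norm = "/" + norm.lstrip("/")
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def hardened_blocks(path: str) -> bool:
    """Apply the ACL to the canonical path the back end will actually route."""
    return tomcat_style_normalise(path).startswith(PROTECTED_PREFIXES)


def acl_gap(path: str) -> bool:
    """True when the raw-path ACL lets a request through that the back end
    would route to a protected resource: the differential described above."""
    return hardened_blocks(path) and not naive_front_end_blocks(path)
```

Running `acl_gap` over a proxy's access log is a cheap way to confirm whether a front-end rule set has this class of gap.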

The vulnerability was discovered and responsibly disclosed by Orange Tsai (DEVCORE), who found Facebook's production MobileIron server still unpatched 17 days after the June 2020 patch release and exploited it as a bug bounty. His full write-up in September 2020 triggered a rapid nation-state exploitation wave: the NSA's October 2020 advisory listed CVE-2020-15505 among 25 vulnerabilities actively exploited by Chinese state-sponsored actors targeting US Department of Defense networks. A joint CISA/FBI advisory (AA20-283A) documented APT actors chaining MobileIron access with Zerologon (CVE-2020-1472) against US federal and SLTT government networks — including election support systems. The UK NCSC issued a public alert the same month. Of approximately 5,000 internet-exposed MobileIron servers, roughly 2,000 remained unpatched as of late October 2020. A Metasploit module shipped in January 2021. CISA added the CVE to the inaugural KEV catalog on its launch day — November 3, 2021.

2021 — The Sleeping Backdoor

CVE-2021-44529 stands apart from every other entry in this cluster. It is not a conventional vulnerability. Researchers at GreyNoise Labs and Sonatype concluded in early 2024 that the vulnerable code in csrf-magic.php traces to a malicious GitHub commit from February 1, 2014 — labeled as version "1.0.5 update" — that embedded an eval() backdoor in an open-source CSRF protection library. Ivanti (then Wavelink/LANDesk) bundled this library into EPM CSA. The backdoor may have been present and exploitable for approximately seven years before discovery.

Exploitation requires four crafted HTTP cookies. The last three are concatenated, decoded from base64, and passed directly to PHP's eval(), executing arbitrary code as the web server process. A Metasploit module is publicly available. CISA added it to the KEV catalog in March 2024, with ransomware actor attribution.

The lesson from CVE-2021-44529 is not about Ivanti's development practices specifically — it is about supply chain risk. Any software product that bundles open-source dependencies absorbs the full attack surface of those dependencies, including commits made years before the product was built.

2023 — The Norway Breach and the Nation-State Playbook

The 2023 cluster marks the moment Ivanti EPMM became a confirmed nation-state target.

CVE-2023-35078 was exploited as a zero-day from approximately April 2023 — three months before Ivanti's July 24, 2023 disclosure. Rated CVSS 10.0, the vulnerability requires no credentials and no user interaction: a single HTTP request to a specific API endpoint exposes every user record, device certificate, and configuration stored on the server. The Norwegian security firm mnemonic discovered active exploitation while responding to a client incident. The breach extended to twelve Norwegian government ministries via a shared ICT platform, triggering joint advisory AA23-213A from CISA and the Norwegian National Cyber Security Centre.

The threat actor proxied exploit traffic through SOHO router infrastructure — a technique associated with sophisticated actors seeking to obscure origin and resist attribution.

CVE-2023-35081 followed on August 3, just ten days after the first advisory. Discovered by Ivanti's own team while investigating CVE-2023-35078, it is a path traversal vulnerability that allows a high-privilege EPMM account to write arbitrary files to the server. Combined with CVE-2023-35078 — which leaks administrator credentials without authentication — the chain enables unauthenticated webshell deployment. NCSC-NO confirmed this exact chain was used in the Norwegian government breach.

CVE-2023-35082 emerged August 7, disclosed by Rapid7 while their team investigated CVE-2023-35078 in a different context. It exposes the same API access bypass but affects MobileIron Core 11.2 and earlier — a product line that reached end-of-life in March 2022 — as well as current EPMM versions through 11.10. End-of-life installations received no patch; the only mitigations were the RPM mitigation scripts or decommissioning the server. CISA added it to the KEV catalog in January 2024, five months after disclosure, indicating that exploitation of this vulnerability continued well into the second half of 2023.

CVE-2023-38035 rounded out the 2023 cluster by targeting Ivanti Sentry — the mobile security gateway that sits between EPMM and corporate backend systems. The vulnerability is an authentication bypass in Sentry's MICS admin portal (port 8443): Apache HTTPD's configuration failed to enforce authentication on the /mics/services/* Hessian RPC path, leaving the MICSLogService endpoint reachable without credentials. That endpoint accepts a SystemCommandRequestDTO object and passes its command string to Runtime.exec() as root — a single unauthenticated POST achieves root-level remote code execution. Discovered by mnemonic (the same Norwegian firm behind CVE-2023-35078), the vulnerability was added to KEV the day after disclosure. Horizon3.ai identified approximately 500 Sentry instances with port 8443 exposed to the internet; post-exploitation activity observed by Darktrace included Kinsing crypto-mining malware, LDAP enumeration, and SMB/RDP scanning — consistent with initial access brokering for ransomware operations, matching CISA's ransomware attribution.

The four 2023 CVEs collectively represented a complete kill chain: CVE-2023-35078 provided unauthenticated API access to EPMM and leaked credentials; CVE-2023-35081 enabled webshell deployment via path traversal; CVE-2023-35082 extended the exposure to end-of-life MobileIron Core versions with no patch path; and CVE-2023-38035 provided a parallel root-access path through the Sentry gateway even where port 8443 was not internet-exposed — reachable via the EPMM foothold.

2024 — EPM Becomes the Target

Attackers expanded from EPMM (mobile) to EPM (traditional endpoints) in 2024. The attack surface shifted from device management to credential concentration.

CVE-2024-29824 is a SQL injection in EPM's PatchBiz.dll. The RecordGoodApp method passes unsanitized caller input directly into SQL queries against the EPM database. Via xp_cmdshell, an attacker escalates from SQL injection to operating system command execution as the EPM service account. The flaw was discovered through the Trend Micro Zero Day Initiative; Horizon3.ai published a working proof-of-concept on June 13, 2024. Ivanti confirmed limited exploitation in the wild when CISA added it to KEV in October 2024 — four months after the PoC became public.

CVE-2024-13159, CVE-2024-13160, and CVE-2024-13161 are three closely related NTLM hash coercion vulnerabilities discovered by Horizon3.ai in EPM's file hash calculation API (WSVulnerabilityCore.dll). The vulnerable endpoints accept UNC paths as input without validation. An unauthenticated attacker sends a crafted request containing a UNC path pointing to an attacker-controlled SMB server; EPM authenticates to that server to retrieve a "file hash," transmitting an NTLMv2 hash in the process. The hash can then be relayed using standard tools (ntlmrelayx) to create privileged Active Directory machine accounts, enabling lateral movement across the domain.

These three CVEs illustrate a specific architectural hazard: management platforms that call back to attacker-controlled network resources during normal operation. The EPM server initiates the outbound connection — it is the victim and the unwitting credential leaker simultaneously.
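The hazard described above is avoidable at the input boundary. The following is an added example, not Ivanti code: an input gate for a file-hash API that may only read local files under known directories, rejecting UNC, device and relative paths and anything that escapes the allowed roots before any filesystem or network access occurs. The root directories and function name are constructed for this illustration.

```python
# Added example, not Ivanti code: decide whether a caller-supplied path is
# an acceptable hashing target BEFORE touching the filesystem, so the
# server never initiates an SMB connection to a host the caller chose.
import ntpath
import re

# Constructed: the only directories the hashing service may read from.
ALLOWED_ROOTS = (r"C:\ProgramData\Packages", r"D:\Patches")

_LOCAL_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def validate_hash_target(user_path: str) -> tuple:
    """Return (accepted, reason). Only an absolute local path under an
    allowed root is accepted; the rejection reason is suitable for logging."""
    p = user_path.strip()
    if "\x00" in p:
        return False, "embedded-nul"
    # \\host\share, //host/share, \\?\UNC\..., \\.\device all start this way
    if p.startswith(("\\\\", "//", "\\/", "/\\")):
        return False, "unc-or-device-path"
    if not _LOCAL_DRIVE.match(p):
        return False, "not-absolute-local"      # relative, or drive-relative like C:foo
    if ":" in p[2:]:
        return False, "extra-colon"             # alternate data stream syntax
    norm = ntpath.normpath(p)                   # resolves . and .., collapses separators
    if norm.startswith("\\\\"):
        return False, "unc-after-normalisation"  # defence in depth
    for root in ALLOWED_ROOTS:
        root_n = ntpath.normpath(root).lower()
        if norm.lower() == root_n or norm.lower().startswith(root_n + "\\"):
            return True, "ok"
    return False, "outside-allowed-roots"
```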

2025 — China-Nexus Actors and a Japanese APT

The 2025 cluster introduces the most sophisticated confirmed post-exploitation activity in this series.

CVE-2025-4427 and CVE-2025-4428 are a chained pair affecting Ivanti EPMM. CVE-2025-4427 is an authentication bypass rooted in a missing <intercept-url> rule in the Spring Security configuration, leaving the /rs/api/v2/featureusage API endpoint unauthenticated. CVE-2025-4428 is a Spring Expression Language (EL) injection: the format parameter of that endpoint passes attacker-controlled input to Spring's AbstractMessageSource, which evaluates it as a Java expression, executing arbitrary code. The chain: unauthenticated request → auth bypass → EL injection → arbitrary Java execution on the EPMM server.

EclecticIQ attributed confirmed exploitation to UNC5221 — a China-nexus threat actor previously linked to zero-day exploitation of Ivanti Connect Secure and Pulse Secure VPN appliances. Post-exploitation included KrustyLoader (a Rust-based dropper staged from AWS S3 to evade static network detection), the Sliver command-and-control framework, and the FRP reverse proxy for persistent tunnelling. UNC5221 accessed hard-coded MySQL credentials stored at /mi/files/system/.mifpp and exfiltrated EPMM device inventory data. Confirmed victims spanned healthcare, telecommunications, aviation, municipal government, and defence contractors across Europe, North America, and Asia-Pacific.

CVE-2025-61932 is the outlier in this cluster — not Ivanti, but LANSCOPE Endpoint Manager by MOTEX Inc., a Japanese vendor widely deployed in Japanese enterprise environments. The vulnerability allows a remote attacker to spoof the LANSCOPE management server and issue arbitrary commands to client agent processes via TCP port 443. Security researchers attributed exploitation to Bronze Butler (also known as Tick or REDBALDKNIGHT), a China-nexus APT active since at least 2010, with a documented pattern of targeting Japan-specific enterprise software. A previous Bronze Butler campaign in 2016 exploited a zero-day in SKYSEA Client View — another Japan-specific endpoint management product — demonstrating a sustained strategic focus on management software specific to Japanese organisations.

The post-exploitation payload was Gokcpdoor, a backdoor using the KCP protocol for C2 communications with built-in multiplexing to reduce detectability. Bronze Butler exploited CVE-2025-61932 as a zero-day from approximately April 2025 — six months before MOTEX's October 2025 advisory. CISA added it to the KEV catalog the same day as public disclosure, one of the fastest KEV additions relative to disclosure date on record.

2026 — Mass Exploitation and the Credential Vault

CVE-2026-1281 and CVE-2026-1340 returned to EPMM with a Bash code injection stemming from unsanitized URL parameters passed to shell scripts (/mi/bin/map-appstore-url and /mi/bin/map-aft-store-url). Bash arithmetic expansion evaluates the attacker-controlled path segments as code. No credentials, no prior access: a single HTTP GET request achieves unauthenticated remote code execution. Both were exploited as zero-days before Ivanti's January 29, 2026 disclosure. By March 2026, Telekom Security documented a sustained mass exploitation wave with webshell deployment (401.jsp, 403.jsp), reverse shells over TCP/443, database staging, and deliberate anti-forensic cleanup. Targeted sectors: US state and local government, healthcare, manufacturing, and high technology.

CVE-2026-1603 is an authentication bypass in EPM's credential vault API. Including the integer value 64 in a specific HTTP request header causes EPM's authentication logic — which evaluates the header through a malformed concatenation path — to grant access through an alternate, unprotected code path. The attacker retrieves encrypted credential blobs for domain administrator and service accounts without ever authenticating. The CVSS Scope is rated Changed because the stolen credentials enable attack paths across every system EPM manages — potentially the entire Active Directory domain. CISA added it to the KEV catalog in March 2026, approximately one month after patching, consistent with either pre-patch zero-day exploitation or rapid weaponisation of the patch diff.

Outside Ivanti, Fortinet FortiClient EMS contributed two CVEs to the 2026 cluster. CVE-2026-21643 is a pre-authentication SQL injection introduced in the 7.4.4 multi-tenant middleware refactor: the SiteMiddleware reads the HTTP Site header to identify a tenant context and embeds it directly into a SET search_path SQL statement without escaping — and it executes before the authentication middleware, so the injection requires no credentials. Active exploitation began approximately four days after a public PoC appeared in March 2026; CISA added it to KEV on April 13, 2026 with a three-day remediation deadline. CVE-2026-35616 then affected the subsequent fix: organizations that patched 7.4.4 to 7.4.5 to remediate CVE-2026-21643 landed on a version vulnerable to this separate improper access control flaw — exploited as a zero-day against 7.4.5 and 7.4.6. The safe target is 7.4.7. Together they show the same architecture-level pattern: a centrally privileged endpoint management server with internet-reachable API exposure, exploited pre-auth in the wild. In parallel with CVE-2025-61932 in LANSCOPE Endpoint Manager, this reinforces that attackers are selecting the management plane function itself, not only one vendor's implementation.
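The FortiClient EMS flaw above combines two defects: tenant resolution ran before authentication, and the header value was spliced raw into a SET statement. The following is an added example, not Fortinet code: a minimal request pipeline in which the tenant named by the Site header is resolved only after authentication, checked against a known-tenant registry, bound to the caller's token, and emitted as a quoted SQL identifier. The token table, tenant registry and token-to-tenant binding are constructed assumptions.

```python
# Added example, not FortiClient EMS code: tenant selection from a header,
# done after authentication and with the value treated as an identifier.
import hmac
import re

KNOWN_TENANTS = {"default", "acme", "globex"}                   # constructed registry
API_TOKENS = {"tok-acme-1": "acme", "tok-globex-1": "globex"}   # constructed token table
_IDENT = re.compile(r"^[a-z][a-z0-9_]{0,62}$")                  # acceptable schema-name shape


class Unauthorized(Exception):
    pass


class BadTenant(Exception):
    pass


def quote_ident(name: str) -> str:
    """Double-quote a SQL identifier, doubling embedded quotes (PostgreSQL rules)."""
    return '"' + name.replace('"', '""') + '"'


def authenticate(headers: dict) -> str:
    """Return the tenant the bearer token belongs to, or raise."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    for known, tenant in API_TOKENS.items():
        if hmac.compare_digest(token.encode(), known.encode()):
            return tenant
    raise Unauthorized()


def resolve_tenant(headers: dict, token_tenant: str) -> str:
    """Validate the Site header as an identifier from the registry and
    require it to match the tenant the token was issued for (assumption)."""
    site = headers.get("Site", "default").strip().lower()
    if not _IDENT.match(site) or site not in KNOWN_TENANTS:
        raise BadTenant(site)
    if site != token_tenant:
        raise BadTenant(site)
    return site


def search_path_statement(tenant: str) -> str:
    return f"SET search_path TO {quote_ident(tenant)}, public"


def handle(headers: dict) -> str:
    """Pipeline order matters: authentication first, tenant resolution second."""
    token_tenant = authenticate(headers)
    tenant = resolve_tenant(headers, token_tenant)
    return search_path_statement(tenant)


def outcome(headers: dict) -> str:
    """Map the pipeline result to a label for tests and log lines."""
    try:
        return handle(headers)
    except Unauthorized:
        return "unauthorized"
    except BadTenant:
        return "bad-tenant"
```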

Quest KACE Systems Management Appliance provides a further confirmation. CVE-2025-32975 is a CVSS 10.0 authentication bypass in KACE SMA's SSO mechanism: an unauthenticated remote attacker can impersonate any user — including administrators — by exploiting flawed validation in the SSO authentication handler, with no credentials required. KACE SMA is an on-premises endpoint management appliance performing the same function as Ivanti EPM: centralized inventory, patch deployment, software distribution, and remote script execution across the entire managed device fleet. Its credential concentration and privileged management channel make it structurally identical to the target profile this cluster describes. Arctic Wolf observed active exploitation beginning the week of March 9, 2026, against internet-exposed, unpatched instances. The post-exploitation chain is a direct replay of the management-plane playbook: authentication bypass → administrative takeover of the appliance → lateral movement to backup infrastructure and domain controllers via the appliance's trusted management access. Observed tools included Base64-encoded payload staging via curl, runkbot.exe for persistent admin account creation, PowerShell registry modification, Mimikatz for credential harvesting, and Active Directory enumeration. Quest had patched CVE-2025-32975 in May 2025 — nearly ten months elapsed between patch availability and confirmed exploitation, during which unpatched internet-exposed instances accumulated. The pattern: management appliance vulnerability disclosed, a long tail of unpatched instances remains reachable, and eventual exploitation arrives in force.

Why Attackers Keep Returning

Six years and fifteen Ivanti CVEs, plus corroborating exploitation in other endpoint management platforms, produce a clear pattern. Several structural factors explain why MDM/UEM and endpoint-management control planes have been — and will continue to be — high-priority targets.

Internet exposure is the product. EPMM must be reachable by enrolled devices from anywhere in the world. EPM CSA exists specifically to extend that reach. There is no architectural choice that makes the management interface unreachable while keeping the product functional. Accessibility to enrolled devices and accessibility to attackers are the same property.

Credential concentration. EPM's credential vault holds the keys to every managed endpoint. Compromising one server yields administrator access to thousands of workstations. The return on investment for a single successful exploit is enormous — and that calculation does not change between product versions.

Large, slow-to-patch installed base. EPMM and EPM are deeply embedded in enterprise and government operations. Patches require maintenance windows, device re-enrollment coordination, and change control approvals. The gap between patch availability and deployment is measured in weeks or months. Attackers have repeatedly weaponised Ivanti CVEs within days of disclosure and sometimes before it.

Management channels are lateral movement channels. The authenticated paths EPM uses to push software and policy are paths an attacker can use to move laterally. Management traffic is treated as trusted by endpoint detection tools — it is by definition the traffic that security products are configured not to block.

Single PoC, multi-target value. Once a working exploit exists for an EPM or EPMM vulnerability, every unpatched instance globally is reachable with the same tool. A single Metasploit module translates one researcher's discovery into a campaign against thousands of organisations.

Who Is Attacking

The confirmed and attributed threat actors span the full spectrum of the threat landscape:

| Threat actor | CVEs | Attribution |
|---|---|---|
| UNC5221 (China-nexus) | CVE-2025-4427 / CVE-2025-4428 | EclecticIQ; previously linked to Ivanti Connect Secure zero-days |
| Bronze Butler / Tick / REDBALDKNIGHT (China-nexus) | CVE-2025-61932 | JPCERT/CC; Japan-focused APT, prior SKYSEA Client View zero-day |
| Chinese state-sponsored actors (unattributed group) | CVE-2020-15505 | NSA advisory (Oct 2020); targeting US DoD and national security systems |
| Unknown APT | CVE-2023-35078 / CVE-2023-35081 | mnemonic, NCSC-NO; Norwegian government breach, SOHO router proxying |
| Ransomware actors | CVE-2021-44529, CVE-2023-38035 | CISA KEV ransomware attribution |
| Mass exploitation campaigns | CVE-2026-1281 / CVE-2026-1340, CVE-2026-21643 | Telekom Security, Defused Cyber; opportunistic actors following public PoC |

Post-exploitation tooling observed across this cluster: KrustyLoader, Sliver C2, FRP reverse proxy, Gokcpdoor, 401.jsp/403.jsp webshells, and curl/wget-staged secondary payloads.

What Defenders Must Do

The pattern is consistent enough to drive specific architectural recommendations that apply regardless of which specific CVE is active:

  1. Do not expose MDM management interfaces to the internet. Route device check-ins through a dedicated DMZ, cloud relay, or managed reverse proxy. Restrict the management console to VPN-only access from administrator workstations with allowlisted IPs.

  2. Treat Ivanti patch releases as a countdown timer. The time from patch publication to working PoC for Ivanti products is measured in days, not weeks. Implement an expedited patch track — separate from standard change control cadence — for Ivanti EPM and EPMM specifically.

  3. Rotate credentials after any Ivanti advisory. If a patch addresses a credential exposure flaw, assume the vault was accessed during the exposure window. Rotate all credentials stored in EPM, invalidate Kerberos tickets, and audit Active Directory for unauthorised account creation or privilege escalation.

  4. Monitor for lateral movement originating from MDM servers. Alert on unexpected outbound connections from EPM or EPMM servers, unexpected process spawning (especially cmd.exe, powershell.exe, curl, wget from the service account context), and authentication events using managed service accounts from hosts other than the EPM server.

  5. Audit enrolled device integrity post-compromise. Any profile, certificate, or application pushed to enrolled devices during an exploitation window should be treated as potentially attacker-controlled. Review configuration profiles and revoke suspicious certificates.

  6. Consider cloud-native MDM alternatives. SaaS MDM platforms (Microsoft Intune, Jamf Cloud, VMware Workspace ONE cloud) do not require an internet-exposed on-premises server. This does not eliminate MDM risk — but it eliminates the entire class of on-premises server exploitation documented in this cluster.
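Recommendation 4 above is the one that can be turned directly into detection logic. The following is an added example, not vendor code: three rules run over constructed JSON-lines telemetry (process creation, domain authentication, outbound connections) that flag a shell or downloader spawned under the EPM service account on the EPM server, the service account authenticating from any host other than the EPM server, and egress from the EPM server to a destination outside the expected internal ranges. Hostnames, account names and address ranges are constructed.

```python
# Added example, not Ivanti code: detection rules for the three behaviours
# in recommendation 4, evaluated over constructed sample telemetry.
import ipaddress
import json

EPM_SERVER = "epm01"                               # constructed EPM hostname
SERVICE_ACCOUNTS = {"svc-epm", "svc-ldms"}         # constructed managed service accounts
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe",
                  "curl.exe", "wget.exe", "certutil.exe"}
# Constructed: where the EPM server is expected to connect to at all.
ALLOWED_EGRESS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample events in a simplified JSON-lines format.
SAMPLE_EVENTS = """\
{"type":"process","host":"epm01","user":"svc-epm","parent":"w3wp.exe","image":"cmd.exe","cmdline":"cmd.exe /c whoami"}
{"type":"process","host":"epm01","user":"svc-epm","parent":"w3wp.exe","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden"}
{"type":"process","host":"epm01","user":"svc-epm","parent":"services.exe","image":"msiexec.exe","cmdline":"msiexec.exe /i package.msi"}
{"type":"process","host":"ws-017","user":"jdoe","parent":"explorer.exe","image":"cmd.exe","cmdline":"cmd.exe"}
{"type":"auth","host":"dc01","user":"svc-epm","src_host":"epm01","logon_type":3}
{"type":"auth","host":"dc01","user":"svc-epm","src_host":"ws-042","logon_type":3}
{"type":"netconn","host":"epm01","process":"w3wp.exe","dst_ip":"10.20.1.15","dst_port":445}
{"type":"netconn","host":"epm01","process":"w3wp.exe","dst_ip":"203.0.113.7","dst_port":443}
"""


def analyse(events_text: str) -> list:
    """Return a list of (rule, detail) findings for the given JSON-lines text."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind = ev.get("type")
        if (kind == "process" and ev.get("host") == EPM_SERVER
                and ev.get("user") in SERVICE_ACCOUNTS
                and ev.get("image", "").lower() in SHELL_CHILDREN):
            # Rule 1: shell/downloader spawned in the service-account context
            findings.append(("shell-under-service-account",
                             f'{ev["parent"]} -> {ev["image"]}: {ev["cmdline"]}'))
        elif (kind == "auth" and ev.get("user") in SERVICE_ACCOUNTS
                and ev.get("src_host") != EPM_SERVER):
            # Rule 2: managed service account used from a host other than EPM
            findings.append(("service-account-from-foreign-host",
                             f'{ev["user"]} from {ev["src_host"]} to {ev["host"]}'))
        elif kind == "netconn" and ev.get("host") == EPM_SERVER:
            # Rule 3: EPM server connecting somewhere outside expected ranges
            dst = ipaddress.ip_address(ev["dst_ip"])
            if not any(dst in net for net in ALLOWED_EGRESS):
                findings.append(("unexpected-egress",
                                 f'{ev["process"]} -> {ev["dst_ip"]}:{ev["dst_port"]}'))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Rule 2 is the cheapest of the three to deploy in practice: it needs only domain controller logon events and a list of which hosts each service account is allowed to originate from.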

The Ivanti MDM pattern will not stop with the CVEs documented here. The architecture that makes these products useful is the same architecture that makes them targets. New CVEs will emerge. The only durable mitigations are network isolation, rapid patching, and credential hygiene applied consistently — not reactively.

CVEs Covered

| CVE | Product and issue | CVSS |
|---|---|---|
| CVE-2020-15505 | MobileIron Core/Sentry/Connector: unauthenticated RCE via Apache/Tomcat ACL bypass and Hessian deserialization | 9.8 |
| CVE-2021-44529 | Ivanti EPM Cloud Service Appliance: PHP code injection (supply-chain backdoor) | 9.8 |
| CVE-2023-35078 | Ivanti EPMM: unauthenticated remote API access (zero-day) | 10.0 |
| CVE-2023-35081 | Ivanti EPMM: authenticated path traversal file write | 7.2 |
| CVE-2023-35082 | Ivanti EPMM and MobileIron Core: unauthenticated API access | 10.0 |
| CVE-2023-38035 | Ivanti Sentry: pre-auth RCE via unauthenticated Hessian RPC on MICS admin portal | 9.8 |
| CVE-2024-29824 | Ivanti EPM: SQL injection leading to remote code execution via xp_cmdshell | 8.8 |
| CVE-2024-13159 | Ivanti EPM: NTLM hash coercion via UNC path (GetHashForWildcardRecursive) | 9.8 |
| CVE-2024-13160 | Ivanti EPM: NTLM hash coercion via UNC path (GetHashForWildcard) | 9.8 |
| CVE-2024-13161 | Ivanti EPM: NTLM hash coercion via UNC path (GetHashForSingleFile) | 9.8 |
| CVE-2025-4427 | Ivanti EPMM: authentication bypass via missing Spring Security intercept rules | 5.3 |
| CVE-2025-4428 | Ivanti EPMM: remote code execution via Spring EL injection | 7.2 |
| CVE-2025-61932 | LANSCOPE Endpoint Manager: management server spoofing, exploited by Bronze Butler APT | 9.8 |
| CVE-2026-21643 | Fortinet FortiClient EMS: pre-auth SQL injection via Site HTTP header | 9.8 |
| CVE-2026-35616 | Fortinet FortiClient EMS: improper access control, pre-auth RCE (exploited) | 9.8 |
| CVE-2026-1281 | Ivanti EPMM: pre-auth RCE via app store URL Bash injection | 9.8 |
| CVE-2026-1340 | Ivanti EPMM: pre-auth RCE via Android file transfer URL Bash injection | 9.8 |
| CVE-2026-1603 | Ivanti EPM: unauthenticated credential vault access via magic number header bypass | 8.6 |
| CVE-2025-32975 | Quest KACE SMA: unauthenticated SSO authentication bypass enabling full administrative takeover | 10.0 |