Ivanti EPMM Zero-Day Remote Code Execution Flaw Patched
Ivanti has released an emergency patch for a critical remote-code-execution (RCE) vulnerability in its Endpoint Manager Mobile (EPMM) product. Tracked as CVE-2023-XXXXX with a CVSS score of 9.8, the flaw resides in the API endpoint handling of the mobile-device-management (MDM) service. An unauthenticated attacker can send a specially crafted SOAP request to the /api/v1/mdm endpoint and achieve arbitrary code execution with SYSTEM-level privileges. Ivanti confirmed that the vulnerability has been actively exploited in the wild as a zero-day, with early signs pointing to limited, targeted attacks.
Customers running EPMM versions prior to 22.7.9 are affected and should apply the update immediately. The patched version, 22.7.9, removes the vulnerable code path and adds proper input validation and request-origin checks. Ivanti advises administrators to audit access logs for unusual POST requests to the /api/v1/mdm path, enable the built-in intrusion-detection signatures, and restrict external access to the management interface via network segmentation or firewall rules.
This is the second zero-day disclosed in Ivanti EPMM this year, following the earlier CVE-2023-YYYYY flaw that was also leveraged in targeted campaigns. The company's security advisory (ADV-2023-001) provides a full list of affected builds, workarounds for environments that cannot patch right away, and indicators of compromise such as abnormal JSON payloads. Organizations are urged to treat this as a critical priority, as successful exploitation can lead to full device takeover, data exfiltration, and potential lateral movement within enterprise networks.
Security teams should also review third-party integrations that rely on EPMM APIs, ensure that any automated scripts using the vulnerable endpoint are updated, and consider deploying additional endpoint-detection-and-response (EDR) rules to catch malicious attempts to abuse the flaw. Ivanti says it will continue to monitor for any new attack patterns and will release further guidance if the threat landscape evolves.
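As an added example (not code from Ivanti or its advisory), the following Python helper implements the two checks recommended above: it flags POST requests to the /api/v1/mdm path that originate outside an administrator-defined management network, and it tells whether an EPMM version string is older than the fixed build 22.7.9. The combined-format log layout, the 10.20.0.0/16 management range and the sample log lines are constructed assumptions.

```python
"""Triage helper for the EPMM advisory: flag external POSTs to /api/v1/mdm in
web-server access logs and check whether a version string predates 22.7.9.
The log format, network ranges and log lines are constructed, not real data."""
import ipaddress
import re

FIXED_VERSION = (22, 7, 9)          # first patched build named in the advisory
VULN_PATH = "/api/v1/mdm"           # vulnerable endpoint named in the advisory
# Assumed internal management range; replace with your own allow-list.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Apache/nginx combined-format access log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_affected(version: str) -> bool:
    """True when an EPMM version string sorts below the patched 22.7.9 build."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))          # pad short strings such as "22.8"
    return parts[:3] < FIXED_VERSION

def suspicious_requests(lines):
    """Return (ip, path, status) for POSTs to the MDM API from outside the allow-list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]      # drop query string before matching
        if not path.startswith(VULN_PATH):
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in MANAGEMENT_NETS):
            continue                            # expected administrative traffic
        hits.append((m["ip"], path, int(m["status"])))
    return hits

# Constructed sample log: one internal admin call, two external POSTs, one unrelated GET.
SAMPLE_LOG = [
    '10.20.4.7 - - [12/Aug/2023:09:14:02 +0000] "POST /api/v1/mdm HTTP/1.1" 200 512',
    '203.0.113.45 - - [12/Aug/2023:09:15:31 +0000] "POST /api/v1/mdm HTTP/1.1" 200 2048',
    '203.0.113.45 - - [12/Aug/2023:09:15:33 +0000] "GET /status HTTP/1.1" 200 1102',
    '198.51.100.9 - - [12/Aug/2023:09:16:10 +0000] "POST /api/v1/mdm/devices?x=1 HTTP/1.1" 500 0',
]
```

Feed real access logs through `suspicious_requests` and treat every hit as a lead for the IoC review described in the advisory; failed (5xx) external POSTs to the endpoint deserve the same attention as successful ones.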