Introduction
Ivanti Endpoint Manager Mobile (EPMM) has once again surfaced in vulnerability disclosures, this time with an authenticated OS command injection flaw that grants root level command execution on the MDM server. For organizations that rely on EPMM to manage their mobile device fleets, this vulnerability (CVE-2026-10727, CVSS 7.2) represents a path from stolen or phished credentials to complete server compromise, with downstream access to every enrolled endpoint.
What makes this disclosure particularly notable is its context. CVE-2026-10727 was published on June 9, 2026 alongside CVE-2026-6973, a companion vulnerability that CISA has already confirmed is actively exploited in the wild and added to its Known Exploited Vulnerabilities catalog. This is the fifth major vulnerability affecting Ivanti EPMM in roughly 18 months, a cadence that has drawn scrutiny from CISA, the FBI, Unit 42, and credit rating agencies alike.
Technical Information
Root Cause: CWE-78 OS Command Injection
CVE-2026-10727 falls under CWE-78: Improper Neutralization of Special Elements used in an OS Command. The core issue is that the EPMM server constructs operating system commands using input that an authenticated user can influence, without properly sanitizing or neutralizing shell metacharacters. Characters such as semicolons (;), pipes (|), backticks (`), and command substitution operators ($()) can break out of the intended command context and cause the underlying operating system to execute attacker controlled instructions.
The CWE-78 specification identifies two primary subtypes of this weakness: one where the attacker injects additional arguments into an otherwise trusted command, and another where the attacker fully controls which program is executed. Both subtypes are relevant here, as the NVD description confirms that a remote authenticated attacker can "execute arbitrary commands as root."
The root execution context is critical. Because the EPMM server process runs with root privileges, any injected command inherits those privileges. This means a successful exploit grants unrestricted access to the server filesystem, the EPMM database (which contains enrollment data for all managed devices), and the ability to pivot laterally to managed endpoints.
Attack Flow
Based on the vulnerability characteristics and documented attack patterns for CWE-78 (CAPEC-88 and CAPEC-15), the exploitation flow would proceed as follows:
-
Credential Acquisition: The attacker obtains valid EPMM credentials. This could occur through phishing, credential stuffing against the internet facing management console, or by chaining with another vulnerability that provides authentication bypass or credential disclosure.
-
Authenticated Access: The attacker authenticates to the EPMM platform using the obtained credentials.
-
Command Injection: The attacker submits crafted input containing shell metacharacters to the vulnerable endpoint or parameter. The EPMM server incorporates this input into an OS command without proper sanitization.
-
Root Execution: The operating system interprets the injected metacharacters, executing the attacker's payload with root privileges.
-
Post Exploitation: With root access, the attacker can deploy persistent backdoors (such as JSP web shells), harvest enrollment data and credentials for managed devices, install cryptominers or other malware, or pivot to managed endpoints.
Chaining Risk: Lessons from Prior Ivanti Campaigns
The authenticated nature of CVE-2026-10727 does not eliminate the threat; it shifts the attack model toward vulnerability chaining. This pattern has been directly observed in prior Ivanti campaigns.
In the Ivanti Cloud Service Appliance (CSA) campaign documented in CISA advisory AA25-022A, threat actors first exploited CVE-2024-8963 (a path traversal and administrative bypass) to obtain session tokens, then chained CVE-2024-8190 (also CWE-78, OS command injection) to execute arbitrary code. From there, they harvested encrypted admin credentials from the PostgreSQL database, escalated privileges, deployed web shells for persistence at paths like /opt/ivanti/csa/broker/webroot/client/help.php, used sudo commands for defense evasion, timestomped modified files, and deleted system logs.
The parallel to CVE-2026-10727 is direct. An authentication bypass or credential theft vulnerability could serve as the initial access vector, with CVE-2026-10727 providing the root level payload execution stage. Given that attackers have previously chained stolen admin credentials from older EPMM CVEs like CVE-2026-1340, this chaining scenario is not theoretical.
Comparison With Related Ivanti EPMM Vulnerabilities
| CVE | Type | CVSS | Authentication Required | Actively Exploited | Date Disclosed |
|---|---|---|---|---|---|
| CVE-2026-10727 | OS Command Injection (CWE-78) | 7.2 | Yes (authenticated) | Not confirmed | June 2026 |
| CVE-2026-6973 | Improper Input Validation | 7.5 | Yes (admin) | Yes (CISA KEV) | May 2026 |
| CVE-2026-1281 | Code Injection | 9.8 | No (unauthenticated) | Yes (widespread) | January 2026 |
| CVE-2026-1340 | Code Injection | 9.8 | No (unauthenticated) | Yes (widespread) | January 2026 |
| CVE-2025-4428 | Improper Access Control | Critical | No (unauthenticated) | Yes (China nexus actor) | May 2025 |
The trend is clear: earlier EPMM vulnerabilities were unauthenticated and carried higher CVSS scores, while the more recent disclosures require authentication. However, the authentication gate is weaker than it appears when considered alongside the documented chaining patterns and the availability of credentials from prior compromises.
What Remains Unknown
The specific code path, endpoint, or parameter in Ivanti EPMM that is vulnerable to the OS command injection has not been publicly documented as of the NVD publication date. Ivanti has not published code level diffs for the proprietary EPMM appliance software. Organizations should consult the official Ivanti advisory directly for the most authoritative technical details.
Patch Information
Ivanti published a dedicated security advisory on June 9, 2026, addressing CVE-2026-10727 alongside CVE-2026-6973 in a single coordinated disclosure. The fix is delivered as a vendor firmware update; there is no standalone hotfix or individual code patch. Customers must upgrade their on premises Ivanti EPMM appliances to one of the three resolved versions.
Fixed Versions
| Release Branch | Fixed Version | Build Identifier |
|---|---|---|
| 12.9.x | 12.9.0.1 | mobileiron-12.9.0.1-3 |
| 12.8.x | 12.8.0.3 | mobileiron-12.8.0.3-252 |
| 12.7.x | 12.7.0.2 | mobileiron-12.7.0.2-6 |
The affected versions are EPMM 12.9.0, 12.8.0.2, 12.7.0.1, and all prior releases.
Deployment Paths
Ivanti provides two deployment paths for each fixed version: a full ISO image for fresh EPMM installations and an upgrade package for existing appliance deployments. These are hosted on the support.mobileiron.com download portal (login required). For example, the 12.9.0.1 upgrade package is available at https://support.mobileiron.com/mi/vsp/12.9.0.1-3/mobileiron-12.9.0.1-3/, with the full ISO at the corresponding .iso path.
Important: This Advisory Is Distinct From the May 2026 Advisory
The June 2026 advisory is distinct from Ivanti's earlier May 7, 2026 EPMM advisory, which addressed five other high severity CVEs (including CVE-2026-6973 in its initial patch round alongside CVE-2026-5786, CVE-2026-5787, CVE-2026-5788, and CVE-2026-7821) with a different set of fixed versions (12.6.1.1, 12.7.0.1, 12.8.0.1). The June advisory introduces newer point releases (12.7.0.2, 12.8.0.3, 12.9.0.1) that bundle the CVE-2026-10727 fix on top of the May fixes. Customers who already applied the May patches still need to apply this subsequent update to be fully protected against CVE-2026-10727.
Scope
The fix only applies to on premises EPMM. Ivanti Neurons for MDM (the cloud offering), Ivanti EPM, Ivanti Sentry, and all other Ivanti products are unaffected.
Nature of the Fix
The patch remediates the injection point by ensuring that user controllable input can no longer break out of its intended context and reach the OS shell, eliminating the command injection vector entirely.
Affected Systems and Versions
The following Ivanti EPMM versions are vulnerable:
- 12.9.x branch: All versions before 12.9.0.1 (specifically 12.9.0 and earlier)
- 12.8.x branch: All versions before 12.8.0.3 (specifically 12.8.0.2 and earlier)
- 12.7.x branch: All versions before 12.7.0.2 (specifically 12.7.0.1 and earlier)
- All prior release branches: Any EPMM version older than the 12.7.x branch
Only on premises Ivanti EPMM deployments are affected. Ivanti Neurons for MDM (cloud), Ivanti EPM, Ivanti Sentry, and other Ivanti products are not affected by this CVE.
At the time of the companion CVE-2026-6973 disclosure, more than 850 Ivanti EPMM instances were reported as exposed on the internet, representing a substantial attack surface.
Vendor Security History
Ivanti's EPMM product line has experienced a troubling pattern of critical vulnerabilities over the past 18 months:
| Timeline | CVEs | Severity | Exploitation Status |
|---|---|---|---|
| May 2025 | CVE-2025-4427, CVE-2025-4428 | Critical | Actively exploited by China nexus threat actor |
| January 2026 | CVE-2026-1281, CVE-2026-1340 | 9.8 (Critical) | Widespread automated exploitation (Unit 42) |
| May 2026 | CVE-2026-6973 | 7.5 (High) | Actively exploited (CISA KEV) |
| June 2026 | CVE-2026-10727 | 7.2 (High) | Not confirmed |
Beyond EPMM, Ivanti's Cloud Service Appliance (CSA) was the subject of CISA/FBI joint advisory AA25-022A in January 2025, documenting how threat actors chained four CSA vulnerabilities (CVE-2024-8963, CVE-2024-8190, CVE-2024-9380, CVE-2024-9379) for credential theft, web shell deployment, and lateral movement.
The January 2026 EPMM zero day crisis is particularly instructive. Unit 42 observed widespread, automated exploitation of CVE-2026-1281 and CVE-2026-1340, two unauthenticated code injection vulnerabilities (CVSS 9.8 each) in legacy bash scripts tied to the In House Application Distribution feature. Attackers sent crafted HTTP requests to /mifs/c/appstore/fob/... and /mifs/c/aftstore/fob/ endpoints, manipulating parameters to inject bash arithmetic expansion commands. Post exploitation activities included deploying lightweight JSP web shells (named 401.jsp, 403.jsp, 1.jsp) in the Tomcat webapps directory, downloading second stage payloads for cryptominers and persistent backdoors, deploying a Nezha monitoring agent for botnet infrastructure, and conducting reconnaissance using sleep commands to confirm remote code execution. The campaign impacted state and local government, healthcare, manufacturing, and high technology sectors across the United States, Germany, Australia, and Canada.
Fitch Ratings downgraded Ivanti's credit rating, noting "elevated customer churn" and projecting a potential 15% revenue decline in a distressed scenario, with Ivanti reporting a cash balance of only $7 million. Security teams should factor this financial context into their risk assessments when evaluating long term reliance on Ivanti products.
References
- CVE-2026-10727 Detail, NVD
- Security Advisory: Ivanti EPMM CVE-2026-6973 and CVE-2026-10727
- Ivanti Blog: May 2026 EPMM Security Update
- CVE-2026-6973: Ivanti EPMM RCE Vulnerability Actively Exploited
- CVE-2026-6973 Detail, NVD
- CWE-78: Improper Neutralization of Special Elements used in an OS Command
- CISA Advisory AA25-022A: Threat Actors Chained Vulnerabilities in Ivanti CSA
- Unit 42: Critical Vulnerabilities in Ivanti EPMM Exploited
- EclecticIQ: China Nexus Threat Actor Actively Exploiting Ivanti EPMM
- CISA Adds One Known Exploited Vulnerability to Catalog (CVE-2026-6973)
- Security Advisory: Ivanti EPMM CVE-2026-1281 and CVE-2026-1340
- Fitch Downgrades Ivanti to 'RD'
- CSA Singapore: Critical Vulnerabilities in Ivanti EPMM



