< ciso
brief />
Tag Banner

All news with #ivanti tag

51 articles

Operation Escaneo exposes Latin American intrusions

๐Ÿ” New research from CloudSEK reveals Operation Escaneo, a coordinated campaign targeting government and financial entities across Latin America after attackers left a staging server exposed. The group exploited internet-facing appliances and known vulnerabilities in Fortinet and Ivanti devices, plus Apache Tomcat, Windows, and Log4Shell flaws. Attackers used custom reconnaissance (Kimera), webshells, reverse tunnels and a compromised Cisco router to exfiltrate large volumes of sensitive data.
read more โ†’

CISA orders three-day patch for Ivanti Sentry flaw

๐Ÿ”’ The U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to patch an actively exploited Ivanti Sentry flaw (CVE-2026-10520) within three days under Binding Operational Directive BOD 26-04. The vulnerability, an OS command injection in Ivanti's security gateway appliance, has been confirmed exploited and added to CISA's Known Exploited Vulnerabilities Catalog. Shadowserver reports multiple Sentry gateways have already been backdoored and warns unpatched systems are likely compromised.
read more โ†’

Maximum-severity Ivanti Sentry flaw now exploited

๐Ÿ”’ Attackers are exploiting a recently patched maximum-severity OS command injection in Ivanti Sentry (formerly MobileIron Sentry), tracked as CVE-2026-10520, to achieve root code execution on Internet-exposed gateways. Ivanti released patches in Sentry R10.5.2, R10.6.2, and R10.7.1, but Shadowserver reports many publicly reachable appliances have already been backdoored. Shadowserver warned that their scans undercount exposures due to blocklisting and urged immediate patching, while Ivanti has not revised its advisory and maintains no evidence of customer exploitation at disclosure.
read more โ†’

Ivanti patches critical Sentry gateway vulnerabilities

๐Ÿ”’ Ivanti patched two critical vulnerabilities in Ivanti Sentry, an in-line secure mobile gateway formerly called MobileIron Sentry, that could allow unauthenticated remote attackers to take full control of devices. One flaw, CVE-2026-10523, lets attackers bypass authentication to create administrative accounts and is rated 9.9/10. The second, CVE-2026-10520, is a command injection leading to root remote code execution and is rated 10/10. Customers should upgrade to versions 10.5.2, 10.6.2, or 10.7.1 immediately.
read more โ†’

Critical patches from Fortinet, Ivanti and SAP released

๐Ÿ›ก๏ธ Fortinet, Ivanti, and SAP issued security updates addressing multiple critical vulnerabilities that could enable arbitrary code execution and data disclosure. Fortinet fixed a command injection in FortiSandbox (CVE-2026-25089, CVSS 9.1). Ivanti patched two critical Ivanti Sentry flaws (CVE-2026-10520, CVSS 10.0; CVE-2026-10523, CVSS 9.9) that allow remote code execution and admin account creation. SAP released fixes for four critical issues across NetWeaver, ABAP Platform, Commerce Cloud, and Data Hub.
read more โ†’

Ivanti Sentry critical root code execution patched

๐Ÿ”’ Ivanti has released patches for two critical vulnerabilities in its Sentry secure mobile gateway, including a maximum-severity OS command injection (CVE-2026-10520) that allows remote code execution as root and a critical authentication bypass (CVE-2026-10523) permitting creation of rogue admin accounts. Patches are available in Sentry R10.5.2, R10.6.2, and R10.7.1, and the vendor reports no evidence of active exploitation at disclosure. Administrators are urged to apply updates promptly to prevent potential compromises.
read more โ†’

Critical Patches for Ivanti, Fortinet, SAP, VMware, n8n

๐Ÿ”’ Ivanti, Fortinet, SAP, VMware, n8n and dozens of other vendors have released security updates addressing multiple high- and critical-severity flaws that enable authentication bypass, information disclosure, local privilege escalation, and remote code execution. Highlights include a critical Ivanti Xtraction file-name control flaw (CVE-2026-8043), Fortinet authentication and sandbox execution bugs, SAP SQL injection and missing-auth issues, and a TOCTOU local privilege escalation in VMware Fusion. Administrators should prioritize applying the vendor-recommended patches immediately.
read more โ†’

Weekly Recap: Linux Rootkits, Supply Chain and Cloud Breaches

โšก This weekly recap highlights a string of active campaigns and exploited flaws affecting enterprise and cloud environments. Attackers weaponized vulnerabilities in Ivanti EPMM and Palo Alto PAN-OS, while a new modular Linux implant dubbed Quasar Linux (QLNX) pairs a kernel rootkit with a P2P mesh to resist takedowns. Several supply-chain compromises and credential-stealing campaigns are targeting cloud and developer tooling, and threat actors increasingly abuse legitimate RMM platforms for persistence.
read more โ†’

Ivanti EPMM: Five Vulnerabilities, One Actively Exploited

๐Ÿ” Ivanti disclosed five vulnerabilities in its onโ€‘premises Endpoint Manager Mobile (EPMM) suite, and oneโ€”CVE-2026-6973โ€”has been added to CISAโ€™s Known Exploited Vulnerabilities Catalog due to active exploitation. Updated EPMM releases resolving the issues are available and administrators are urged to apply patches and rotate administrative credentials immediately. The defects include improper input validation, access control failures, and certificate validation errors, and Ivanti says it is using AI tools to help identify additional vulnerabilities. Organizations should also review enrollment settings such as Apple Device Enrollment and assess whether legacy onโ€‘premises MDM fits a Zero Trust model.
read more โ†’

CISA Orders Federal Agencies to Patch Ivanti EPMM Zero-Day

โš  CISA has ordered U.S. federal agencies to patch a high-severity vulnerability in Ivanti Endpoint Manager Mobile within four days after the flaw was observed exploited as a zero-day (CVE-2026-6973). Ivanti published updates (12.6.1.1, 12.7.0.1, 12.8.0.1) and urged customers to review and rotate Admin credentials. The issue requires administrative authentication, affects only on-prem EPMM appliances, and Shadowserver reports over 800 exposed instances online.
read more โ†’

Ivanti EPMM RCE (CVE-2026-6973) Under Active Exploitation

๐Ÿ›ก๏ธ Ivanti warns of a high-severity flaw, CVE-2026-6973 (CVSS 7.2), in Endpoint Manager Mobile (EPMM) that has been observed in limited active exploitation and permits remote code execution for remotely authenticated users with administrative access. The issue affects on-premises EPMM versions before 12.6.1.1, 12.7.0.1, and 12.8.0.1 and was released alongside patches for four additional vulnerabilities. CISA added CVE-2026-6973 to its KEV catalog with a May 10, 2026 remediation deadline; Ivanti advises applying updates and rotating credentials as appropriate.
read more โ†’

Ivanti warns of EPMM zero-day RCE; patches released

๐Ÿ”’ Ivanti is urging customers to patch a high-severity remote code execution flaw (CVE-2026-6973) in Endpoint Manager Mobile (EPMM) after limited zero-day exploitation. The weakness stems from improper input validation and affects on-prem EPMM 12.8.0.0 and earlier; Ivanti released fixes in 12.6.1.1, 12.7.0.1, and 12.8.0.1 and recommends reviewing and rotating admin credentials. The vendor also patched four additional high-severity EPMM issues and noted that Shadowserver currently sees over 850 exposed EPMM hosts online.
read more โ†’

CISA Adds Ivanti EPMM Vulnerability to KEV Catalog

๐Ÿ”” CISA has added one vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2026-6973, an Ivanti Endpoint Manager Mobile (EPMM) improper input validation flaw. CISA cites evidence of active exploitation and emphasizes the significant risk this class of vulnerability poses to the federal enterprise. The agency reminds FCEB agencies of remediation requirements under BOD 22-01 and strongly urges all organizations to prioritize timely fixes.
read more โ†’

CISA Orders Federal Agencies to Patch Ivanti EPMM Flaw

โš ๏ธ CISA has ordered U.S. federal agencies to remediate a critical Ivanti Endpoint Manager Mobile flaw (CVE-2026-1340) that has been exploited since January. The agency added the bug to its Known Exploited Vulnerabilities catalog and invoked BOD 22-01, giving agencies until Saturday, April 11 to patch or mitigate affected systems. Ivanti released fixes on January 29 and urged all customers to update immediately.
read more โ†’

CISA Adds Ivanti EPMM Code Injection CVE to KEV Catalog

โš ๏ธ CISA has added CVE-2026-1340, a code injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The agency notes that code injection is a common, high-risk attack vector with significant implications for federal networks. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate identified KEV entries by the required deadlines, and CISA urges all organizations to prioritize timely fixes to reduce exposure.
read more โ†’

Fake Enterprise VPN Installers Steal Company Credentials

๐Ÿ”’ A threat actor tracked as Storm-2561 is distributing spoofed enterprise VPN clients impersonating vendors such as Ivanti, Cisco, and Fortinet to harvest corporate VPN credentials. The campaign uses SEO poisoning to push victims to convincing fake vendor pages that link to a GitHub-hosted ZIP containing a malicious MSI installer. When run, the installer places a fake Pulse.exe, drops a loader (dwmapi.dll) and a Hyrax infostealer variant (inspector.dll), captures credentials and configuration files, then displays an installation error and redirects victims to the legitimate vendor site to avoid immediate suspicion.
read more โ†’

CISA warns of active exploitation: Ivanti EPM, Cisco SDโ€‘WAN

โš ๏ธ CISA warns that an authentication-bypass bug in Ivanti Endpoint Manager (CVE-2026-1603), patched Feb. 9, is being actively exploited to leak stored credentials. The agency also added related SolarWinds and VMware defects to its Known Exploited Vulnerabilities catalog. CISA updated an emergency directive for Cisco SDโ€‘WAN flaws (CVE-2026-20127, CVE-2022-20775), citing signs of long-running exploitation and imposing new reporting and log-submission requirements for federal agencies, including a March 26 deadline.
read more โ†’

CISA: Actively exploited Ivanti EPM flaw patched quickly

๐Ÿ”ด CISA has added a recently patched Ivanti Endpoint Manager vulnerability (CVE-2026-1603) to its Known Exploited Vulnerabilities catalog and ordered federal agencies to remediate within three weeks. The flaw allows unauthenticated remote actors to bypass authentication and exfiltrate credentials via low-complexity cross-site scripting. Ivanti released EPM 2024 SU5 last month, which also addressed an SQL injection issue, and says it has no confirmed reports of exploitation while Shadowserver still tracks over 700 Internet-facing instances.
read more โ†’

CISA Flags SolarWinds, Ivanti, and Workspace One Flaws

โš ๏ธ CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog on Mar 10, 2026, citing evidence of active exploitation in SolarWinds Web Help Desk, Ivanti Endpoint Manager, and Omnissa Workspace One UEM. Federal civilian agencies were ordered to apply the SolarWinds fix by March 12 and remediate the other two flaws by March 23. The issues include a critical deserialization bug (CVE-2025-26399), an authentication bypass (CVE-2026-1603), and an SSRF (CVE-2021-22054) tied to ongoing threat activity.
read more โ†’

CISA Adds Three Vulnerabilities to KEV Catalog, March 2026

โš ๏ธ CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2021-22054 (Omnissa Workspace ONE SSRF), CVE-2025-26399 (SolarWinds Web Help Desk insecure deserialization), and CVE-2026-1603 (Ivanti Endpoint Manager authentication bypass). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate listed KEV entries by the specified deadlines. CISA strongly urges all organizations to prioritize timely patching and mitigation to reduce exposure to active exploitation.
read more โ†’