Pakistan’s National CERT Flags Active Zero-Day Attacks on Ivanti Mobile Systems

Pakistan’s National Computer Emergency Response Team (National CERT) has issued a high-severity alert warning of active cyberattacks exploiting critical zero-day vulnerabilities in on-premises deployments of Ivanti Endpoint Manager Mobile (EPMM), urging organisations to patch affected systems immediately.

In an advisory, National CERT said the flaws allow remote, unauthenticated execution of malicious code, potentially giving attackers full control over affected systems. Ivanti has confirmed the vulnerabilities, and at least one is now listed in the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalogue, which only admits flaws with evidence of in-the-wild exploitation.

The vulnerabilities carry a critical CVSS score of 9.8, posing severe risks to confidentiality, integrity and system availability, the advisory said. Successful exploitation could expose sensitive mobile device data, disrupt enterprise mobile management operations and enable attackers to move laterally into wider government or corporate networks.

According to National CERT, the affected products are Ivanti Endpoint Manager Mobile on-premises appliances running versions 12.5.0.0 through 12.7.0.0, as well as earlier releases. Other Ivanti products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager and Ivanti Sentry, are not affected.

The flaws stem from improper input handling that allows code injection; the advisory describes the exploits as “weaponised” and capable of installing persistent backdoors on compromised systems. Indicators of compromise cited by National CERT include suspicious web requests, unexpected command execution, unauthorised administrator accounts, altered security policies and the presence of unknown scripts or binaries on the appliance.
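The indicator categories above translate naturally into a small triage pass over whatever evidence an exposed appliance can still yield. The script below is an added example, not tooling from National CERT or Ivanti, and it is deliberately generic: it assumes web logs in Apache/nginx combined format, an exported list of administrator accounts, and a file manifest (path to SHA-256) taken from a known-good build, none of which the advisory specifies. The request paths, account names, hashes and the list of code-injection markers are constructed for illustration and are not Ivanti endpoints or published detection signatures.

```python
"""Generic post-advisory triage helpers (added example; not National CERT or Ivanti tooling).

Assumptions, none taken from the advisory:
  * web logs are in Apache/nginx "combined" format
  * an administrator-account list and a file manifest exist from a known-good baseline
  * the injection markers are generic heuristics for code/expression injection
"""
import re
import urllib.parse
from typing import Iterable

# One combined-format access-log line; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Heuristic markers for code / expression-language injection in request parameters
# (constructed for this example; not a published signature).
INJECTION_MARKERS = ("${", "$(", "`", "#{", "Runtime", "ProcessBuilder", "/bin/sh", "/bin/bash")

# Constructed sample log lines; the endpoints are invented, not Ivanti's.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2026:09:14:03 +0500] "GET /api/v2/devices?format=json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Jan/2026:09:14:11 +0500] "GET /api/v2/devices?format=%24%7B%27%27.getClass%28%29%7D HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.23 - - [12/Jan/2026:09:14:15 +0500] "POST /api/v2/login?user=%60id%60 HTTP/1.1" 401 0 "-" "curl/8.4.0"
"""

# Constructed baseline vs. current state of the appliance.
BASELINE_ADMINS = {"admin", "mdm-ops"}
CURRENT_ADMINS = {"admin", "mdm-ops", "svc_backup1"}
BASELINE_FILES = {"/opt/app/bin/start.sh": "a1a1", "/opt/app/lib/core.jar": "b2b2"}
CURRENT_FILES = {"/opt/app/bin/start.sh": "a1a1", "/opt/app/lib/core.jar": "d4d4", "/tmp/.x/helper.sh": "c3c3"}


def decoded_values(path: str) -> list[str]:
    """Return query-parameter values decoded twice, so double URL-encoding does not hide markers."""
    query = urllib.parse.urlsplit(path).query
    # parse_qsl performs the first decode; unquote_plus performs a second one.
    return [urllib.parse.unquote_plus(v) for _, v in urllib.parse.parse_qsl(query, keep_blank_values=True)]


def suspicious_requests(lines: Iterable[str]) -> list[dict]:
    """Flag requests whose decoded parameters contain any injection marker."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        markers = set()
        for value in decoded_values(m["path"]):
            markers.update(mk for mk in INJECTION_MARKERS if mk in value)
        if markers:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "markers": sorted(markers)})
    return hits


def unauthorised_admins(current: Iterable[str], baseline: Iterable[str]) -> list[str]:
    """Administrator accounts present now but absent from the known-good baseline."""
    return sorted(set(current) - set(baseline))


def changed_or_unknown_files(current: dict[str, str], baseline: dict[str, str]) -> dict[str, str]:
    """Map path -> 'unknown' (not in baseline) or 'modified' (hash differs from baseline)."""
    findings = {}
    for path, digest in current.items():
        if path not in baseline:
            findings[path] = "unknown"
        elif baseline[path] != digest:
            findings[path] = "modified"
    return findings


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG.splitlines()):
        print("suspicious request:", hit)
    print("unauthorised admins:", unauthorised_admins(CURRENT_ADMINS, BASELINE_ADMINS))
    print("file findings:", changed_or_unknown_files(CURRENT_FILES, BASELINE_FILES))
```

On the constructed input the log pass flags the two requests from 198.51.100.23 (a decoded `${...}` expression and a backtick-wrapped command), the account diff surfaces `svc_backup1`, and the manifest diff reports the modified `core.jar` alongside an unknown script under `/tmp`. A real run would replace the constructed constants with an export from the appliance and a manifest taken from clean media, and a hit in any category is a reason to treat the system as compromised rather than merely patch it.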

Internet-facing Ivanti EPMM systems are at the highest risk, particularly those used by government departments, critical infrastructure operators and organisations handling sensitive or regulated mobile data, the advisory said.

National CERT has directed all affected entities to immediately apply Ivanti’s emergency RPM patches across all deployments, including high-availability environments, stressing that patching is mandatory and the only complete remediation.

While temporary steps such as network isolation, firewall restrictions and enhanced monitoring may reduce exposure, the advisory warned organisations to assume compromise if systems were internet-exposed and left unpatched. Patching closes the entry point but does not remove backdoors already installed, so affected entities have also been advised to conduct forensic audits, restrict unnecessary external access and activate incident response plans to mitigate long-term operational, regulatory and security risks.
