Ivanti EPMM Is Being Actively Exploited Right Now. Is Your MDM a Back Door?
Two vulnerabilities are dominating the threat picture today. One is actively being exploited in the wild. The other scored a perfect 10.0 and was published yesterday. Neither is theoretical.
Let’s start with what is actually happening.
Ivanti EPMM: A Zero-Day Being Used Right Now
Ivanti has issued an urgent advisory for its Endpoint Manager Mobile product, known as EPMM and formerly as MobileIron Core. The vulnerability at the centre of this is CVE-2026-6973, a high-severity remote code execution flaw with a CVSS score of 7.2.
That score understates the operational risk. Exploitation has been confirmed in the wild, and the attacks began before patches were available. That is the definition of a zero-day: you had no warning, and the window between disclosure and exploitation was effectively zero.
EPMM is mobile device management software. Organisations use it to remotely control the phones and tablets their staff use for work: pushing applications, enforcing policies, wiping devices. Compromise it and an attacker does not just access a server. They access the management plane for every mobile device connected to it.
CISA has added this to its Known Exploited Vulnerabilities catalogue and mandated remediation. The Dutch government’s experience earlier this year is instructive: a previous Ivanti EPMM vulnerability was used to breach multiple government bodies, including the country’s data protection authority and its judicial council. The same product, a different flaw, the same catastrophic outcome.
Ivanti’s advisory covers multiple vulnerabilities in the same product batch, including CVE-2026-5787 (CVSS 8.9, improper certificate validation allowing impersonation of registered Sentry hosts) and CVE-2026-5788 (CVSS 7.0, improper access control allowing invocation of arbitrary methods). These are being chained. Attackers are using harvested admin credentials to move between vulnerabilities and escalate access.
If your business runs Ivanti EPMM on-premises, the patch is available. The question is whether you have applied it.
Azure DevOps: A CVSS 10.0 Published Yesterday
Separate to the Ivanti situation, Microsoft published CVE-2026-42826 on 7 May 2026. CVSS score: 10.0. The flaw is classified as exposure of sensitive information to an unauthorised actor in Azure DevOps, allowing an unauthenticated attacker to disclose information over a network.
Azure DevOps is the platform many development teams and IT departments use to manage code repositories, pipelines, and project tracking. A CVSS 10.0 means the vulnerability is trivially exploitable, requires no authentication, and has maximum impact across confidentiality, integrity, and availability.
This is not in the actively exploited category yet. But a 10.0 with no authentication requirement and network access is the kind of flaw that moves from theoretical to weaponised quickly. If your business or your MSP uses Azure DevOps, this needs to be on your patching radar immediately.
Also published in the same Microsoft batch: CVE-2026-33823 (CVSS 9.6, improper authorisation in Microsoft Teams allowing information disclosure) and CVE-2026-35428 (CVSS 9.6, command injection in Azure Cloud Shell). The pattern is consistent: multiple high-severity Microsoft cloud infrastructure flaws published simultaneously, some requiring authorisation, some not.
Why This Pattern Matters for Small Businesses
The immediate reflex is to dismiss both stories as enterprise problems. Ivanti EPMM is expensive specialist software. Azure DevOps is for developers. Neither is on a 15-person accountancy firm’s radar.
That reflex is incorrect, for two reasons.
First, your managed service provider almost certainly uses both. Your MSP manages mobile devices across dozens of clients. If they run Ivanti EPMM and it is compromised, the attacker has access to the management plane for your devices alongside every other client on that platform. Supply chain compromise is not a theoretical risk in 2026. It is the documented attack vector.
Second, the Microsoft Teams vulnerability (CVE-2026-33823, CVSS 9.6) is directly relevant to any business using Microsoft 365. Teams is not enterprise-only. It is sitting on the laptop of every employee in businesses of every size. Improper authorisation allowing information disclosure over a network is a credential and data exfiltration risk, not an abstract vulnerability.
The pattern here is not “big companies have complicated problems.” The pattern is: the platforms that small businesses run on, and the MSPs they trust to manage those platforms, are under sustained, active attack.
How This Gives You an Edge
Businesses that understand their exposure to managed service provider vulnerabilities have a genuine procurement advantage. When evaluating an MSP, you can now ask a specific, informed question: do you use Ivanti EPMM, and have you applied the May 2026 patches? A competent MSP will answer immediately. An incompetent one will fumble.
The same logic applies to Azure DevOps. If your business uses a development supplier or IT contractor who manages pipelines on Azure DevOps, you have standing to ask whether CVE-2026-42826 has been mitigated. Asking the question signals that you are not a soft target. Soft targets get attacked first.
Cyber Essentials certification requires that critical patches be applied within 14 days. If your current provider cannot confirm patch status for actively exploited vulnerabilities within hours of an Ivanti advisory, that is a certification compliance failure, not just a security posture concern. Document the conversation.
Making the Business Case
Three arguments for internal escalation:
The MDM risk is a business continuity risk. If your mobile device management platform is compromised, an attacker can wipe, reconfigure, or monitor every managed device in your organisation. The operational disruption is not a data breach in the traditional sense; it is the loss of control over your entire mobile estate. Insurance policies vary on how they treat this. Know yours.
Supply chain exposure is your exposure. Under UK GDPR, you are responsible for the security of personal data processed by your data processors, including your MSP. If your MSP’s Ivanti EPMM instance is compromised and your employee or customer data is exfiltrated as a result, the ICO’s accountability framework points at you, not just them. Your contract with your MSP should include patch cadence obligations. If it does not, it needs to.
The cost of asking is zero. Emailing your MSP today to ask for confirmation that the Ivanti EPMM patches have been applied costs nothing. The cost of not asking, if the answer turns out to be no, is measurable in incident response fees, ICO notification obligations, and reputational damage.
What to Do Before Friday
- Ask your MSP directly. Send a brief email today: do you use Ivanti EPMM to manage our devices, and have you applied the patches released in the May 2026 advisory? Request written confirmation. Keep the response.
- Check your Microsoft 365 environment. CVE-2026-33823 affects Microsoft Teams. Ensure your Microsoft 365 tenant is set to receive automatic updates, and verify that Teams is on the current release. In the Teams desktop client: Settings, About Teams, check the version number against Microsoft’s published current release.
- Review your Azure DevOps exposure. If your business or any supplier uses Azure DevOps, identify who manages the instance and request confirmation that CVE-2026-42826 has been addressed. If it is a Microsoft-hosted instance, Microsoft will patch it. If it is self-hosted, that patch needs applying manually.
- Review your MSP contract. Locate the section covering patch management obligations. If it does not specify a maximum time-to-patch for critical vulnerabilities, raise it at your next review. The Cyber Essentials standard requires 14 days for internet-facing systems. Your contract should say at least that.
- Log this as a risk item. If you maintain a risk register (and you should, even informally), add a line: MDM platform supply chain risk, owner: MSP relationship contact, action: confirmation of patch status, due: today. Having a written record that you identified and pursued the risk is material if you ever face an ICO investigation.
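One way to keep that register, as an added example that is not part of the original article: it ranks the CVEs named above for a given estate, putting confirmed exploitation ahead of CVSS score, and checks each against the 14-day window. Assumptions: the `in_use` product set is hypothetical, the Ivanti publication date is constructed because the article does not state it, and the window is counted from the publication date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # Cyber Essentials window cited in the article

@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    cvss: float
    exploited: bool              # exploitation confirmed in the wild
    published: date
    patched_on: Optional[date] = None

# CVE IDs, products and scores are the article's. The Ivanti date is
# constructed: the article does not give the advisory date.
FINDINGS = [
    Finding("CVE-2026-42826", "Azure DevOps", 10.0, False, date(2026, 5, 7)),
    Finding("CVE-2026-33823", "Microsoft Teams", 9.6, False, date(2026, 5, 7)),
    Finding("CVE-2026-35428", "Azure Cloud Shell", 9.6, False, date(2026, 5, 7)),
    Finding("CVE-2026-6973", "Ivanti EPMM", 7.2, True, date(2026, 5, 7)),
]

def triage(findings, products_in_use):
    """Keep findings for products we or our suppliers run; exploited first, then CVSS."""
    relevant = [f for f in findings if f.product in products_in_use]
    return sorted(relevant, key=lambda f: (not f.exploited, -f.cvss))

def status(f, today):
    """Classify one finding against the 14-day window."""
    deadline = f.published + PATCH_WINDOW
    if f.patched_on is not None:
        return "patched late" if f.patched_on > deadline else "patched"
    if f.exploited:
        return "escalate now"    # unpatched and under active attack
    if today > deadline:
        return "overdue"
    return f"open, due {deadline.isoformat()}"

def register(findings, products_in_use, today):
    """Rows for a risk register: (CVE, product, status), highest priority first."""
    return [(f.cve, f.product, status(f, today))
            for f in triage(findings, products_in_use)]

if __name__ == "__main__":
    in_use = {"Ivanti EPMM", "Microsoft Teams", "Azure DevOps"}  # hypothetical estate
    for row in register(FINDINGS, in_use, date(2026, 5, 8)):
        print(*row, sep=" | ")
```

Record `patched_on` from the supplier's written confirmation so the register shows when each item was closed, not just that it was.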
The intelligence picture on 8 May 2026 is clear. Active exploitation of mobile device management infrastructure is confirmed. Multiple high-severity Microsoft cloud flaws were published in the last 24 hours. The businesses that come out of this without an incident are the ones that asked the right questions today, not the ones that waited for their MSP to volunteer the information.