CVE-2026-10727 | Severity: HIGH | CNA: ivanti

CVE-2026-10727: An OS command injection vulnerability in Ivanti EPMM before 12

An OS command injection vulnerability in Ivanti EPMM before 12.9.0.1, 12.8.0.3 and 12.7.0.2 versions allows a remote authenticated attacker to execute arbitrary commands as root.

Metrics

CVSS v3.1: 7.2
Severity: HIGH
Fixed in: 12.7.0.2
Affected Products: 1


HarborGuard Analysis

Synopsis

An OS command injection vulnerability in Ivanti Endpoint Manager Mobile (EPMM) allows a remote, authenticated attacker with administrative privileges to inject and execute arbitrary operating system commands as the root user. The attack is carried out over the network and requires no victim interaction. Successful exploitation gives the attacker full control of the underlying host, including reading, modifying, or destroying all data and services on the system. A patched-image rebuild at versions 12.7.0.2, 12.8.0.3, or 12.9.0.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including the Ivanti advisory and NVD) within minutes of publication and matched against all customer images, including custom-built images that bundle EPMM components. Any image carrying a vulnerable version of EPMM is flagged automatically in both registry scans and pipeline CI checks.

Status: Available

Triage

HarborGuard scores this CVE at CVSS 7.2 HIGH and surfaces it accordingly in each customer environment, weighted further by any per-environment compliance policies (for example, stricter thresholds for internet-facing mobile management infrastructure). Findings are routed to the appropriate team inbox based on each organization's configured ownership rules.

Status: Available

Patch

A patched-image rebuild pinned to the fixed versions (12.7.0.2, 12.8.0.3, or 12.9.0.1, depending on the release branch in use) is available on HarborGuard for every environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the EPMM service over the network; the attack vector is network-exposed (AV:N).

  • Authentication: Required

    A high-privilege (administrative) account is required; no path exists for unauthenticated exploitation (PR:H).

  • Victim interaction: Not required

    No user action or social engineering is needed; the attacker triggers exploitation entirely on their own (UI:N).

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental factors required (AC:L).

Blast Radius

  • Reads all data accessible to the root user, including credentials, certificates, device enrollment records, and MDM policy configurations stored on the host.
  • Modifies or deletes any file on the system, including EPMM configuration, enrolled-device data, and OS binaries.
  • Installs persistent backdoors or malware running as root, giving the attacker lasting control even after credential rotation.
  • Crashes or disables the EPMM service entirely, blocking mobile device management operations for all enrolled devices.

How HarborGuard Handles This

Available on HarborGuard: images containing Ivanti EPMM versions prior to 12.7.0.2, 12.8.0.3, or 12.9.0.1 are matched against this CVE within minutes of advisory ingestion. Where a fixed version is available on the same release branch as the affected image, a patched rebuild is made available immediately. For customers who opt into auto-remediation, the typical flow is: rebuilt image at the patched version, automated regression run, and a PR opened against affected workloads. For high-severity CVEs with available fixes, median time from CVE publication to merged patch PR is around 90 minutes for environments with auto-remediation enabled. Given that exploitation requires only an admin credential (not physical or adjacent-network access), teams that cannot patch immediately should consider restricting EPMM management interfaces to trusted IP ranges via network policy, rotating administrative credentials, and reviewing recent admin-session audit logs for unexpected command activity.
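The same-branch matching described above can be checked by hand with a branch-aware comparison. The following is an added example, not HarborGuard's or Ivanti's code: the three fixed versions come from this advisory, while the function names, the sample inventory, and the choice to point pre-12.7 installs at the oldest fixed release are assumptions. It shows why a single "older than 12.7.0.2" test misses vulnerable 12.8.x and 12.9.x builds.

```python
# Added example: branch-aware affected-version check for CVE-2026-10727.
# Fixed versions are from the advisory; names and sample data are constructed.
FIXED = {(12, 7): (12, 7, 0, 2), (12, 8): (12, 8, 0, 3), (12, 9): (12, 9, 0, 1)}


def parse_version(text):
    """Turn '12.8.0.2' into (12, 8, 0, 2); pad short versions with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def fmt(version):
    return ".".join(str(p) for p in version)


def assess(version_text):
    """Return (affected, fixed_version_to_move_to) for one installed version."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch in FIXED:
        # A fix exists on this release branch: compare within the branch only.
        fix = FIXED[branch]
        return (True, fmt(fix)) if v < fix else (False, None)
    oldest = min(FIXED)
    if branch < oldest:
        # Older than every fixed release, so "before 12.7.0.2" applies.
        # Assumption: no same-branch fix exists; suggest the oldest fixed one.
        return (True, fmt(FIXED[oldest]))
    # Branch newer than any listed fix: not "before" any fixed version.
    return (False, None)


def naive_assess(version_text):
    """The flawed shortcut: compare only against the lowest fixed version."""
    return parse_version(version_text) < FIXED[min(FIXED)]


def triage(inventory):
    """Map host -> (version, affected, target) for a {host: version} dict."""
    return {host: (ver, *assess(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    sample = {"mdm-a": "12.7.0.1", "mdm-b": "12.8.0.2", "mdm-c": "12.9.0.1"}
    for host, (ver, affected, target) in triage(sample).items():
        print(host, ver, "AFFECTED -> " + target if affected else "ok")
```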


Fix available

12.7.0.2, 12.8.0.3, 12.9.0.1

Affected packages
  • Ivanti / Endpoint Manager Mobile
    Fixed in 12.9.0.1, 12.8.0.3, 12.7.0.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H