EPMM is the system that controls which mobile devices can access corporate email, applications, and internal networks; a successful attack gives adversaries the ability to impersonate trusted devices, extract corporate credentials, and move laterally into production systems without triggering standard perimeter controls. Active exploitation confirmed by Ivanti and CISA means attacks are occurring now, not hypothetically, and the window before opportunistic threat actors develop commodity exploits is closing. Organizations that rely on EPMM for workforce mobility and fail to patch before May 10, 2026 face the compounding risk of regulatory scrutiny under any applicable data protection framework, plus the operational cost of rebuilding trust in every managed device if credentials or certificates are confirmed compromised.
You Are Affected If
You run Ivanti EPMM on-premises (not Ivanti cloud-hosted) in your environment
Your EPMM version is earlier than 12.6.1.1, 12.7.0.1, or 12.8.0.1 on your respective release branch
Your EPMM management interface or API endpoints are reachable from the internet or untrusted network segments without IP allowlisting
You have not applied the Ivanti May 2026 Security Advisory patches as of today
Your organization uses EPMM to manage devices that access regulated data, privileged systems, or sensitive internal applications
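The version and exposure criteria in the list above can be turned into a quick inventory triage. The following is an added example written for this page, not an Ivanti tool or script: it takes the fixed builds named above (12.6.1.1, 12.7.0.1, 12.8.0.1) as the minimum patched version per release branch, assumes EPMM versions are reported as dotted numeric strings such as "12.6.1.0", and treats any branch the advisory does not list as "review" rather than guessing. Hostnames and versions in the sample inventory are constructed.

```python
"""Triage an on-premises Ivanti EPMM inventory against the fixed builds named
in the advisory. Added example, not Ivanti tooling. Assumes dotted numeric
version strings; branches outside 12.6 / 12.7 / 12.8 are reported for review."""

from typing import Dict, List, Optional, Tuple

# Minimum patched build per release branch, taken from the advisory text.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (12, 6): (12, 6, 1, 1),
    (12, 7): (12, 7, 0, 1),
    (12, 8): (12, 8, 0, 1),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.6.1.0' into (12, 6, 1, 0), padding to four components so a
    plain tuple comparison behaves like a per-component numeric compare."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"unexpected EPMM version string: {text!r}")
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fixed build on its branch, False if at or above it,
    None if the branch is not one the advisory lists (assumption: unknown)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def triage(inventory: List[dict]) -> Dict[str, str]:
    """Map each host to a status:
       'patch-now' - below the fixed build and reachable from untrusted networks
       'patch'     - below the fixed build, internal-only
       'ok'        - at or above the fixed build
       'review'    - release branch not covered by the advisory list
    Each inventory entry is a dict with host, version and internet_exposed."""
    result: Dict[str, str] = {}
    for item in inventory:
        vuln = is_vulnerable(item["version"])
        if vuln is None:
            status = "review"
        elif vuln and item["internet_exposed"]:
            status = "patch-now"
        elif vuln:
            status = "patch"
        else:
            status = "ok"
        result[item["host"]] = status
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    {"host": "epmm-01.example.internal", "version": "12.6.1.0", "internet_exposed": True},
    {"host": "epmm-02.example.internal", "version": "12.7.0.1", "internet_exposed": True},
    {"host": "epmm-03.example.internal", "version": "12.8.0.0", "internet_exposed": False},
    {"host": "epmm-04.example.internal", "version": "12.5.2.0", "internet_exposed": False},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The exposure flag is what separates "patch-now" from "patch": a vulnerable server that is reachable without IP allowlisting (the third criterion above) should be at the front of the queue. Feed the function your real inventory export in place of the constructed sample.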
Board Talking Points
Attackers are actively exploiting a flaw in Ivanti EPMM, the system that controls mobile device access to our corporate network, and the U.S. government has issued a mandatory remediation deadline of May 10, 2026.
We must apply vendor-issued security updates to all affected EPMM servers within 48 hours and rotate associated credentials; IT and security teams have been directed to begin immediately.
If left unpatched, attackers who compromise EPMM gain the ability to impersonate trusted devices and access internal systems, which could result in a broader breach requiring regulatory notification and significant recovery costs.
HIPAA — EPMM managing mobile devices used by clinical or administrative staff with access to protected health information creates direct exposure under HIPAA Security Rule requirements for access control and audit controls
GDPR / Data Protection — EPMM credential and certificate stores may contain data on EU-based employees or customers; compromise of device management infrastructure may trigger breach notification obligations
FISMA / FedRAMP — Federal agencies are subject to CISA KEV mandatory remediation by May 10, 2026 under BOD 22-01; non-compliance is a direct regulatory violation