Ivanti EPMM Zero-Days Plant Backdoors That Survive Patching

◆ DEEP DIVES

1. 01

   Ivanti EPMM Zero-Days: When Patching Isn't Enough and Your Entire Mobile Fleet Is at Stake

   <h3>The New Critical: Patch-Resistant Backdoors in Your MDM</h3><p>Palo Alto Networks Unit 42 disclosed that two critical <strong>Ivanti EPMM (Endpoint Manager Mobile) zero-days</strong> are under active exploitation with a particularly dangerous characteristic: the deployed backdoors <strong>survive patching</strong>. This is not a theoretical concern — it's confirmed in the wild.</p><p>The attack chain is severe:</p><ul><li><strong>Unauthenticated access</strong> — no credentials required to exploit</li><li>Persistent backdoors deployed on MDM servers that <strong>persist after remediation</strong></li><li>Compromise of the <strong>entire enterprise mobile fleet</strong> through the MDM control plane</li><li>Unauthorized admin accounts, anomalous MDM policy changes, and unexpected certificate issuance</li></ul><blockquote>Your MDM server controls enrollment, policy enforcement, certificate distribution, and remote wipe for every managed mobile device. An attacker with persistent access effectively owns every phone in your organization.</blockquote><h4>Why This Is Different from the Cisco SD-WAN Story</h4><p>The Cisco SD-WAN zero-day (covered extensively in previous briefings) is a patch-and-hunt scenario. Ivanti EPMM is worse: <strong>patching is necessary but insufficient</strong>. If you were compromised before patching, the attacker retains access. This follows Ivanti's pattern — recall the January 2024 Ivanti Connect Secure zero-days that similarly required factory resets beyond patching. At this point, Ivanti's repeated zero-day pattern warrants a strategic conversation about <strong>platform replacement</strong>.</p><h4>Parallel: Russian AI-Assisted Fortinet Exploitation</h4><p>Amazon published intelligence identifying a Russian threat group using <strong>AI to exploit weakly-configured Fortinet firewalls</strong>, breaching environments at scale. The key insight isn't the AI sophistication — it's that <strong>basic hygiene failures</strong> (default credentials, exposed management interfaces, unpatched firmware) are the actual vulnerability. AI just makes exploitation faster and more scalable. Combined with the separate report of <strong>600 FortiGate appliances breached</strong> in a single AI-assisted campaign, Fortinet edge devices are under active, scaled attack.</p><table><thead><tr><th>Vulnerability</th><th>Severity</th><th>Exploitation Status</th><th>Patch Sufficient?</th><th>Key Risk</th></tr></thead><tbody><tr><td>Ivanti EPMM zero-days (2)</td><td>Critical</td><td>Active — Unit 42 confirmed</td><td><strong>No</strong> — backdoors persist</td><td>Entire mobile fleet takeover</td></tr><tr><td>Fortinet FortiGate misconfigs</td><td>High</td><td>Active — Russian group + AI, 600+ devices</td><td>N/A — config + firmware issue</td><td>Perimeter breach at scale</td></tr><tr><td>Zyxel CPE/ONT (CVE-2025-13942)</td><td>Critical (9.8)</td><td>Not confirmed</td><td>Yes</td><td>Command injection via UPnP</td></tr><tr><td>SolarWinds Serv-U (<15.5.4)</td><td>Critical (multiple)</td><td>No exploitation observed</td><td>Yes</td><td>Access control / type confusion</td></tr></tbody></table>

   Action items

   • If running Ivanti EPMM: apply patches immediately, then initiate forensic investigation of all EPMM servers. Hunt for persistent backdoors, unauthorized admin accounts, anomalous MDM policy changes, and unexpected certificate issuance. If you cannot confirm a clean state, isolate EPMM infrastructure and consider re-enrolling all managed devices from a verified clean baseline.
   • Audit all Fortinet FortiGate appliances against CIS benchmarks by end of week: check default credentials, management interface exposure, and firmware currency. Sweep for IOCs from the 600-device AI-assisted campaign.
   • Evaluate Ivanti EPMM replacement with Microsoft Intune, VMware Workspace ONE, or equivalent by end of quarter. Document Ivanti's zero-day recurrence pattern as justification.
   • Patch Zyxel devices (CVE-2025-13942) and update SolarWinds Serv-U to v15.5.4+ this week. Verify WAN access is disabled on Zyxel devices.

   Sources:Anthropic's Claude Code Security rollout is an industry wakeup call · SANS NewsBites Vol. 28 Num. 15 · Unsupervised Learning NO. 518

2. 02

   AI Agents Are Leaking Credentials in Production — The Security Gap Is Now a Confirmed Vulnerability Class

   <h3>From Theoretical to Confirmed: Agent Credential Disclosure</h3><p>Multiple intelligence streams this cycle converge on a single conclusion: <strong>AI agents in production are a live, exploitable attack surface</strong> that your current security controls don't cover. This isn't a future risk — it's happening now across at least three confirmed vectors.</p><h4>Vector 1: OpenClaw — Credentials by Design Flaw</h4><p><strong>OpenClaw AI agents freely surrender passwords and bank details</strong> during normal operation. This isn't prompt injection — it's an architectural flaw where agents with access to sensitive data disclose it when asked or during routine interactions. No CVE exists because this isn't a traditional software bug; it's a <strong>category-level design failure</strong> in how agents handle secrets.</p><h4>Vector 2: Claude Code — RCE Before User Consent</h4><p>Check Point researchers found that Claude Code's <strong>project configuration files</strong> could trigger code execution <em>before the user accepted the startup trust dialog</em> (CVE-2025-59536, CVSS 8.7). A developer clones a repo, launches Claude Code, and malicious code runs before they've consented to anything. A separate flaw (CVE-2026-21852) enabled <strong>plaintext API key theft</strong> via config manipulation. Patches are available (v2.0.65+), but the attack class — weaponizing AI tool configs — is new and applies broadly.</p><h4>Vector 3: SSH Key Exfiltration via Prompt Injection</h4><p>Grith AI demonstrated that <strong>AI agents can be tricked into stealing SSH keys</strong> through prompt injection. Any AI coding assistant with filesystem access can be manipulated to read and exfiltrate credentials, private keys, and secrets. This is functionally equivalent to compromising a developer workstation — except the attack vector is a crafted prompt, not a phishing email.</p><h4>The Proliferation Problem</h4><p>CB Insights now tracks <strong>'Agentic Security' as a distinct investment category</strong> — a signal that the gap between agent deployment and agent security is large enough to be a market opportunity. Meanwhile, the capability surface is expanding rapidly:</p><table><thead><tr><th>Capability</th><th>Product</th><th>Security Implication</th></tr></thead><tbody><tr><td>Persistent memory across sessions</td><td>Claude Code</td><td>Sensitive data persisted outside DLP perimeter</td></tr><tr><td>Autonomous scheduled execution</td><td>Claude Cowork</td><td>Unmonitored operations with no human-in-the-loop</td></tr><tr><td>19-model orchestration with sub-agents</td><td>Perplexity Computer ($200/mo)</td><td>Dynamic privilege expansion; forensic complexity</td></tr><tr><td>Custom autonomous workflow agents</td><td>Notion Custom Agents</td><td>New shadow IT category with data access</td></tr><tr><td>Screen reading / computer vision</td><td>Claude (Vercept acquisition)</td><td>Agent reads any on-screen content including credentials</td></tr></tbody></table><blockquote>AI agents are the new shadow IT: they hold real credentials to real systems, they're proliferating faster than security teams can govern them, and the tooling to monitor them doesn't exist yet.</blockquote><h4>The Measurement Gap Confirms the Security Gap</h4><p>CB Insights reports that enterprises <strong>can't measure AI agent ROI</strong> — which means they also can't measure AI agent risk. If you can't tell what an agent is doing for the business, you certainly can't tell what it's doing to your security posture. The accounting AI agent startup <strong>Basis</strong> just raised a $100M Series B — agents touching PII, bank credentials, and financial statements at scale, in an industry where SOX compliance demands demonstrable controls.</p>

   Action items

   • Red-team every AI agent deployment (production and pilot) for credential disclosure by March 15. Test direct requests, conversational elicitation, and prompt injection. If any agent has access to a credential store, assume it's a leakage vector until proven otherwise.
   • Ensure Claude Code is updated to v2.0.65+ across all engineering teams this week. Establish policy: AI coding tools must not launch in directories with untrusted project configs. Rotate API keys for developers who used vulnerable versions.
   • Inventory all AI agents across the organization — including shadow deployments by business units — and map their credential types, data access scopes, and action boundaries by end of March.
   • Restrict AI agent filesystem access to SSH keys, API tokens, and secrets. Store credentials in paths inaccessible to AI agents and monitor agent file read operations.
   • Build SIEM detection rules for agent service accounts: anomalous API call volumes, data access outside normal patterns, and action sequences crossing trust boundaries.

   Sources:Red Lines · ai agent predictions · SANS NewsBites Vol. 28 Num. 15 · Unsupervised Learning NO. 518 · This Week on TITV · Trump Orders the Federal Government to Stop Doing Business with Anthropic

3. 03

   China's Vulnerability-to-Weapon Pipeline Is Now Institutional Policy — Adjust Your Patch Prioritization

   <h3>From Informal to Formalized: A State-Level Zero-Day Supply Chain</h3><p>Recorded Future analysis synthesized across multiple intelligence streams reveals that China has built a <strong>systematic, legally mandated pipeline</strong> that captures vulnerabilities from the world's largest security research community and channels them directly into military offensive operations. This isn't a new revelation, but the data points now form a complete picture that should change how you prioritize patching.</p><h4>The Pipeline in Numbers</h4><table><thead><tr><th>Indicator</th><th>Detail</th><th>Defensive Implication</th></tr></thead><tbody><tr><td><strong>RMSV Law</strong></td><td>Mandatory 2-day disclosure to Chinese government before any public disclosure</td><td>Every vulnerability found by Chinese researchers goes to the state before vendors</td></tr><tr><td><strong>PLA Cyberspace Force</strong></td><td>Dedicated military unit created April 2024</td><td>Formalized operationalization of captured vulnerabilities</td></tr><tr><td><strong>Public disclosures declining</strong></td><td>Despite growing Chinese research base</td><td>Public CVE counts understate actual vulnerability discovery</td></tr><tr><td><strong>Zero-days observed: 5 in 2024</strong></td><td>Down from 12 in 2023</td><td>Better OPSEC, not fewer capabilities</td></tr><tr><td><strong>Matrix Cup prize pool</strong></td><td>$2.75M (2x Pwn2Own)</td><td>State-incentivized talent and vulnerability pipeline</td></tr><tr><td><strong>Perimeter device targeting</strong></td><td>40% of PRC attacks target network edge</td><td>Firewalls, VPN concentrators, SD-WAN are primary targets</td></tr><tr><td><strong>Zero-day exploitation</strong></td><td>Up 42% YoY</td><td>Stockpile is being actively deployed</td></tr></tbody></table><blockquote>The absence of observed zero-days does not equal the absence of a zero-day stockpile. China's declining public disclosures are the direct result of a legal capture mechanism, not reduced research activity.</blockquote><h4>What This Means for Your Patch Strategy</h4><p>Traditional patch prioritization weights CVSS score, exploit availability, and asset criticality. This intelligence adds a new dimension: <strong>researcher community composition</strong>. Products with significant Chinese security researcher communities — browsers, mobile operating systems, enterprise SaaS, and especially network appliances — should receive elevated patch priority because vulnerabilities in these products are more likely to be captured by the RMSV pipeline before public disclosure.</p><p>The convergence with CrowdStrike's data is telling: PRC actors targeted <strong>perimeter devices in 40% of attacks</strong>, zero-day exploitation is up <strong>42% year-over-year</strong>, and cloud intrusions by state-nexus actors surged <strong>266%</strong>. The pipeline is producing results.</p><h4>The Open-Weight Proliferation Dimension</h4><p>Reflection AI has raised <strong>over $2 billion</strong> to build frontier open-weight agent models — explicitly described as "the Western equivalent of DeepSeek." Chinese labs like DeepSeek have already proven this model works. When frontier AI capabilities become freely downloadable without API restrictions or safety controls, the offensive capability uplift for any actor — including those with access to China's vulnerability stockpile — is significant. <em>Open-weight frontier models with agentic capabilities are a proliferation event for offensive tooling.</em></p>

   Action items

   • Update patch prioritization framework this quarter to weight products with significant Chinese security researcher communities (network appliances, browsers, mobile OS, enterprise SaaS) higher, independent of CVSS score.
   • Conduct a comprehensive review of all network edge devices (firewalls, VPN concentrators, SD-WAN controllers, load balancers) this quarter. Ensure firmware is current, unnecessary services disabled, and management interfaces not internet-exposed.
   • When Reflection AI or similar labs release frontier open-weight agent models, task threat intelligence to assess offensive capability uplift within 48 hours — same process as a new exploit framework release.

   Sources:Unsupervised Learning NO. 518 · SANS NewsBites Vol. 28 Num. 15 · 🎙️"We Are the Only Ones Who Would Build It"