
Urgent Alert: Ivanti EPMM Zero-Day Flaws Under Active Exploitation – Patch Now!


Immediate Threat: Ivanti EPMM Zero-Days Under Active Exploitation

In a critical development for enterprise mobility management, Ivanti has rushed out urgent security updates to address two severe zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) solution. These flaws are not theoretical; they are actively being exploited in the wild, posing an immediate and significant risk to organizations utilizing the platform. The urgency is further underscored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding one of these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, mandating swift action from federal agencies.

The Critical Vulnerabilities Unpacked

Both identified vulnerabilities carry a staggering CVSS score of 9.8, signaling their extreme severity. They are:

  • CVE-2026-1281: A code injection vulnerability that allows attackers to achieve unauthenticated remote code execution (RCE).
  • CVE-2026-1340: Another critical code injection flaw, also enabling unauthenticated remote code execution.

These vulnerabilities essentially grant unauthorized attackers the ability to run arbitrary code on affected EPMM appliances without needing legitimate credentials, opening the door to complete system compromise and data exfiltration.

Affected Versions and Patching Imperatives

The vulnerabilities impact a broad range of Ivanti EPMM versions:

  • EPMM 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (fixed in RPM 12.x.0.x)
  • EPMM 12.5.1.0 and prior and 12.6.1.0 and prior (fixed in RPM 12.x.1.x)

It is crucial for administrators to note a significant caveat: the current RPM patch is temporary. It does not persist through a version upgrade and must be reapplied if the appliance is updated to a new version. A permanent fix is anticipated with the release of EPMM version 12.8.0.0, scheduled for later in Q1 2026.

Understanding the Attack Vector and Persistence

Ivanti has confirmed that CVE-2026-1281 and CVE-2026-1340 lie in the In-House Application Distribution and Android File Transfer Configuration features of EPMM. Other Ivanti products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM) and Ivanti Sentry, are not affected by these particular flaws.

Drawing on earlier attacks against older EPMM vulnerabilities, Ivanti’s technical analysis describes the tactics attackers commonly use to maintain persistence: deploying web shells and reverse shells on compromised appliances, which give threat actors continued access and control. Successful exploitation grants arbitrary code execution and access to sensitive information about the devices managed by the appliance, potentially leading to lateral movement within the connected environment.

Detecting Compromise: A Proactive Approach

Organizations must act swiftly to determine whether their systems have been compromised. Ivanti advises checking the Apache access log at /var/log/httpd/https-access_log for suspicious activity by searching it with the following regular expression (regex) pattern, which skips requests the appliance makes to itself from 127.0.0.1 and flags 404 responses on the affected endpoints:

^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404

Legitimate use of the affected features will result in 200 HTTP response codes, whereas attempted or successful exploitation will generate 404 HTTP response codes.
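As an added example (not code from the article or from Ivanti), this Python script applies the detection regex above to a few constructed log lines and aggregates hits per client; the exact log line layout and the helper names are assumptions.

```python
import re

# Detection regex from the Ivanti guidance quoted above (with the "\d" that
# extraction stripped restored). It flags requests that did NOT come from the
# appliance itself (127.0.0.1) and hit the affected endpoints with a 404.
EPMM_IOC_RE = re.compile(
    r"^(?!127.0.0.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404"
)

# Constructed sample lines. Assumption: each line starts with "client:port",
# followed by a common-log-style request and status code.
SAMPLE_LOG = """\
127.0.0.1:54321 - - [20/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 404 0
198.51.100.7:41022 - - [20/Jan/2026:10:00:05 +0000] "GET /mifs/c/aftstore/fob/abc HTTP/1.1" 404 12
198.51.100.7:41023 - - [20/Jan/2026:10:00:06 +0000] "POST /mifs/c/appstore/fob/def HTTP/1.1" 404 12
203.0.113.9:50010 - - [20/Jan/2026:10:01:00 +0000] "GET /mifs/c/appstore/fob/ok HTTP/1.1" 200 4096
203.0.113.9:50011 - - [20/Jan/2026:10:01:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 0
"""


def find_suspicious_requests(log_text):
    """Return one record (line number, client, raw line) per line the regex matches."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        # Legitimate use returns 200 and is not flagged; the lookahead in the
        # regex drops the appliance's own requests from 127.0.0.1.
        if EPMM_IOC_RE.search(line):
            hits.append({"line": lineno, "client": line.split()[0], "raw": line})
    return hits


def count_by_client(hits):
    """Aggregate hits per source IP (port stripped) to see which clients probed the endpoints."""
    counts = {}
    for hit in hits:
        ip = hit["client"].rsplit(":", 1)[0]
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def scan_log_file(path="/var/log/httpd/https-access_log"):
    """Run the same check against the appliance log at the path named in the advisory."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_requests(fh.read())


if __name__ == "__main__":
    found = find_suspicious_requests(SAMPLE_LOG)
    for hit in found:
        print(f"line {hit['line']}: {hit['raw']}")
    print("hits per client:", count_by_client(found))
```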

Beyond log analysis, a thorough review of configuration changes is essential:

  • Scrutinize EPMM administrators for any new or recently modified accounts.
  • Examine authentication configurations, including SSO and LDAP settings.
  • Check for new push applications for mobile devices or unauthorized changes to existing ones.
  • Review new or recently modified policies.
  • Investigate any network configuration changes, particularly those pushed to mobile devices (e.g., VPN configurations).

Swift Remediation: Steps to Secure Your Environment

Should signs of compromise be detected, Ivanti strongly urges immediate action:

  1. Restore the EPMM device from a known good backup, or build a replacement EPMM and migrate data.
  2. Once the device is secured, implement the following critical changes:
     • Reset the passwords for all local EPMM accounts.
     • Reset passwords for LDAP and/or KDC service accounts used for lookups.
     • Revoke and replace the public certificate used for your EPMM.
     • Reset passwords for any other internal or external service accounts configured with the EPMM solution.

CISA’s Mandate: Federal Agencies on High Alert

The severity of CVE-2026-1281 has prompted CISA to add it to its KEV catalog. This requires all Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by February 1, 2026. This federal directive underscores the critical nature of these vulnerabilities and serves as a strong recommendation for all organizations to prioritize patching and mitigation efforts.
