Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited: Immediate Security Updates Released
Ivanti has recently issued critical security updates to address two zero-day vulnerabilities in its Endpoint Manager Mobile (EPMM) software. These vulnerabilities have been actively exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include one of them in its Known Exploited Vulnerabilities (KEV) catalog.
Details of the Vulnerabilities:
1. CVE-2026-1281: This is a code injection vulnerability with a CVSS score of 9.8, allowing unauthenticated remote code execution.
2. CVE-2026-1340: Similar to the first, this code injection flaw also has a CVSS score of 9.8 and permits unauthenticated remote code execution.
These vulnerabilities affect the following EPMM versions:
– 12.5.0.0 and prior
– 12.6.0.0 and prior
– 12.7.0.0 and prior
Ivanti has released patches in the form of RPMs for versions 12.x.0.x and 12.x.1.x. Note that these RPM patches do not persist across a version upgrade: if the appliance is later upgraded, the RPM must be reapplied, or the system is exposed again. A permanent fix is scheduled for EPMM version 12.8.0.0 later in Q1 2026.
Scope and Impact:
The vulnerabilities specifically affect the In-House Application Distribution and the Android File Transfer Configuration features of EPMM. Other Ivanti products, such as Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), and Ivanti Sentry, are not impacted.
Ivanti has acknowledged a limited number of customers whose systems have been exploited. Due to insufficient information about the attackers’ tactics, the company cannot provide specific indicators of compromise at this time.
Recommended Actions:
To detect potential exploitation attempts, administrators should search the Apache access log located at /var/log/httpd/https-access_log for the following pattern. It relies on a negative lookahead, so it needs a PCRE-capable engine (for example grep -P); grep -E and other POSIX ERE tools will reject it:
```
^(?!127\.0\.0\.1:\d+.*$).*\/mifs\/c\/(aft|app)store\/fob\/.*404
```
Legitimate use of these features returns 200 HTTP response codes, whereas exploitation attempts against these paths produce 404 HTTP response codes. That is why the pattern ends in 404 and excludes requests that originate from the appliance itself (127.0.0.1), which are expected traffic.
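The detection above, run over a handful of constructed log lines, as an added example that is not part of Ivanti's advisory or this article. The log line layout (a client:port prefix followed by combined-log fields) is an assumption made so the lookahead has something to test against; real EPMM access logs may differ, and the sample addresses, timestamps and byte counts are fabricated for the demonstration.

```python
import re

# Ivanti's detection pattern: a non-loopback client requesting the In-House
# App Distribution or Android File Transfer "fob" paths and receiving a 404.
EPMM_EXPLOIT_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+.*$).*\/mifs\/c\/(aft|app)store\/fob\/.*404"
)

# Field extractor for the assumed "client:port ident user [ts] "req" status" layout.
LINE_RE = re.compile(
    r'^(?P<client>[^:\s]+):(?P<port>\d+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not a real EPMM log). Lines 1 and 4 should be flagged:
# line 2 comes from loopback, line 3 returned 200, line 5 is not a fob path.
SAMPLE_LOG = """\
203.0.113.10:51822 - - [21/Jan/2026:10:15:01 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 404 196
127.0.0.1:38412 - - [21/Jan/2026:10:15:02 +0000] "GET /mifs/c/aftstore/fob/ HTTP/1.1" 404 196
203.0.113.10:51823 - - [21/Jan/2026:10:15:03 +0000] "GET /mifs/c/appstore/fob/ HTTP/1.1" 200 5120
198.51.100.7:44001 - - [21/Jan/2026:10:15:04 +0000] "POST /mifs/c/aftstore/fob/ HTTP/1.1" 404 196
203.0.113.10:51824 - - [21/Jan/2026:10:15:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 196
"""


def scan_access_log(log_text: str) -> list[dict]:
    """Return one record per line matching Ivanti's pattern.

    Each record carries the raw line plus parsed fields when the assumed
    layout parses; the status is kept as an int so callers can confirm the
    404 came from the response code and not from elsewhere on the line.
    """
    hits = []
    for line in log_text.splitlines():
        if not EPMM_EXPLOIT_PATTERN.search(line):
            continue
        record = {"raw": line}
        m = LINE_RE.match(line)
        if m:
            record.update(
                client=m["client"],
                method=m["method"],
                path=m["path"],
                status=int(m["status"]),
                timestamp=m["ts"],
            )
        hits.append(record)
    return hits


def count_by_client(hits: list[dict]) -> dict[str, int]:
    """Aggregate flagged requests per source address for triage."""
    counts: dict[str, int] = {}
    for h in hits:
        client = h.get("client", "unparsed")
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = scan_access_log(SAMPLE_LOG)
    for h in flagged:
        print(h.get("client"), h.get("method"), h.get("path"), h.get("status"))
    print(count_by_client(flagged))
```

Two caveats when running this against a real log. The trailing `.*404` in Ivanti's pattern matches "404" anywhere after the fob path, including inside a query string or a referrer, so treat matches as leads and confirm the parsed status field. And the loopback exclusion only suppresses requests the appliance makes to itself; an attacker who already has a foothold on the box would not be excluded by it in a useful way, so the account, policy and configuration review below still applies even when the grep comes back empty.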
Administrators are also advised to review the following for unauthorized changes:
– New or recently modified administrator accounts
– Authentication configurations, including SSO and LDAP settings
– New push applications for mobile devices
– Changes to applications pushed to devices, including in-house applications
– New or recently modified policies
– Network configuration changes, including VPN configurations
Mitigation Steps:
If signs of compromise are detected, Ivanti recommends restoring the EPMM device from a known good backup or building a replacement EPMM and migrating data to the new device. Subsequently, the following actions should be taken to secure the environment:
– Reset passwords for all local EPMM accounts
– Reset passwords for LDAP and/or KDC service accounts
– Revoke and replace public certificates
– Review and update firewall rules
– Monitor logs for any further suspicious activity
Conclusion:
Given the critical nature of these vulnerabilities and their active exploitation, it is imperative for organizations using Ivanti EPMM to apply the provided patches immediately and follow the recommended mitigation steps to safeguard their systems.