Critical Ivanti EPMM Zero-Day Vulnerabilities Exploited in Active Attacks
Ivanti has recently released security patches to address two critical vulnerabilities in its Endpoint Manager Mobile (EPMM) software, both of which have been actively exploited in zero-day attacks. These vulnerabilities, identified as CVE-2026-1281 and CVE-2026-1340, each carry a CVSS severity score of 9.8, indicating their critical nature.
Details of the Vulnerabilities:
– CVE-2026-1281: This vulnerability involves a code injection flaw that allows unauthenticated remote code execution.
– CVE-2026-1340: Similar to the first, this is another code injection vulnerability enabling unauthenticated remote code execution.
These vulnerabilities affect the following versions of EPMM:
– Versions 12.5.0.0 and prior, 12.6.0.0 and prior, and 12.7.0.0 and prior (fixed in RPM 12.x.0.x).
– Versions 12.5.1.0 and prior and 12.6.1.0 and prior (fixed in RPM 12.x.1.x).
It’s important to note that the RPM patch does not persist through version upgrades and must be reapplied if the appliance is updated to a new version. A permanent fix is scheduled for release in EPMM version 12.8.0.0 later in the first quarter of 2026.
Active Exploitation and Advisory:
Ivanti has acknowledged a limited number of customers whose systems have been exploited at the time of disclosure. The company has not provided specific details about the threat actors’ tactics due to insufficient information. The vulnerabilities are associated with the In-House Application Distribution and the Android File Transfer Configuration features of EPMM. Other Ivanti products, such as Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), and Ivanti Sentry, are not affected.
Technical Analysis and Indicators of Compromise:
In previous attacks targeting older EPMM vulnerabilities, two primary forms of persistence were observed:
1. Web Shells: Malicious scripts that allow remote control over the compromised system.
2. Reverse Shells: Connections initiated from the compromised system to an attacker’s system, enabling command execution.
Successful exploitation of these vulnerabilities can lead to arbitrary code execution on the appliance. Given that EPMM contains sensitive information about managed devices, this poses a significant risk.
Detection and Mitigation Steps:
Administrators are advised to examine the Apache access log located at `/var/log/httpd/https-access_log` for signs of exploitation. The following regular expression can help identify suspicious activity:
```
^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
```
Legitimate use of the affected features will result in 200 HTTP response codes in the Apache access log, whereas successful or attempted exploitation will cause 404 HTTP response codes.
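To show how the 200-versus-404 rule above plays out in practice, here is an added example (not Ivanti's tooling) that runs the advisory regex over constructed Apache access-log lines and tallies matches per client. It assumes a log layout whose first field is `client:port`, as the regex's `127.0.0.1:\d+` exclusion implies, and uses `sample` as a placeholder path segment.

```python
import re
from collections import Counter
from typing import Dict, List

# Regex from the Ivanti advisory quoted above: a request that did not come from the
# appliance itself (127.0.0.1:<port>), hit the In-House Application Distribution
# (appstore) or Android File Transfer (aftstore) "fob" endpoint, and ended in 404.
EPMM_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+.*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per access-log line that matches the advisory regex."""
    hits = []
    for line in lines:
        m = EPMM_PATTERN.search(line)
        if m:
            hits.append({
                # Assumed layout: field 1 is "ip:port"; keep only the IP for grouping.
                "client": line.split()[0].split(":")[0],
                "feature": "aftstore" if m.group(1) == "aft" else "appstore",
                "line": line,
            })
    return hits


def count_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count matching requests per client IP, to spot one source probing repeatedly."""
    return dict(Counter(h["client"] for h in hits))


# Constructed sample lines (not real telemetry). Line 3 is legitimate use of the
# feature (200) and must not match; line 4 is excluded because it originates from
# 127.0.0.1; line 5 touches an unrelated path.
SAMPLE_LOG = [
    '10.20.30.40:51234 - - [14/Jan/2026:08:15:02 +0000] "GET /mifs/c/aftstore/fob/sample HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '10.20.30.40:51240 - - [14/Jan/2026:08:15:09 +0000] "POST /mifs/c/appstore/fob/sample HTTP/1.1" 404 196 "-" "-"',
    '10.20.30.50:51300 - - [14/Jan/2026:08:17:00 +0000] "GET /mifs/c/appstore/fob/sample HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '127.0.0.1:40000 - - [14/Jan/2026:08:18:00 +0000] "GET /mifs/c/aftstore/fob/sample HTTP/1.1" 404 196 "-" "-"',
    '10.20.30.60:51400 - - [14/Jan/2026:08:19:00 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for hit in hits:
        print(hit["client"], hit["feature"], hit["line"])
    print(count_by_client(hits))
```

Point `find_suspicious` at the lines of `/var/log/httpd/https-access_log` to triage a live appliance; any non-localhost hit warrants the account, configuration and policy review that follows.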
Additionally, administrators should review the following for unauthorized changes:
– EPMM Administrators: Check for new or recently modified administrator accounts.
– Authentication Configuration: Review SSO and LDAP settings for unauthorized alterations.
– Push Applications: Inspect for new applications pushed to mobile devices.
– Application Configurations: Examine changes to applications, including in-house applications.
– Policies: Look for new or recently modified policies.
– Network Configurations: Assess any changes to network or VPN configurations pushed to mobile devices.
Response to Compromise:
If signs of compromise are detected, Ivanti recommends the following steps:
1. Restore from Backup: Revert the EPMM device to a known good backup or build a replacement EPMM and migrate data to the new device.
2. Secure the Environment: After restoration, implement the following changes:
– Reset Local EPMM Account Passwords: Change passwords for all local accounts.
– Reset Service Account Passwords: Update passwords for LDAP and/or KDC service accounts used for lookups.
– Revoke and Replace Public Certificates: Replace the public certificate used for EPMM.
– Reset Other Service Account Passwords: Update passwords for any other internal or external service accounts configured with EPMM.
CISA’s Response:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-1281 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to apply the updates by February 1, 2026.
Conclusion:
The discovery and active exploitation of these critical vulnerabilities in Ivanti’s EPMM underscore the importance of timely patching and vigilant monitoring. Organizations using EPMM should promptly apply the available patches, monitor their systems for signs of compromise, and implement the recommended security measures to protect their networks and sensitive information.