Active Exploitation Detected for Two Ivanti EPMM Zero-Day RCE Bugs; Fixes Now Available

Ivanti has released security patches for two critical vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) that have been exploited as zero‑day attacks in the wild. One of the flaws has been formally added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.

The affected issues are critical‑severity code injection flaws that allow unauthenticated remote code execution (RCE):

  • CVE‑2026‑1281 (CVSS: 9.8) – Enables unauthenticated attackers to execute arbitrary code
  • CVE‑2026‑1340 (CVSS: 9.8) – Enables unauthenticated attackers to execute arbitrary code

The vulnerabilities impact the following EPMM releases:

  • EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, and 12.7.0.0 and earlier – remediated via RPM 12.x.0.x
  • EPMM 12.5.1.0 and earlier, and 12.6.1.0 and earlier – remediated via RPM 12.x.1.x

Ivanti cautioned that these RPM-based fixes are not persistent across version upgrades and must be reapplied following any appliance upgrade. A permanent remediation will be provided in EPMM version 12.8.0.0, which is scheduled for release later in Q1 2026.

In an advisory, Ivanti stated it is aware of a very limited number of customers whose deployments had been compromised prior to disclosure. However, the company noted that it lacks sufficient insight into attacker tradecraft to provide reliable atomic indicators of compromise (IOCs) at this time.

Ivanti confirmed that both CVE‑2026‑1281 and CVE‑2026‑1340 affect the In‑House Application Distribution and Android File Transfer Configuration features. The flaws do not impact other Ivanti products, including Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.

According to Ivanti’s technical assessment, prior campaigns against earlier EPMM vulnerabilities have typically resulted in persistent access via web shells and reverse shells deployed on compromised appliances. 

“Successful exploitation of the EPMM appliance allows arbitrary code execution,” Ivanti stated. “Beyond enabling lateral movement, EPMM also stores sensitive information related to the devices it manages.”

Administrators are advised to inspect the Apache access log located at:

/var/log/httpd/https-access_log

Ivanti explained that legitimate requests generate HTTP 200 responses, while exploit attempts typically result in HTTP 404 responses, which can be identified using the regular expression pattern Ivanti provides in its advisory.
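As an added example (not from the article or from Ivanti), the following Python triage script parses lines in Apache combined format from the access log named above and groups HTTP 404 responses by client, so an analyst can see which sources were probing, what they requested and over what time span. The sample log lines, hosts and request paths are constructed placeholders, and Ivanti's own regular expression is not reproduced here.

```python
import re
from collections import defaultdict

# Apache "combined" log format, the layout used by the EPMM access log at
# /var/log/httpd/https-access_log. Group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic; hosts and paths are placeholders, not real EPMM endpoints or IOCs.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2026:10:01:02 +0000] "GET /console/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Jan/2026:10:02:11 +0000] "POST /PLACEHOLDER/upload HTTP/1.1" 404 221 "-" "python-requests/2.31"
203.0.113.7 - - [20/Jan/2026:10:02:12 +0000] "POST /PLACEHOLDER/upload HTTP/1.1" 404 221 "-" "python-requests/2.31"
203.0.113.7 - - [20/Jan/2026:10:02:15 +0000] "GET /PLACEHOLDER/transfer HTTP/1.1" 404 221 "-" "python-requests/2.31"
10.0.0.9 - - [20/Jan/2026:10:03:00 +0000] "GET /console/favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
this line is garbage and must be skipped
"""

def parse_line(line):
    """Fields of one access-log line as strings, or None if the line is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize_404s(log_text):
    """Group HTTP 404 responses by client IP: hit count, distinct requests, first/last timestamp."""
    per_ip = defaultdict(lambda: {"count": 0, "paths": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "404":
            continue
        entry = per_ip[rec["ip"]]
        entry["count"] += 1
        entry["paths"].add(f'{rec["method"]} {rec["path"]}')
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return dict(per_ip)

def suspect_sources(log_text, min_hits=2):
    """IPs with at least min_hits 404s, busiest first; a single stray 404 (e.g. a favicon) stays below the bar."""
    summary = summarize_404s(log_text)
    hits = [(ip, e["count"]) for ip, e in summary.items() if e["count"] >= min_hits]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for ip, n in suspect_sources(SAMPLE_LOG):
        print(ip, n, sorted(summarize_404s(SAMPLE_LOG)[ip]["paths"]))
```

Run it against the real log by reading the file into `summarize_404s`, then compare the listed requests with Ivanti's pattern and with the configuration review below.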

Customers are also encouraged to review their environments for unauthorized configuration changes, including:

  • Newly created or modified EPMM administrator accounts
  • Changes to authentication settings, including SSO and LDAP
  • New push applications deployed to mobile devices
  • Modifications to existing app configurations, including in‑house apps
  • New or altered policies
  • Network or VPN configuration changes pushed to endpoints

If evidence of compromise is found, Ivanti strongly recommends restoring the appliance from a known‑good backup or deploying a new EPMM instance and migrating data. Once recovery is complete, the following remediation steps should be performed:

  • Reset passwords for all local EPMM accounts
  • Reset credentials for LDAP and/or KDC service accounts
  • Revoke and replace the public TLS certificate used by EPMM
  • Reset passwords for any additional internal or external service accounts integrated with EPMM

The incident has prompted CISA to add CVE‑2026‑1281 to the KEV catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the required updates no later than February 1, 2026.
