Ivanti Alerts on Two EPMM Vulnerabilities Exploited in Zero-Day Attacks

Ivanti has revealed two significant vulnerabilities in its Endpoint Manager Mobile (EPMM) software, identified as CVE-2026-1281 and CVE-2026-1340. These vulnerabilities are associated with code injection, enabling remote attackers to execute arbitrary code on affected devices without authentication. Both vulnerabilities have received a CVSS score of 9.8, indicating a critical severity level.

Ivanti has reported that a limited number of its customers’ systems may have already been compromised due to these issues. As a precaution, the company has issued RPM scripts to mitigate the vulnerabilities for specific EPMM versions:

  • Use RPM 12.x.0.x for EPMM versions 12.5.0.x, 12.6.0.x, and 12.7.0.x.
  • Use RPM 12.x.1.x for EPMM versions 12.5.1.0 and 12.6.1.0.

Applying the patches does not require downtime, and there should be no functional impact. However, Ivanti advises that these hotfixes need to be reapplied if the appliance is upgraded, as they do not persist through upgrades. A permanent fix is expected to be included in version 12.8.0.0, set for release in the first quarter of 2026.

Threat Landscape and Impact of Vulnerabilities

Successful exploitation of these vulnerabilities allows attackers extensive access to sensitive information stored on the EPMM platform. This includes:

  • Administrator and user account credentials.
  • Email addresses.
  • Details of managed devices, such as phone numbers, IP addresses, and installed applications.
  • Device identifiers, including IMEI and MAC addresses.

If location tracking is enabled, attackers could also potentially acquire GPS coordinates and the locations of the nearest cell towers. Furthermore, the vulnerabilities allow attackers to manipulate configurations via the EPMM API or web console, including authentication settings.

Zero-Day Exploitation and Mitigation

Both vulnerabilities have been exploited as zero-days. Because only a small number of customers are confirmed affected, Ivanti has only limited indicators of compromise to share; it has, however, published technical guidance for detecting potential exploitation and post-exploitation behavior.

Exploits are triggered through the In-House Application Distribution and Android File Transfer Configuration features. Unusual activity can be seen in the Apache access log at /var/log/httpd/https-access_log. Ivanti suggests using the following regular expression to identify potential exploitation:

^(?!127\.0\.0\.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404

This expression highlights external requests targeting vulnerable endpoints that generate 404 response codes, indicating a potential compromise. In contrast, legitimate requests typically return an HTTP 200 response.
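As an added illustration (not part of Ivanti's guidance), the advisory pattern is applied below to a handful of constructed access-log lines in the appliance's client:port layout, next to a stricter variant that ties the 404 to the status field rather than to any "404" later on the line:

```python
import re
import sys

# Ivanti's published detection pattern, as quoted in the advisory text above. The negative
# lookahead drops requests the appliance makes to itself (127.0.0.1:<port>); the rest
# matches the vulnerable fob/ endpoints followed by a 404 anywhere later on the line.
IVANTI_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?/mifs/c/(aft|app)store/fob/.*?404"
)

# Stricter companion pattern (added here, not Ivanti's): requires the 404 to be the status
# field right after the quoted request line, so a byte count such as 4040 cannot trigger it.
STRICT_PATTERN = re.compile(
    r'^(?!127\.0\.0\.1:)\S+ .*?"[A-Z]+ /mifs/c/(?:aft|app)store/fob/\S* [^"]*" 404 '
)

# Constructed sample entries; these are not real log lines from any EPMM system.
# Lines 1 and 3 are genuine hits, line 2 is excluded as localhost traffic, line 4 is a
# legitimate 200, and line 5 shows the byte-count edge case the strict pattern avoids.
SAMPLE_LOG = [
    '203.0.113.7:51234 - - [20/Jan/2026:10:01:02 +0000] "GET /mifs/c/appstore/fob/a HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '127.0.0.1:40001 - - [20/Jan/2026:10:01:03 +0000] "GET /mifs/c/appstore/fob/b HTTP/1.1" 404 512 "-" "curl/8.0"',
    '198.51.100.9:44321 - - [20/Jan/2026:10:01:04 +0000] "GET /mifs/c/aftstore/fob/c HTTP/1.1" 404 300 "-" "python-requests/2.31"',
    '198.51.100.9:44322 - - [20/Jan/2026:10:01:05 +0000] "GET /mifs/c/appstore/fob/d HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.9:44323 - - [20/Jan/2026:10:01:06 +0000] "GET /mifs/c/appstore/fob/e HTTP/1.1" 200 4040 "-" "Mozilla/5.0"',
    '203.0.113.7:51240 - - [20/Jan/2026:10:01:07 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]


def find_suspicious(lines, pattern=IVANTI_PATTERN):
    """Return the log lines that match the given detection pattern."""
    return [line for line in lines if pattern.search(line)]


def clients_by_hits(lines, pattern=IVANTI_PATTERN):
    """Count flagged requests per source address (host part of the leading client:port field)."""
    counts = {}
    for line in find_suspicious(lines, pattern):
        host = line.split(" ", 1)[0].rsplit(":", 1)[0]
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    # With a path argument (e.g. /var/log/httpd/https-access_log) scan a real log;
    # otherwise run against the constructed sample.
    lines = open(sys.argv[1], errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, pat in (("ivanti", IVANTI_PATTERN), ("strict", STRICT_PATTERN)):
        hits = find_suspicious(lines, pat)
        print(f"{name}: {len(hits)} hit(s), per source {clients_by_hits(lines, pat)}")
```

Flagged source addresses are a starting point for triage, not proof of compromise; the advisory's own guidance is to restore or rebuild rather than clean once compromise is suspected.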

If an administrator suspects a device has been compromised, Ivanti advises against cleaning the system. Instead, they recommend restoring EPMM from a known good backup or rebuilding the appliance and migrating data to a new system.

Recommendations for Defense

Ivanti also advises reviewing logs from Sentry, as EPMM typically operates in a DMZ with limited corporate network access. Sentry is designed to tunnel specific traffic from mobile devices to internal assets, making it crucial for security assessments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2026-1281 in its Known Exploited Vulnerabilities (KEV) catalog, underscoring its active exploitation. Federal agencies must implement vendor mitigations or cease use of affected systems by February 1, 2026, per Binding Operational Directive 22-01. Currently, it is unclear why CISA has not listed both vulnerabilities in the KEV.

This is not the first instance of vulnerabilities in Ivanti’s EPMM software; another set of zero-day vulnerabilities was disclosed previously and addressed in May 2025.