
Ivanti has released security updates to address two security flaws that affect Ivanti Endpoint Manager Mobile (EPMM) and were exploited in a zero-day attack. One of them was added to the Known Exploited Vulnerabilities (KEV) Catalog by the US Cybersecurity and Infrastructure Security Agency (CISA).
The critical severity vulnerabilities are:
CVE-2026-1281 (CVSS score: 9.8) – Code injection that allows attackers to perform unauthenticated remote code execution
CVE-2026-1340 (CVSS score: 9.8) – Code injection that allows attackers to perform unauthenticated remote code execution
These affect the following versions:
EPMM 12.5.0.0 and earlier, 12.6.0.0 and earlier, and 12.7.0.0 and earlier (fixed in RPM 12.x.0.x)
EPMM 12.5.1.0 and earlier and 12.6.1.0 and earlier (fixed in RPM 12.x.1.x)

However, note that RPM patches do not persist across version upgrades and must be reapplied if you upgrade your appliance to a new version. These vulnerabilities are expected to be permanently addressed in EPMM version 12.8.0.0, due to be released later in Q1 2026.
“At the time of disclosure, we recognize that the number of customers whose solutions have been exploited is extremely limited,” Ivanti said in its advisory, adding that there is a lack of sufficient information about the threat actor’s tactics to provide proven and reliable atomic indicators.
The company noted that CVE-2026-1281 and CVE-2026-1340 impact internal application distribution and Android file transfer configuration functionality. These shortcomings do not affect other products such as Ivanti Neurons for MDM, Ivanti Endpoint Manager (EPM), or Ivanti Sentry.
Ivanti said in its technical analysis that, based on previous attacks targeting older vulnerabilities in EPMM, two forms of persistence are typically observed: deploying a web shell and deploying a reverse shell on the compromised appliance.
“Successful exploitation of the EPMM appliance could result in arbitrary code execution on the appliance,” Ivanti noted. “Apart from lateral movement into the connected environment, EPMM also contains sensitive information about the devices being managed by the appliance.”
Users are advised to check the Apache access logs at ‘/var/log/httpd/https-access_log’ and look for signs of attempted or successful exploitation using the regular expression (regex) pattern below.
^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404
“Legitimate use of these features will result in a 200 HTTP response code being logged in the Apache access logs, while successful or attempted exploitation will result in a 404 HTTP response code,” it explains.
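The following is an added example (not Ivanti's code) that runs the advisory's regex over a few constructed Apache access log lines and reports the flagged requests. The log layout (client:port first, then the standard combined-log fields) is an assumption; adjust the field regex to match your appliance's actual format.

```python
import re

# Regex published in the Ivanti advisory, as quoted above. The negative
# lookahead skips requests that originate from the appliance itself
# (lines starting with 127.0.0.1:<port>).
EPMM_EXPLOIT_PATTERN = re.compile(
    r"^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404"
)

# Assumed line layout: client:port ident user [time] "METHOD path PROTO" status bytes
_FIELDS = re.compile(
    r'^(?P<client>\S+?):(?P<port>\d+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def scan_access_log(lines):
    """Return (client, path, status) for each line the advisory regex flags.

    The advisory pattern accepts any '404' after the store path (for example
    inside the byte count), so the status field is parsed separately and only
    genuine 404 responses are reported.
    """
    hits = []
    for line in lines:
        if not EPMM_EXPLOIT_PATTERN.search(line):
            continue
        m = _FIELDS.match(line)
        if m and m.group("status") == "404":
            hits.append((m.group("client"), m.group("path"), m.group("status")))
    return hits


# Constructed sample lines for demonstration; not real log data.
SAMPLE_LOG = [
    '10.0.0.5:51234 - - [20/Jan/2026:10:00:01 +0000] "GET /mifs/c/appstore/fob/x HTTP/1.1" 404 512',
    '127.0.0.1:44112 - - [20/Jan/2026:10:00:02 +0000] "GET /mifs/c/appstore/fob/y HTTP/1.1" 404 512',
    '10.0.0.6:51235 - - [20/Jan/2026:10:00:03 +0000] "GET /mifs/c/aftstore/fob/z HTTP/1.1" 200 1024',
    '10.0.0.7:51236 - - [20/Jan/2026:10:00:04 +0000] "GET /mifs/c/aftstore/fob/w HTTP/1.1" 200 4041',
    '10.0.0.8:51237 - - [20/Jan/2026:10:00:05 +0000] "GET /mifs/login.jsp HTTP/1.1" 404 512',
]

if __name__ == "__main__":
    for client, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{client} {status} {path}")
```

Only the first sample line is reported: the loopback request is skipped by the lookahead, the legitimate 200 responses are ignored, and the "4041" byte count that the raw regex would catch is filtered out by the status check.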
Additionally, customers are asked to review the following to look for evidence of unauthorized configuration changes:
EPMM administrators, for new or recently changed administrators
Authentication configurations, including SSO and LDAP settings
New push applications for mobile devices
Configuration changes for applications pushed to devices (including in-house applications)
New or recently changed policies
Network configuration changes (including network or VPN configurations pushed to mobile devices)

If indicators of compromise are detected, Ivanti encourages users to restore the EPMM appliance from a known good backup, or to build a replacement EPMM and then migrate data to it. After performing these steps, make the following changes to protect your environment:
Reset the password for the local EPMM account
Perform a lookup
Reset the password for the LDAP and/or KDC service account
Revoke and replace the public certificate used for EPMM
Reset the password for other internal or external service accounts configured in the EPMM solution
Due to this development, CISA added CVE-2026-1281 to the KEV Catalog and required Federal Civilian Executive Branch (FCEB) agencies to apply the update by February 1, 2026.
