CISA Flags Two Actively Exploited Ivanti EPMM Zero-Day Vulnerabilities

Ivanti has disclosed two critical security flaws, CVE-2026-1281 and CVE-2026-1340, affecting Ivanti Endpoint Manager Mobile (EPMM). Both vulnerabilities are actively exploited in the wild and allow unauthenticated remote attackers to execute arbitrary code on vulnerable systems.


What’s Going On?

These vulnerabilities are code injection flaws located in specific EPMM features. If exploited, an attacker does not need credentials and can gain full control over the affected appliance.

Because these are zero-day vulnerabilities, attackers were already abusing them before patches were widely available.


Vulnerability Breakdown

CVE-2026-1281

  • Vulnerability type: Code injection leading to unauthenticated remote code execution (RCE)
  • CVSS score: 9.8 (Critical)
  • Status: Listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog
  • Affected functionality:
    • In-House Application Distribution
    • Android File Transfer Configuration

CVE-2026-1340

  • Vulnerability type: Code injection enabling unauthenticated RCE
  • CVSS score: 9.8 (Critical)
  • Exploitation status: Confirmed active exploitation alongside CVE-2026-1281
  • Affected functionality: Same EPMM components as CVE-2026-1281

Why This Is Serious

A successful exploit of either vulnerability allows attackers to:

  • Execute arbitrary commands on the EPMM appliance
  • Access sensitive data such as user accounts, device records, and administrative details
  • Alter configurations that are pushed to managed mobile devices
  • Establish persistence (for example, via web shells or reverse shells)
  • Potentially pivot deeper into the internal network

Signs of Exploitation

Organizations should watch for:

  • Unusual or malformed HTTP requests
  • Errors or anomalies in Apache access logs on EPMM systems
  • Evidence of unauthorized files, web shells, or suspicious processes

These behaviors have already been observed in real-world attacks.


Mitigation and Patching

  • Ivanti has released temporary RPM hotfixes to address both vulnerabilities — these should be applied immediately
  • A permanent fix is scheduled for EPMM version 12.8.0.0
  • Hotfixes may not persist through upgrades, so patches must be reapplied after any update
  • If compromise is suspected:
    • Restore from a known-good backup
    • Rotate credentials
    • Perform a full incident response review

Affected Versions

The following EPMM versions are impacted:

  • 12.5.0.0 and earlier
  • 12.6.0.0 and earlier
  • 12.7.0.0 and earlier
  • Associated 12.5.1.x and 12.6.1.x release lines
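
The version list above and the hotfix caveat under Mitigation and Patching can be combined into a triage pass over an appliance inventory. The sketch below is an added example, not Ivanti or CISA tooling. The inventory record, its field names, the state labels and the hostnames are assumptions; only the 12.7.0.0 and 12.8.0.0 boundaries come from this article.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Boundaries taken from the article; everything else here is illustrative.
LAST_LISTED_AFFECTED = (12, 7, 0, 0)  # "12.7.0.0 and earlier"
PERMANENT_FIX = (12, 8, 0, 0)         # release scheduled to carry the permanent fix

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'a.b.c.d' into a 4-tuple of ints, zero-padding short versions."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EPMM version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

@dataclass
class Appliance:  # hypothetical inventory record
    host: str
    version: str                             # version running now
    hotfix_applied_on: Optional[str] = None  # version running when the RPM hotfix went on

def triage(a: Appliance) -> str:
    current = parse_version(a.version)
    if current >= PERMANENT_FIX:
        return "permanent-fix"
    if current > LAST_LISTED_AFFECTED:
        # Between 12.7.0.0 and 12.8.0.0: not covered by the article's list.
        return "unlisted-verify-with-vendor"
    if a.hotfix_applied_on is None:
        return "vulnerable-apply-hotfix"
    if parse_version(a.hotfix_applied_on) != current:
        # Upgraded since the hotfix was installed; it may not have persisted.
        return "reapply-hotfix"
    return "hotfixed"

# Constructed sample inventory (hostnames are placeholders).
INVENTORY = [
    Appliance("epmm-a.example.internal", "12.5.1.2"),
    Appliance("epmm-b.example.internal", "12.7.0.0", hotfix_applied_on="12.6.0.0"),
    Appliance("epmm-c.example.internal", "12.7.0.0", hotfix_applied_on="12.7.0.0"),
    Appliance("epmm-d.example.internal", "12.8.0.0"),
]

def report(inventory):
    """Map each host to its triage state."""
    return {a.host: triage(a) for a in inventory}

if __name__ == "__main__":
    for host, state in report(INVENTORY).items():
        print(f"{host:28} {state}")
```

A "hotfixed" result only reflects what the inventory records; confirm on the appliance itself that the hotfix RPM is still installed.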

Recommended Actions

  • Patch or mitigate vulnerable EPMM systems without delay
  • Actively review logs and system activity for indicators of compromise
  • Treat these vulnerabilities as high-priority security incidents due to confirmed exploitation